Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-2.2.2-2.6.32.43-201108052033.patch
1 diff -urNp linux-2.6.32.43/arch/alpha/include/asm/elf.h linux-2.6.32.43/arch/alpha/include/asm/elf.h
2 --- linux-2.6.32.43/arch/alpha/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3 +++ linux-2.6.32.43/arch/alpha/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
4 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
7
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.32.43/arch/alpha/include/asm/pgtable.h linux-2.6.32.43/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.32.43/arch/alpha/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
20 +++ linux-2.6.32.43/arch/alpha/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
34 +#endif
35 +
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.32.43/arch/alpha/kernel/module.c linux-2.6.32.43/arch/alpha/kernel/module.c
40 --- linux-2.6.32.43/arch/alpha/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
41 +++ linux-2.6.32.43/arch/alpha/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
51 diff -urNp linux-2.6.32.43/arch/alpha/kernel/osf_sys.c linux-2.6.32.43/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.32.43/arch/alpha/kernel/osf_sys.c 2011-03-27 14:31:47.000000000 -0400
53 +++ linux-2.6.32.43/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
54 @@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
55 return -EFAULT;
56
57 len = namelen;
58 - if (namelen > 32)
59 + if (len > 32)
60 len = 32;
61
62 down_read(&uts_sem);
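Review bot: The new test `if (len > 32)` only closes the negative-`namelen` case if `len` is an unsigned type, and its declaration is outside this hunk, so nothing at the point of use shows why the operand was switched. A comment above the test would stop it being changed back, e.g. `/* compare the unsigned copy: a negative namelen must clamp to 32, not bypass the limit */`. Rejecting a negative `namelen` with `-EINVAL` before the earlier `-EFAULT` return would state the intent directly.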
63 @@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
64 down_read(&uts_sem);
65 res = sysinfo_table[offset];
66 len = strlen(res)+1;
67 - if (len > count)
68 + if ((unsigned long)len > (unsigned long)count)
69 len = count;
70 if (copy_to_user(buf, res, len))
71 err = -EFAULT;
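Review bot: The double cast in `if ((unsigned long)len > (unsigned long)count)` deals with a negative `count` by turning it into a huge value, so the call succeeds and copies the whole string instead of failing. The copy itself is bounded, since `len` stays at `strlen(res)+1`, but a nonsensical argument is silently accepted. If `count` is a signed parameter (its declaration is outside the hunk), rejecting `count < 0` with `-EINVAL` before `down_read(&uts_sem)` would be clearer. At minimum add `/* unsigned compare: a negative count must not replace len with a negative copy size */`.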
72 @@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
73 return 1;
74
75 case GSI_GET_HWRPB:
76 - if (nbytes < sizeof(*hwrpb))
77 + if (nbytes > sizeof(*hwrpb))
78 return -EINVAL;
79 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
80 return -EFAULT;
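Review bot: The reversed test `if (nbytes > sizeof(*hwrpb))` now stops `copy_to_user()` from reading past `hwrpb`, but it also accepts any shorter `nbytes`, including 0, and returns a truncated structure. If partial copies are intended, say so next to the test, e.g. `/* never copy past the end of hwrpb; shorter reads are allowed */`. If they are not, the case should copy exactly `sizeof(*hwrpb)` bytes. The rest of the switch lies outside this hunk.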
81 @@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
82 {
83 struct rusage r;
84 long ret, err;
85 + unsigned int status = 0;
86 mm_segment_t old_fs;
87
88 if (!ur)
89 @@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
90 old_fs = get_fs();
91
92 set_fs (KERNEL_DS);
93 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
94 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
95 + (struct rusage __user *) &r);
96 set_fs (old_fs);
97
98 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
99 return -EFAULT;
100
101 err = 0;
102 + err |= put_user(status, ustatus);
103 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
104 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
105 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
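Review bot: `status` is now zero-initialised, but `r` is still an uninitialised stack object and every `__put_user(r.ru_...)` here runs without looking at `ret`. If `sys_wait4()` returns without filling the rusage buffer, stale kernel stack contents would be copied to `ur`; consider `if (ret <= 0) return ret;` right after `set_fs (old_fs);`, or zeroing `r` before the call. Separately, `err |= put_user(status, ustatus);` is unconditional, so a caller passing a NULL `ustatus` would now have a fault recorded in `err`, where the old code handed the pointer to `sys_wait4()` and presumably let it skip the store. Confirm that this is acceptable. The function continues past the end of this hunk.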
106 @@ -1169,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
107 /* At this point: (!vma || addr < vma->vm_end). */
108 if (limit - len < addr)
109 return -ENOMEM;
110 - if (!vma || addr + len <= vma->vm_start)
111 + if (check_heap_stack_gap(vma, addr, len))
112 return addr;
113 addr = vma->vm_end;
114 vma = vma->vm_next;
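Review bot: `check_heap_stack_gap(vma, addr, len)` replaces a test that began with `!vma`, and the fall-through still executes `addr = vma->vm_end;`. The helper is defined outside this page, so the loop is only safe if it returns true for a NULL `vma`. A comment stating that contract, e.g. `/* check_heap_stack_gap() must accept vma == NULL, see the dereference below */`, would protect against a later change to the helper. The same substitution is made in the arch/arm/mm/mmap.c hunks.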
115 @@ -1205,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
116 merely specific addresses, but regions of memory -- perhaps
117 this feature should be incorporated into all ports? */
118
119 +#ifdef CONFIG_PAX_RANDMMAP
120 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
121 +#endif
122 +
123 if (addr) {
124 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
125 if (addr != (unsigned long) -ENOMEM)
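Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no braces, and the statement it controls is the existing `if (addr) {` on the far side of `#endif` and a blank line. Anyone inserting a statement between them detaches the guard without a compiler diagnostic, and the address hint would be honoured again for randomised processes. Keeping the test in one expression is sturdier: a local `bool use_hint = true;`, set to `!(current->mm->pax_flags & MF_PAX_RANDMMAP)` under the `#ifdef`, then `if (addr && use_hint) {`. The same construct is added in arch/arm/mm/mmap.c at `@@ -63,6 +63,10 @@`.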
126 @@ -1212,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
127 }
128
129 /* Next, try allocating at TASK_UNMAPPED_BASE. */
130 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
131 - len, limit);
132 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
133 +
134 if (addr != (unsigned long) -ENOMEM)
135 return addr;
136
137 diff -urNp linux-2.6.32.43/arch/alpha/mm/fault.c linux-2.6.32.43/arch/alpha/mm/fault.c
138 --- linux-2.6.32.43/arch/alpha/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
139 +++ linux-2.6.32.43/arch/alpha/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
140 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
141 __reload_thread(pcb);
142 }
143
144 +#ifdef CONFIG_PAX_PAGEEXEC
145 +/*
146 + * PaX: decide what to do with offenders (regs->pc = fault address)
147 + *
148 + * returns 1 when task should be killed
149 + * 2 when patched PLT trampoline was detected
150 + * 3 when unpatched PLT trampoline was detected
151 + */
152 +static int pax_handle_fetch_fault(struct pt_regs *regs)
153 +{
154 +
155 +#ifdef CONFIG_PAX_EMUPLT
156 + int err;
157 +
158 + do { /* PaX: patched PLT emulation #1 */
159 + unsigned int ldah, ldq, jmp;
160 +
161 + err = get_user(ldah, (unsigned int *)regs->pc);
162 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
163 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
164 +
165 + if (err)
166 + break;
167 +
168 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
169 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
170 + jmp == 0x6BFB0000U)
171 + {
172 + unsigned long r27, addr;
173 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
174 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
175 +
176 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
177 + err = get_user(r27, (unsigned long *)addr);
178 + if (err)
179 + break;
180 +
181 + regs->r27 = r27;
182 + regs->pc = r27;
183 + return 2;
184 + }
185 + } while (0);
186 +
187 + do { /* PaX: patched PLT emulation #2 */
188 + unsigned int ldah, lda, br;
189 +
190 + err = get_user(ldah, (unsigned int *)regs->pc);
191 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
192 + err |= get_user(br, (unsigned int *)(regs->pc+8));
193 +
194 + if (err)
195 + break;
196 +
197 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
198 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
199 + (br & 0xFFE00000U) == 0xC3E00000U)
200 + {
201 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
202 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
203 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
204 +
205 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
206 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
207 + return 2;
208 + }
209 + } while (0);
210 +
211 + do { /* PaX: unpatched PLT emulation */
212 + unsigned int br;
213 +
214 + err = get_user(br, (unsigned int *)regs->pc);
215 +
216 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
217 + unsigned int br2, ldq, nop, jmp;
218 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
219 +
220 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
221 + err = get_user(br2, (unsigned int *)addr);
222 + err |= get_user(ldq, (unsigned int *)(addr+4));
223 + err |= get_user(nop, (unsigned int *)(addr+8));
224 + err |= get_user(jmp, (unsigned int *)(addr+12));
225 + err |= get_user(resolver, (unsigned long *)(addr+16));
226 +
227 + if (err)
228 + break;
229 +
230 + if (br2 == 0xC3600000U &&
231 + ldq == 0xA77B000CU &&
232 + nop == 0x47FF041FU &&
233 + jmp == 0x6B7B0000U)
234 + {
235 + regs->r28 = regs->pc+4;
236 + regs->r27 = addr+16;
237 + regs->pc = resolver;
238 + return 3;
239 + }
240 + }
241 + } while (0);
242 +#endif
243 +
244 + return 1;
245 +}
246 +
247 +void pax_report_insns(void *pc, void *sp)
248 +{
249 + unsigned long i;
250 +
251 + printk(KERN_ERR "PAX: bytes at PC: ");
252 + for (i = 0; i < 5; i++) {
253 + unsigned int c;
254 + if (get_user(c, (unsigned int *)pc+i))
255 + printk(KERN_CONT "???????? ");
256 + else
257 + printk(KERN_CONT "%08x ", c);
258 + }
259 + printk("\n");
260 +}
261 +#endif
262
263 /*
264 * This routine handles page faults. It determines the address,
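Review bot: In "patched PLT emulation #2" the word read into `lda` is tested with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same pattern block #1 applies to the variable it calls `ldq`. Either the name or the constant looks wrong, and nothing in the hunk says which. Each mask/value pair should carry a comment naming the instruction it is meant to match, because these comparisons decide whether a fetch fault is emulated or the task is killed. The `get_user()` casts such as `(unsigned int *)regs->pc` also drop the `__user` annotation that the ARM `pax_report_insns()` in this patch keeps (`(__force unsigned char __user *)pc+i`). `pax_report_insns()` here never uses its `sp` argument.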
265 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
266 good_area:
267 si_code = SEGV_ACCERR;
268 if (cause < 0) {
269 - if (!(vma->vm_flags & VM_EXEC))
270 + if (!(vma->vm_flags & VM_EXEC)) {
271 +
272 +#ifdef CONFIG_PAX_PAGEEXEC
273 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
274 + goto bad_area;
275 +
276 + up_read(&mm->mmap_sem);
277 + switch (pax_handle_fetch_fault(regs)) {
278 +
279 +#ifdef CONFIG_PAX_EMUPLT
280 + case 2:
281 + case 3:
282 + return;
283 +#endif
284 +
285 + }
286 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
287 + do_group_exit(SIGKILL);
288 +#else
289 goto bad_area;
290 +#endif
291 +
292 + }
293 } else if (!cause) {
294 /* Allow reads even for write-only mappings */
295 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
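Review bot: With `CONFIG_PAX_EMUPLT` disabled, the `switch (pax_handle_fetch_fault(regs))` has an empty body. In both configurations the "kill" result 1 is handled only by falling out of the switch, with no `default:` or `case 1:` to show that this is intended. `mmap_sem` has already been dropped by `up_read(&mm->mmap_sem)`, so the code relies on `do_group_exit(SIGKILL)` never returning; otherwise control would leave this branch with the lock released. Add `default: break;` and a comment such as `/* does not return; mmap_sem is already released */` before the `do_group_exit()` call.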
296 diff -urNp linux-2.6.32.43/arch/arm/include/asm/elf.h linux-2.6.32.43/arch/arm/include/asm/elf.h
297 --- linux-2.6.32.43/arch/arm/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
298 +++ linux-2.6.32.43/arch/arm/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
299 @@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
300 the loader. We need to make sure that it is out of the way of the program
301 that it will "exec", and that there is sufficient room for the brk. */
302
303 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
304 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
305 +
306 +#ifdef CONFIG_PAX_ASLR
307 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
308 +
309 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
310 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
311 +#endif
312
313 /* When the program starts, a1 contains a pointer to a function to be
314 registered with atexit, as per the SVR4 ABI. A value of 0 means we
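Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT`, an exact match on the whole word, so a task with any additional personality bit set gets the smaller value 10 instead of 16. The alpha definitions in this patch mask a single bit instead (`current->personality & ADDR_LIMIT_32BIT`). If the exact match is deliberate, a comment should say so; otherwise the test should mask the bits it cares about. The reordering to `TASK_SIZE / 3 * 2` also deserves a one-line comment giving the reason (presumably to avoid overflow in `2 * TASK_SIZE`).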
315 diff -urNp linux-2.6.32.43/arch/arm/include/asm/kmap_types.h linux-2.6.32.43/arch/arm/include/asm/kmap_types.h
316 --- linux-2.6.32.43/arch/arm/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
317 +++ linux-2.6.32.43/arch/arm/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
318 @@ -19,6 +19,7 @@ enum km_type {
319 KM_SOFTIRQ0,
320 KM_SOFTIRQ1,
321 KM_L2_CACHE,
322 + KM_CLEARPAGE,
323 KM_TYPE_NR
324 };
325
326 diff -urNp linux-2.6.32.43/arch/arm/include/asm/uaccess.h linux-2.6.32.43/arch/arm/include/asm/uaccess.h
327 --- linux-2.6.32.43/arch/arm/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
328 +++ linux-2.6.32.43/arch/arm/include/asm/uaccess.h 2011-06-29 21:02:24.000000000 -0400
329 @@ -22,6 +22,8 @@
330 #define VERIFY_READ 0
331 #define VERIFY_WRITE 1
332
333 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
334 +
335 /*
336 * The exception table consists of pairs of addresses: the first is the
337 * address of an instruction that is allowed to fault, and the second is
338 @@ -387,8 +389,23 @@ do { \
339
340
341 #ifdef CONFIG_MMU
342 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
343 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
344 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
345 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
346 +
347 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
348 +{
349 + if (!__builtin_constant_p(n))
350 + check_object_size(to, n, false);
351 + return ___copy_from_user(to, from, n);
352 +}
353 +
354 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
355 +{
356 + if (!__builtin_constant_p(n))
357 + check_object_size(from, n, true);
358 + return ___copy_to_user(to, from, n);
359 +}
360 +
361 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
362 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
363 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
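Review bot: Both new wrappers call `check_object_size()` only when `!__builtin_constant_p(n)`, so every copy with a compile-time-constant length skips the object-size check, and neither wrapper says why that exemption is safe. `check_object_size()` is declared as returning `void` and the copy follows unconditionally, so the wrappers also depend on it not returning when it finds a violation. Its definition is not on this page. Add a comment above each wrapper stating both assumptions: why constant lengths are exempt, and what happens on a failed check.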
364 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
365
366 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
367 {
368 + if ((long)n < 0)
369 + return n;
370 +
371 if (access_ok(VERIFY_READ, from, n))
372 n = __copy_from_user(to, from, n);
373 else /* security hole - plug it */
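Review bot: The new early exit `if ((long)n < 0) return n;` leaves `to` untouched, while the `access_ok()` failure branch just below is marked `/* security hole - plug it */` and presumably clears the destination (that statement is outside this hunk). A caller that mishandles the return value would go on to use an uninitialised kernel buffer. Clearing `n` bytes is not an option for such a length, so document the difference: `/* n > LONG_MAX: reject without touching 'to'; callers must check the return value */`. The same check is added to `copy_to_user()` in the next hunk.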
374 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
375
376 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
377 {
378 + if ((long)n < 0)
379 + return n;
380 +
381 if (access_ok(VERIFY_WRITE, to, n))
382 n = __copy_to_user(to, from, n);
383 return n;
384 diff -urNp linux-2.6.32.43/arch/arm/kernel/armksyms.c linux-2.6.32.43/arch/arm/kernel/armksyms.c
385 --- linux-2.6.32.43/arch/arm/kernel/armksyms.c 2011-03-27 14:31:47.000000000 -0400
386 +++ linux-2.6.32.43/arch/arm/kernel/armksyms.c 2011-07-06 19:51:50.000000000 -0400
387 @@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
388 #ifdef CONFIG_MMU
389 EXPORT_SYMBOL(copy_page);
390
391 -EXPORT_SYMBOL(__copy_from_user);
392 -EXPORT_SYMBOL(__copy_to_user);
393 +EXPORT_SYMBOL(___copy_from_user);
394 +EXPORT_SYMBOL(___copy_to_user);
395 EXPORT_SYMBOL(__clear_user);
396
397 EXPORT_SYMBOL(__get_user_1);
398 diff -urNp linux-2.6.32.43/arch/arm/kernel/kgdb.c linux-2.6.32.43/arch/arm/kernel/kgdb.c
399 --- linux-2.6.32.43/arch/arm/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
400 +++ linux-2.6.32.43/arch/arm/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
401 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
402 * and we handle the normal undef case within the do_undefinstr
403 * handler.
404 */
405 -struct kgdb_arch arch_kgdb_ops = {
406 +const struct kgdb_arch arch_kgdb_ops = {
407 #ifndef __ARMEB__
408 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
409 #else /* ! __ARMEB__ */
410 diff -urNp linux-2.6.32.43/arch/arm/kernel/traps.c linux-2.6.32.43/arch/arm/kernel/traps.c
411 --- linux-2.6.32.43/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
412 +++ linux-2.6.32.43/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
413 @@ -247,6 +247,8 @@ static void __die(const char *str, int e
414
415 DEFINE_SPINLOCK(die_lock);
416
417 +extern void gr_handle_kernel_exploit(void);
418 +
419 /*
420 * This function is protected against re-entrancy.
421 */
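Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside the .c file, so the compiler cannot check it against the definition, which is not on this page. Moving the prototype to a header included by both the caller and the definition would catch a signature mismatch at build time. In the following hunk the call sits after the `panic_on_oops` test, so it never runs on systems configured to panic. A comment at the call site should say whether that is intended.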
422 @@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
423 if (panic_on_oops)
424 panic("Fatal exception");
425
426 + gr_handle_kernel_exploit();
427 +
428 do_exit(SIGSEGV);
429 }
430
431 diff -urNp linux-2.6.32.43/arch/arm/lib/copy_from_user.S linux-2.6.32.43/arch/arm/lib/copy_from_user.S
432 --- linux-2.6.32.43/arch/arm/lib/copy_from_user.S 2011-03-27 14:31:47.000000000 -0400
433 +++ linux-2.6.32.43/arch/arm/lib/copy_from_user.S 2011-06-29 20:48:38.000000000 -0400
434 @@ -16,7 +16,7 @@
435 /*
436 * Prototype:
437 *
438 - * size_t __copy_from_user(void *to, const void *from, size_t n)
439 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
440 *
441 * Purpose:
442 *
443 @@ -84,11 +84,11 @@
444
445 .text
446
447 -ENTRY(__copy_from_user)
448 +ENTRY(___copy_from_user)
449
450 #include "copy_template.S"
451
452 -ENDPROC(__copy_from_user)
453 +ENDPROC(___copy_from_user)
454
455 .section .fixup,"ax"
456 .align 0
457 diff -urNp linux-2.6.32.43/arch/arm/lib/copy_to_user.S linux-2.6.32.43/arch/arm/lib/copy_to_user.S
458 --- linux-2.6.32.43/arch/arm/lib/copy_to_user.S 2011-03-27 14:31:47.000000000 -0400
459 +++ linux-2.6.32.43/arch/arm/lib/copy_to_user.S 2011-06-29 20:46:49.000000000 -0400
460 @@ -16,7 +16,7 @@
461 /*
462 * Prototype:
463 *
464 - * size_t __copy_to_user(void *to, const void *from, size_t n)
465 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
466 *
467 * Purpose:
468 *
469 @@ -88,11 +88,11 @@
470 .text
471
472 ENTRY(__copy_to_user_std)
473 -WEAK(__copy_to_user)
474 +WEAK(___copy_to_user)
475
476 #include "copy_template.S"
477
478 -ENDPROC(__copy_to_user)
479 +ENDPROC(___copy_to_user)
480
481 .section .fixup,"ax"
482 .align 0
483 diff -urNp linux-2.6.32.43/arch/arm/lib/uaccess.S linux-2.6.32.43/arch/arm/lib/uaccess.S
484 --- linux-2.6.32.43/arch/arm/lib/uaccess.S 2011-03-27 14:31:47.000000000 -0400
485 +++ linux-2.6.32.43/arch/arm/lib/uaccess.S 2011-06-29 20:48:53.000000000 -0400
486 @@ -19,7 +19,7 @@
487
488 #define PAGE_SHIFT 12
489
490 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
491 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
492 * Purpose : copy a block to user memory from kernel memory
493 * Params : to - user memory
494 * : from - kernel memory
495 @@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
496 sub r2, r2, ip
497 b .Lc2u_dest_aligned
498
499 -ENTRY(__copy_to_user)
500 +ENTRY(___copy_to_user)
501 stmfd sp!, {r2, r4 - r7, lr}
502 cmp r2, #4
503 blt .Lc2u_not_enough
504 @@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
505 ldrgtb r3, [r1], #0
506 USER( strgtbt r3, [r0], #1) @ May fault
507 b .Lc2u_finished
508 -ENDPROC(__copy_to_user)
509 +ENDPROC(___copy_to_user)
510
511 .section .fixup,"ax"
512 .align 0
513 9001: ldmfd sp!, {r0, r4 - r7, pc}
514 .previous
515
516 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
517 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
518 * Purpose : copy a block from user memory to kernel memory
519 * Params : to - kernel memory
520 * : from - user memory
521 @@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
522 sub r2, r2, ip
523 b .Lcfu_dest_aligned
524
525 -ENTRY(__copy_from_user)
526 +ENTRY(___copy_from_user)
527 stmfd sp!, {r0, r2, r4 - r7, lr}
528 cmp r2, #4
529 blt .Lcfu_not_enough
530 @@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
531 USER( ldrgtbt r3, [r1], #1) @ May fault
532 strgtb r3, [r0], #1
533 b .Lcfu_finished
534 -ENDPROC(__copy_from_user)
535 +ENDPROC(___copy_from_user)
536
537 .section .fixup,"ax"
538 .align 0
539 diff -urNp linux-2.6.32.43/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.43/arch/arm/lib/uaccess_with_memcpy.c
540 --- linux-2.6.32.43/arch/arm/lib/uaccess_with_memcpy.c 2011-03-27 14:31:47.000000000 -0400
541 +++ linux-2.6.32.43/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:44:35.000000000 -0400
542 @@ -97,7 +97,7 @@ out:
543 }
544
545 unsigned long
546 -__copy_to_user(void __user *to, const void *from, unsigned long n)
547 +___copy_to_user(void __user *to, const void *from, unsigned long n)
548 {
549 /*
550 * This test is stubbed out of the main function above to keep
551 diff -urNp linux-2.6.32.43/arch/arm/mach-at91/pm.c linux-2.6.32.43/arch/arm/mach-at91/pm.c
552 --- linux-2.6.32.43/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
553 +++ linux-2.6.32.43/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
554 @@ -348,7 +348,7 @@ static void at91_pm_end(void)
555 }
556
557
558 -static struct platform_suspend_ops at91_pm_ops ={
559 +static const struct platform_suspend_ops at91_pm_ops ={
560 .valid = at91_pm_valid_state,
561 .begin = at91_pm_begin,
562 .enter = at91_pm_enter,
563 diff -urNp linux-2.6.32.43/arch/arm/mach-omap1/pm.c linux-2.6.32.43/arch/arm/mach-omap1/pm.c
564 --- linux-2.6.32.43/arch/arm/mach-omap1/pm.c 2011-03-27 14:31:47.000000000 -0400
565 +++ linux-2.6.32.43/arch/arm/mach-omap1/pm.c 2011-04-17 15:56:45.000000000 -0400
566 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
567
568
569
570 -static struct platform_suspend_ops omap_pm_ops ={
571 +static const struct platform_suspend_ops omap_pm_ops ={
572 .prepare = omap_pm_prepare,
573 .enter = omap_pm_enter,
574 .finish = omap_pm_finish,
575 diff -urNp linux-2.6.32.43/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.43/arch/arm/mach-omap2/pm24xx.c
576 --- linux-2.6.32.43/arch/arm/mach-omap2/pm24xx.c 2011-03-27 14:31:47.000000000 -0400
577 +++ linux-2.6.32.43/arch/arm/mach-omap2/pm24xx.c 2011-04-17 15:56:45.000000000 -0400
578 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
579 enable_hlt();
580 }
581
582 -static struct platform_suspend_ops omap_pm_ops = {
583 +static const struct platform_suspend_ops omap_pm_ops = {
584 .prepare = omap2_pm_prepare,
585 .enter = omap2_pm_enter,
586 .finish = omap2_pm_finish,
587 diff -urNp linux-2.6.32.43/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.43/arch/arm/mach-omap2/pm34xx.c
588 --- linux-2.6.32.43/arch/arm/mach-omap2/pm34xx.c 2011-03-27 14:31:47.000000000 -0400
589 +++ linux-2.6.32.43/arch/arm/mach-omap2/pm34xx.c 2011-04-17 15:56:45.000000000 -0400
590 @@ -401,7 +401,7 @@ static void omap3_pm_end(void)
591 return;
592 }
593
594 -static struct platform_suspend_ops omap_pm_ops = {
595 +static const struct platform_suspend_ops omap_pm_ops = {
596 .begin = omap3_pm_begin,
597 .end = omap3_pm_end,
598 .prepare = omap3_pm_prepare,
599 diff -urNp linux-2.6.32.43/arch/arm/mach-pnx4008/pm.c linux-2.6.32.43/arch/arm/mach-pnx4008/pm.c
600 --- linux-2.6.32.43/arch/arm/mach-pnx4008/pm.c 2011-03-27 14:31:47.000000000 -0400
601 +++ linux-2.6.32.43/arch/arm/mach-pnx4008/pm.c 2011-04-17 15:56:45.000000000 -0400
602 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
603 (state == PM_SUSPEND_MEM);
604 }
605
606 -static struct platform_suspend_ops pnx4008_pm_ops = {
607 +static const struct platform_suspend_ops pnx4008_pm_ops = {
608 .enter = pnx4008_pm_enter,
609 .valid = pnx4008_pm_valid,
610 };
611 diff -urNp linux-2.6.32.43/arch/arm/mach-pxa/pm.c linux-2.6.32.43/arch/arm/mach-pxa/pm.c
612 --- linux-2.6.32.43/arch/arm/mach-pxa/pm.c 2011-03-27 14:31:47.000000000 -0400
613 +++ linux-2.6.32.43/arch/arm/mach-pxa/pm.c 2011-04-17 15:56:45.000000000 -0400
614 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
615 pxa_cpu_pm_fns->finish();
616 }
617
618 -static struct platform_suspend_ops pxa_pm_ops = {
619 +static const struct platform_suspend_ops pxa_pm_ops = {
620 .valid = pxa_pm_valid,
621 .enter = pxa_pm_enter,
622 .prepare = pxa_pm_prepare,
623 diff -urNp linux-2.6.32.43/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.43/arch/arm/mach-pxa/sharpsl_pm.c
624 --- linux-2.6.32.43/arch/arm/mach-pxa/sharpsl_pm.c 2011-03-27 14:31:47.000000000 -0400
625 +++ linux-2.6.32.43/arch/arm/mach-pxa/sharpsl_pm.c 2011-04-17 15:56:45.000000000 -0400
626 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
627 }
628
629 #ifdef CONFIG_PM
630 -static struct platform_suspend_ops sharpsl_pm_ops = {
631 +static const struct platform_suspend_ops sharpsl_pm_ops = {
632 .prepare = pxa_pm_prepare,
633 .finish = pxa_pm_finish,
634 .enter = corgi_pxa_pm_enter,
635 diff -urNp linux-2.6.32.43/arch/arm/mach-sa1100/pm.c linux-2.6.32.43/arch/arm/mach-sa1100/pm.c
636 --- linux-2.6.32.43/arch/arm/mach-sa1100/pm.c 2011-03-27 14:31:47.000000000 -0400
637 +++ linux-2.6.32.43/arch/arm/mach-sa1100/pm.c 2011-04-17 15:56:45.000000000 -0400
638 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
639 return virt_to_phys(sp);
640 }
641
642 -static struct platform_suspend_ops sa11x0_pm_ops = {
643 +static const struct platform_suspend_ops sa11x0_pm_ops = {
644 .enter = sa11x0_pm_enter,
645 .valid = suspend_valid_only_mem,
646 };
647 diff -urNp linux-2.6.32.43/arch/arm/mm/fault.c linux-2.6.32.43/arch/arm/mm/fault.c
648 --- linux-2.6.32.43/arch/arm/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
649 +++ linux-2.6.32.43/arch/arm/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
650 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
651 }
652 #endif
653
654 +#ifdef CONFIG_PAX_PAGEEXEC
655 + if (fsr & FSR_LNX_PF) {
656 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
657 + do_group_exit(SIGKILL);
658 + }
659 +#endif
660 +
661 tsk->thread.address = addr;
662 tsk->thread.error_code = fsr;
663 tsk->thread.trap_no = 14;
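Review bot: The added block kills the whole thread group on any fault with `FSR_LNX_PF` set, without testing the per-process `MF_PAX_PAGEEXEC` flag. The alpha and avr32 handlers in this patch both check `mm->pax_flags & MF_PAX_PAGEEXEC` before calling `pax_report_fault()`. On ARM, a task with PAGEEXEC disabled would therefore still get SIGKILL instead of the normal signal path below. Unless the flag is enforced somewhere outside this hunk, the condition should be something like `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`.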
664 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
665 }
666 #endif /* CONFIG_MMU */
667
668 +#ifdef CONFIG_PAX_PAGEEXEC
669 +void pax_report_insns(void *pc, void *sp)
670 +{
671 + long i;
672 +
673 + printk(KERN_ERR "PAX: bytes at PC: ");
674 + for (i = 0; i < 20; i++) {
675 + unsigned char c;
676 + if (get_user(c, (__force unsigned char __user *)pc+i))
677 + printk(KERN_CONT "?? ");
678 + else
679 + printk(KERN_CONT "%02x ", c);
680 + }
681 + printk("\n");
682 +
683 + printk(KERN_ERR "PAX: bytes at SP-4: ");
684 + for (i = -1; i < 20; i++) {
685 + unsigned long c;
686 + if (get_user(c, (__force unsigned long __user *)sp+i))
687 + printk(KERN_CONT "???????? ");
688 + else
689 + printk(KERN_CONT "%08lx ", c);
690 + }
691 + printk("\n");
692 +}
693 +#endif
694 +
695 /*
696 * First Level Translation Fault Handler
697 *
698 diff -urNp linux-2.6.32.43/arch/arm/mm/mmap.c linux-2.6.32.43/arch/arm/mm/mmap.c
699 --- linux-2.6.32.43/arch/arm/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
700 +++ linux-2.6.32.43/arch/arm/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
701 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
702 if (len > TASK_SIZE)
703 return -ENOMEM;
704
705 +#ifdef CONFIG_PAX_RANDMMAP
706 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
707 +#endif
708 +
709 if (addr) {
710 if (do_align)
711 addr = COLOUR_ALIGN(addr, pgoff);
712 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
713 addr = PAGE_ALIGN(addr);
714
715 vma = find_vma(mm, addr);
716 - if (TASK_SIZE - len >= addr &&
717 - (!vma || addr + len <= vma->vm_start))
718 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
719 return addr;
720 }
721 if (len > mm->cached_hole_size) {
722 - start_addr = addr = mm->free_area_cache;
723 + start_addr = addr = mm->free_area_cache;
724 } else {
725 - start_addr = addr = TASK_UNMAPPED_BASE;
726 - mm->cached_hole_size = 0;
727 + start_addr = addr = mm->mmap_base;
728 + mm->cached_hole_size = 0;
729 }
730
731 full_search:
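Review bot: Two of the replaced pairs in this hunk differ only in whitespace (`start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;`). They sit beside the one substantive change in that block, `TASK_UNMAPPED_BASE` to `mm->mmap_base`, and make it harder to spot. Dropping the whitespace-only edits would keep the substitution that affects address-space layout easy to review. A comment at `start_addr = addr = mm->mmap_base;` noting that the search base is now per-process would also help readers of the retry path in the next hunk.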
732 @@ -94,14 +97,14 @@ full_search:
733 * Start a new search - just in case we missed
734 * some holes.
735 */
736 - if (start_addr != TASK_UNMAPPED_BASE) {
737 - start_addr = addr = TASK_UNMAPPED_BASE;
738 + if (start_addr != mm->mmap_base) {
739 + start_addr = addr = mm->mmap_base;
740 mm->cached_hole_size = 0;
741 goto full_search;
742 }
743 return -ENOMEM;
744 }
745 - if (!vma || addr + len <= vma->vm_start) {
746 + if (check_heap_stack_gap(vma, addr, len)) {
747 /*
748 * Remember the place where we stopped the search:
749 */
750 diff -urNp linux-2.6.32.43/arch/arm/plat-s3c/pm.c linux-2.6.32.43/arch/arm/plat-s3c/pm.c
751 --- linux-2.6.32.43/arch/arm/plat-s3c/pm.c 2011-03-27 14:31:47.000000000 -0400
752 +++ linux-2.6.32.43/arch/arm/plat-s3c/pm.c 2011-04-17 15:56:45.000000000 -0400
753 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
754 s3c_pm_check_cleanup();
755 }
756
757 -static struct platform_suspend_ops s3c_pm_ops = {
758 +static const struct platform_suspend_ops s3c_pm_ops = {
759 .enter = s3c_pm_enter,
760 .prepare = s3c_pm_prepare,
761 .finish = s3c_pm_finish,
762 diff -urNp linux-2.6.32.43/arch/avr32/include/asm/elf.h linux-2.6.32.43/arch/avr32/include/asm/elf.h
763 --- linux-2.6.32.43/arch/avr32/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
764 +++ linux-2.6.32.43/arch/avr32/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
765 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
766 the loader. We need to make sure that it is out of the way of the program
767 that it will "exec", and that there is sufficient room for the brk. */
768
769 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
770 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
771
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
774 +
775 +#define PAX_DELTA_MMAP_LEN 15
776 +#define PAX_DELTA_STACK_LEN 15
777 +#endif
778
779 /* This yields a mask that user programs can use to figure out what
780 instruction set this CPU supports. This could be done in user space,
781 diff -urNp linux-2.6.32.43/arch/avr32/include/asm/kmap_types.h linux-2.6.32.43/arch/avr32/include/asm/kmap_types.h
782 --- linux-2.6.32.43/arch/avr32/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
783 +++ linux-2.6.32.43/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
784 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
785 D(11) KM_IRQ1,
786 D(12) KM_SOFTIRQ0,
787 D(13) KM_SOFTIRQ1,
788 -D(14) KM_TYPE_NR
789 +D(14) KM_CLEARPAGE,
790 +D(15) KM_TYPE_NR
791 };
792
793 #undef D
794 diff -urNp linux-2.6.32.43/arch/avr32/mach-at32ap/pm.c linux-2.6.32.43/arch/avr32/mach-at32ap/pm.c
795 --- linux-2.6.32.43/arch/avr32/mach-at32ap/pm.c 2011-03-27 14:31:47.000000000 -0400
796 +++ linux-2.6.32.43/arch/avr32/mach-at32ap/pm.c 2011-04-17 15:56:45.000000000 -0400
797 @@ -176,7 +176,7 @@ out:
798 return 0;
799 }
800
801 -static struct platform_suspend_ops avr32_pm_ops = {
802 +static const struct platform_suspend_ops avr32_pm_ops = {
803 .valid = avr32_pm_valid_state,
804 .enter = avr32_pm_enter,
805 };
806 diff -urNp linux-2.6.32.43/arch/avr32/mm/fault.c linux-2.6.32.43/arch/avr32/mm/fault.c
807 --- linux-2.6.32.43/arch/avr32/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
808 +++ linux-2.6.32.43/arch/avr32/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
809 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
810
811 int exception_trace = 1;
812
813 +#ifdef CONFIG_PAX_PAGEEXEC
814 +void pax_report_insns(void *pc, void *sp)
815 +{
816 + unsigned long i;
817 +
818 + printk(KERN_ERR "PAX: bytes at PC: ");
819 + for (i = 0; i < 20; i++) {
820 + unsigned char c;
821 + if (get_user(c, (unsigned char *)pc+i))
822 + printk(KERN_CONT "???????? ");
823 + else
824 + printk(KERN_CONT "%02x ", c);
825 + }
826 + printk("\n");
827 +}
828 +#endif
829 +
830 /*
831 * This routine handles page faults. It determines the address and the
832 * problem, and then passes it off to one of the appropriate routines.
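Review bot: The failure branch prints `"???????? "` (eight characters) while the success branch prints one byte with `"%02x "`, so any unreadable byte misaligns the dump that is used to triage a blocked execution attempt. The ARM `pax_report_insns()` in this patch uses `"?? "` for its byte loop, and this one should match: `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` also lacks the `__user` annotation used on ARM, and the `sp` parameter is never read.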
833 @@ -157,6 +174,16 @@ bad_area:
834 up_read(&mm->mmap_sem);
835
836 if (user_mode(regs)) {
837 +
838 +#ifdef CONFIG_PAX_PAGEEXEC
839 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
840 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
841 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
842 + do_group_exit(SIGKILL);
843 + }
844 + }
845 +#endif
846 +
847 if (exception_trace && printk_ratelimit())
848 printk("%s%s[%d]: segfault at %08lx pc %08lx "
849 "sp %08lx ecr %lu\n",
850 diff -urNp linux-2.6.32.43/arch/blackfin/kernel/kgdb.c linux-2.6.32.43/arch/blackfin/kernel/kgdb.c
851 --- linux-2.6.32.43/arch/blackfin/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
852 +++ linux-2.6.32.43/arch/blackfin/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
853 @@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
854 return -1; /* this means that we do not want to exit from the handler */
855 }
856
857 -struct kgdb_arch arch_kgdb_ops = {
858 +const struct kgdb_arch arch_kgdb_ops = {
859 .gdb_bpt_instr = {0xa1},
860 #ifdef CONFIG_SMP
861 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
862 diff -urNp linux-2.6.32.43/arch/blackfin/mach-common/pm.c linux-2.6.32.43/arch/blackfin/mach-common/pm.c
863 --- linux-2.6.32.43/arch/blackfin/mach-common/pm.c 2011-03-27 14:31:47.000000000 -0400
864 +++ linux-2.6.32.43/arch/blackfin/mach-common/pm.c 2011-04-17 15:56:45.000000000 -0400
865 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
866 return 0;
867 }
868
869 -struct platform_suspend_ops bfin_pm_ops = {
870 +const struct platform_suspend_ops bfin_pm_ops = {
871 .enter = bfin_pm_enter,
872 .valid = bfin_pm_valid,
873 };
874 diff -urNp linux-2.6.32.43/arch/frv/include/asm/kmap_types.h linux-2.6.32.43/arch/frv/include/asm/kmap_types.h
875 --- linux-2.6.32.43/arch/frv/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
876 +++ linux-2.6.32.43/arch/frv/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
877 @@ -23,6 +23,7 @@ enum km_type {
878 KM_IRQ1,
879 KM_SOFTIRQ0,
880 KM_SOFTIRQ1,
881 + KM_CLEARPAGE,
882 KM_TYPE_NR
883 };
884
885 diff -urNp linux-2.6.32.43/arch/frv/mm/elf-fdpic.c linux-2.6.32.43/arch/frv/mm/elf-fdpic.c
886 --- linux-2.6.32.43/arch/frv/mm/elf-fdpic.c 2011-03-27 14:31:47.000000000 -0400
887 +++ linux-2.6.32.43/arch/frv/mm/elf-fdpic.c 2011-04-17 15:56:45.000000000 -0400
888 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
889 if (addr) {
890 addr = PAGE_ALIGN(addr);
891 vma = find_vma(current->mm, addr);
892 - if (TASK_SIZE - len >= addr &&
893 - (!vma || addr + len <= vma->vm_start))
894 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
895 goto success;
896 }
897
898 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
899 for (; vma; vma = vma->vm_next) {
900 if (addr > limit)
901 break;
902 - if (addr + len <= vma->vm_start)
903 + if (check_heap_stack_gap(vma, addr, len))
904 goto success;
905 addr = vma->vm_end;
906 }
907 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
908 for (; vma; vma = vma->vm_next) {
909 if (addr > limit)
910 break;
911 - if (addr + len <= vma->vm_start)
912 + if (check_heap_stack_gap(vma, addr, len))
913 goto success;
914 addr = vma->vm_end;
915 }
916 diff -urNp linux-2.6.32.43/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.43/arch/ia64/hp/common/hwsw_iommu.c
917 --- linux-2.6.32.43/arch/ia64/hp/common/hwsw_iommu.c 2011-03-27 14:31:47.000000000 -0400
918 +++ linux-2.6.32.43/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:56:45.000000000 -0400
919 @@ -17,7 +17,7 @@
920 #include <linux/swiotlb.h>
921 #include <asm/machvec.h>
922
923 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
924 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
925
926 /* swiotlb declarations & definitions: */
927 extern int swiotlb_late_init_with_default_size (size_t size);
928 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
929 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
930 }
931
932 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
933 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
934 {
935 if (use_swiotlb(dev))
936 return &swiotlb_dma_ops;
937 diff -urNp linux-2.6.32.43/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.43/arch/ia64/hp/common/sba_iommu.c
938 --- linux-2.6.32.43/arch/ia64/hp/common/sba_iommu.c 2011-03-27 14:31:47.000000000 -0400
939 +++ linux-2.6.32.43/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:56:45.000000000 -0400
940 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
941 },
942 };
943
944 -extern struct dma_map_ops swiotlb_dma_ops;
945 +extern const struct dma_map_ops swiotlb_dma_ops;
946
947 static int __init
948 sba_init(void)
949 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
950
951 __setup("sbapagesize=",sba_page_override);
952
953 -struct dma_map_ops sba_dma_ops = {
954 +const struct dma_map_ops sba_dma_ops = {
955 .alloc_coherent = sba_alloc_coherent,
956 .free_coherent = sba_free_coherent,
957 .map_page = sba_map_page,
958 diff -urNp linux-2.6.32.43/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.43/arch/ia64/ia32/binfmt_elf32.c
959 --- linux-2.6.32.43/arch/ia64/ia32/binfmt_elf32.c 2011-03-27 14:31:47.000000000 -0400
960 +++ linux-2.6.32.43/arch/ia64/ia32/binfmt_elf32.c 2011-04-17 15:56:45.000000000 -0400
961 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
962
963 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
964
965 +#ifdef CONFIG_PAX_ASLR
966 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
967 +
968 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
969 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
970 +#endif
971 +
972 /* Ugly but avoids duplication */
973 #include "../../../fs/binfmt_elf.c"
974
975 diff -urNp linux-2.6.32.43/arch/ia64/ia32/ia32priv.h linux-2.6.32.43/arch/ia64/ia32/ia32priv.h
976 --- linux-2.6.32.43/arch/ia64/ia32/ia32priv.h 2011-03-27 14:31:47.000000000 -0400
977 +++ linux-2.6.32.43/arch/ia64/ia32/ia32priv.h 2011-04-17 15:56:45.000000000 -0400
978 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
979 #define ELF_DATA ELFDATA2LSB
980 #define ELF_ARCH EM_386
981
982 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
983 +#ifdef CONFIG_PAX_RANDUSTACK
984 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
985 +#else
986 +#define __IA32_DELTA_STACK 0UL
987 +#endif
988 +
989 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
990 +
991 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
992 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
993
994 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.43/arch/ia64/include/asm/dma-mapping.h
995 --- linux-2.6.32.43/arch/ia64/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
996 +++ linux-2.6.32.43/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
997 @@ -12,7 +12,7 @@
998
999 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
1000
1001 -extern struct dma_map_ops *dma_ops;
1002 +extern const struct dma_map_ops *dma_ops;
1003 extern struct ia64_machine_vector ia64_mv;
1004 extern void set_iommu_machvec(void);
1005
1006 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
1007 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1008 dma_addr_t *daddr, gfp_t gfp)
1009 {
1010 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1011 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1012 void *caddr;
1013
1014 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
1015 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
1016 static inline void dma_free_coherent(struct device *dev, size_t size,
1017 void *caddr, dma_addr_t daddr)
1018 {
1019 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1020 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1021 debug_dma_free_coherent(dev, size, caddr, daddr);
1022 ops->free_coherent(dev, size, caddr, daddr);
1023 }
1024 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
1025
1026 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
1027 {
1028 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1029 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1030 return ops->mapping_error(dev, daddr);
1031 }
1032
1033 static inline int dma_supported(struct device *dev, u64 mask)
1034 {
1035 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
1036 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
1037 return ops->dma_supported(dev, mask);
1038 }
1039
1040 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/elf.h linux-2.6.32.43/arch/ia64/include/asm/elf.h
1041 --- linux-2.6.32.43/arch/ia64/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1042 +++ linux-2.6.32.43/arch/ia64/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1043 @@ -43,6 +43,13 @@
1044 */
1045 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
1046
1047 +#ifdef CONFIG_PAX_ASLR
1048 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
1049 +
1050 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1051 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1052 +#endif
1053 +
1054 #define PT_IA_64_UNWIND 0x70000001
1055
1056 /* IA-64 relocations: */
1057 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/machvec.h linux-2.6.32.43/arch/ia64/include/asm/machvec.h
1058 --- linux-2.6.32.43/arch/ia64/include/asm/machvec.h 2011-03-27 14:31:47.000000000 -0400
1059 +++ linux-2.6.32.43/arch/ia64/include/asm/machvec.h 2011-04-17 15:56:45.000000000 -0400
1060 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1061 /* DMA-mapping interface: */
1062 typedef void ia64_mv_dma_init (void);
1063 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1064 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1065 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1066
1067 /*
1068 * WARNING: The legacy I/O space is _architected_. Platforms are
1069 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1070 # endif /* CONFIG_IA64_GENERIC */
1071
1072 extern void swiotlb_dma_init(void);
1073 -extern struct dma_map_ops *dma_get_ops(struct device *);
1074 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1075
1076 /*
1077 * Define default versions so we can extend machvec for new platforms without having
1078 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/pgtable.h linux-2.6.32.43/arch/ia64/include/asm/pgtable.h
1079 --- linux-2.6.32.43/arch/ia64/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1080 +++ linux-2.6.32.43/arch/ia64/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1081 @@ -12,7 +12,7 @@
1082 * David Mosberger-Tang <davidm@hpl.hp.com>
1083 */
1084
1085 -
1086 +#include <linux/const.h>
1087 #include <asm/mman.h>
1088 #include <asm/page.h>
1089 #include <asm/processor.h>
1090 @@ -143,6 +143,17 @@
1091 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1092 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1093 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1094 +
1095 +#ifdef CONFIG_PAX_PAGEEXEC
1096 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1097 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1098 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1099 +#else
1100 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1101 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1102 +# define PAGE_COPY_NOEXEC PAGE_COPY
1103 +#endif
1104 +
1105 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1106 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1107 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
1108 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/spinlock.h linux-2.6.32.43/arch/ia64/include/asm/spinlock.h
1109 --- linux-2.6.32.43/arch/ia64/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
1110 +++ linux-2.6.32.43/arch/ia64/include/asm/spinlock.h 2011-04-17 15:56:45.000000000 -0400
1111 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1112 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1113
1114 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1115 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1116 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1117 }
1118
1119 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1120 diff -urNp linux-2.6.32.43/arch/ia64/include/asm/uaccess.h linux-2.6.32.43/arch/ia64/include/asm/uaccess.h
1121 --- linux-2.6.32.43/arch/ia64/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
1122 +++ linux-2.6.32.43/arch/ia64/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
1123 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1124 const void *__cu_from = (from); \
1125 long __cu_len = (n); \
1126 \
1127 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1128 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1129 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1130 __cu_len; \
1131 })
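Review bot: The new length guard `__cu_len > 0 && __cu_len <= INT_MAX` is undocumented, and when it rejects a length the macro evaluates to the unchanged `__cu_len`, so a negative `n` comes back to the caller as a negative "bytes not copied" count. A comment above the condition would make the contract explicit, e.g. `/* reject negative or >INT_MAX lengths; the caller sees the full length as uncopied */`. The same applies to the second hunk of this file, where a rejected length additionally leaves the kernel destination buffer untouched, so callers of that macro must not read the buffer after a nonzero result. Both macro bodies begin outside their hunks.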
1132 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1133 long __cu_len = (n); \
1134 \
1135 __chk_user_ptr(__cu_from); \
1136 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1137 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1138 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1139 __cu_len; \
1140 })
1141 diff -urNp linux-2.6.32.43/arch/ia64/kernel/dma-mapping.c linux-2.6.32.43/arch/ia64/kernel/dma-mapping.c
1142 --- linux-2.6.32.43/arch/ia64/kernel/dma-mapping.c 2011-03-27 14:31:47.000000000 -0400
1143 +++ linux-2.6.32.43/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:56:45.000000000 -0400
1144 @@ -3,7 +3,7 @@
1145 /* Set this to 1 if there is a HW IOMMU in the system */
1146 int iommu_detected __read_mostly;
1147
1148 -struct dma_map_ops *dma_ops;
1149 +const struct dma_map_ops *dma_ops;
1150 EXPORT_SYMBOL(dma_ops);
1151
1152 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1153 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1154 }
1155 fs_initcall(dma_init);
1156
1157 -struct dma_map_ops *dma_get_ops(struct device *dev)
1158 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1159 {
1160 return dma_ops;
1161 }
1162 diff -urNp linux-2.6.32.43/arch/ia64/kernel/module.c linux-2.6.32.43/arch/ia64/kernel/module.c
1163 --- linux-2.6.32.43/arch/ia64/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1164 +++ linux-2.6.32.43/arch/ia64/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1165 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1166 void
1167 module_free (struct module *mod, void *module_region)
1168 {
1169 - if (mod && mod->arch.init_unw_table &&
1170 - module_region == mod->module_init) {
1171 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1172 unw_remove_unwind_table(mod->arch.init_unw_table);
1173 mod->arch.init_unw_table = NULL;
1174 }
1175 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1176 }
1177
1178 static inline int
1179 +in_init_rx (const struct module *mod, uint64_t addr)
1180 +{
1181 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1182 +}
1183 +
1184 +static inline int
1185 +in_init_rw (const struct module *mod, uint64_t addr)
1186 +{
1187 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1188 +}
1189 +
1190 +static inline int
1191 in_init (const struct module *mod, uint64_t addr)
1192 {
1193 - return addr - (uint64_t) mod->module_init < mod->init_size;
1194 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1195 +}
1196 +
1197 +static inline int
1198 +in_core_rx (const struct module *mod, uint64_t addr)
1199 +{
1200 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1201 +}
1202 +
1203 +static inline int
1204 +in_core_rw (const struct module *mod, uint64_t addr)
1205 +{
1206 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1207 }
1208
1209 static inline int
1210 in_core (const struct module *mod, uint64_t addr)
1211 {
1212 - return addr - (uint64_t) mod->module_core < mod->core_size;
1213 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1214 }
1215
1216 static inline int
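Review bot: The new `in_init_rx`, `in_init_rw`, `in_core_rx` and `in_core_rw` helpers have no comment, and their single-comparison form is not obvious: `addr - base < size` is a range test only because the subtraction is done in `uint64_t` and wraps for addresses below the base. One comment above the first helper covers all four, e.g. `/* unsigned wrap-around makes this true only for base <= addr < base + size */`. It is also worth noting that a region with size 0 never matches, since the callers now chain these tests with `||`.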
1217 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1218 break;
1219
1220 case RV_BDREL:
1221 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1222 + if (in_init_rx(mod, val))
1223 + val -= (uint64_t) mod->module_init_rx;
1224 + else if (in_init_rw(mod, val))
1225 + val -= (uint64_t) mod->module_init_rw;
1226 + else if (in_core_rx(mod, val))
1227 + val -= (uint64_t) mod->module_core_rx;
1228 + else if (in_core_rw(mod, val))
1229 + val -= (uint64_t) mod->module_core_rw;
1230 break;
1231
1232 case RV_LTV:
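Review bot: The new `if`/`else if` chain under `case RV_BDREL` has no final `else`, so a `val` that falls in none of the four regions now passes through unrebased and without any diagnostic, whereas the removed line always subtracted either `module_init` or `module_core`. A trailing branch that reports the address and fails the relocation would turn a bad relocation target into a load error instead of a wrong value; how `do_reloc` signals errors is outside this hunk, so the exact return statement needs checking against the rest of the function. At minimum add `/* val outside every module region: left unchanged */` so the fall-through is visibly intentional.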
1233 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1234 * addresses have been selected...
1235 */
1236 uint64_t gp;
1237 - if (mod->core_size > MAX_LTOFF)
1238 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1239 /*
1240 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1241 * at the end of the module.
1242 */
1243 - gp = mod->core_size - MAX_LTOFF / 2;
1244 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1245 else
1246 - gp = mod->core_size / 2;
1247 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1248 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1249 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1250 mod->arch.gp = gp;
1251 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1252 }
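Review bot: The `gp` computation adds an offset derived from `core_size_rx + core_size_rw` to `mod->module_core_rx`, which is only meaningful if the rw region is laid out directly after the rx region in one contiguous range; nothing in this hunk establishes that. If the two regions can be allocated separately, `gp` may point outside both, and the retained comment about `SHF_ARCH_SMALL` being "at the end of the module" no longer says which region it means. I would state the layout assumption next to the computation, e.g. `/* assumes core_rw immediately follows core_rx */`, or base `gp` on the region that actually holds the small-data sections. The enclosing `apply_relocate_add` starts and ends outside the hunk.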
1253 diff -urNp linux-2.6.32.43/arch/ia64/kernel/pci-dma.c linux-2.6.32.43/arch/ia64/kernel/pci-dma.c
1254 --- linux-2.6.32.43/arch/ia64/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
1255 +++ linux-2.6.32.43/arch/ia64/kernel/pci-dma.c 2011-04-17 15:56:45.000000000 -0400
1256 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1257 .dma_mask = &fallback_dev.coherent_dma_mask,
1258 };
1259
1260 -extern struct dma_map_ops intel_dma_ops;
1261 +extern const struct dma_map_ops intel_dma_ops;
1262
1263 static int __init pci_iommu_init(void)
1264 {
1265 @@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1266 }
1267 EXPORT_SYMBOL(iommu_dma_supported);
1268
1269 +extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1270 +extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1271 +extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1272 +extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1273 +extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1274 +extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1275 +extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1276 +
1277 +static const struct dma_map_ops intel_iommu_dma_ops = {
1278 + /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1279 + .alloc_coherent = intel_alloc_coherent,
1280 + .free_coherent = intel_free_coherent,
1281 + .map_sg = intel_map_sg,
1282 + .unmap_sg = intel_unmap_sg,
1283 + .map_page = intel_map_page,
1284 + .unmap_page = intel_unmap_page,
1285 + .mapping_error = intel_mapping_error,
1286 +
1287 + .sync_single_for_cpu = machvec_dma_sync_single,
1288 + .sync_sg_for_cpu = machvec_dma_sync_sg,
1289 + .sync_single_for_device = machvec_dma_sync_single,
1290 + .sync_sg_for_device = machvec_dma_sync_sg,
1291 + .dma_supported = iommu_dma_supported,
1292 +};
1293 +
1294 void __init pci_iommu_alloc(void)
1295 {
1296 - dma_ops = &intel_dma_ops;
1297 -
1298 - dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1299 - dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1300 - dma_ops->sync_single_for_device = machvec_dma_sync_single;
1301 - dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1302 - dma_ops->dma_supported = iommu_dma_supported;
1303 + dma_ops = &intel_iommu_dma_ops;
1304
1305 /*
1306 * The order of these functions is important for
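Review bot: `intel_iommu_dma_ops` is a hand-copied duplicate of another file's table, as its own comment says, and the seven `extern` prototypes for the `intel_*` callbacks are declared locally in this .c file, so the compiler cannot catch a signature change made in the defining file. Declaring them in a header shared with drivers/pci/intel-iommu.c would restore that check, and the comment should name what must stay in sync, e.g. `/* keep the first seven entries identical to intel_dma_ops in drivers/pci/intel-iommu.c */`. The `extern const struct dma_map_ops intel_dma_ops;` declaration kept by the previous hunk appears to have no remaining user in the lines shown. `pci_iommu_alloc` continues past the end of the hunk.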
1307 diff -urNp linux-2.6.32.43/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.43/arch/ia64/kernel/pci-swiotlb.c
1308 --- linux-2.6.32.43/arch/ia64/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
1309 +++ linux-2.6.32.43/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
1310 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1311 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1312 }
1313
1314 -struct dma_map_ops swiotlb_dma_ops = {
1315 +const struct dma_map_ops swiotlb_dma_ops = {
1316 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1317 .free_coherent = swiotlb_free_coherent,
1318 .map_page = swiotlb_map_page,
1319 diff -urNp linux-2.6.32.43/arch/ia64/kernel/sys_ia64.c linux-2.6.32.43/arch/ia64/kernel/sys_ia64.c
1320 --- linux-2.6.32.43/arch/ia64/kernel/sys_ia64.c 2011-03-27 14:31:47.000000000 -0400
1321 +++ linux-2.6.32.43/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:56:45.000000000 -0400
1322 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1323 if (REGION_NUMBER(addr) == RGN_HPAGE)
1324 addr = 0;
1325 #endif
1326 +
1327 +#ifdef CONFIG_PAX_RANDMMAP
1328 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1329 + addr = mm->free_area_cache;
1330 + else
1331 +#endif
1332 +
1333 if (!addr)
1334 addr = mm->free_area_cache;
1335
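Review bot: The added `else` sits directly before `#endif` and binds to the pre-existing `if (!addr)` two lines further down, so the control flow depends on exactly which statement follows the preprocessor block and is easy to break with a later insertion. Keeping the condition self-contained avoids that: `if (!addr || (mm->pax_flags & MF_PAX_RANDMMAP))` under the `#ifdef`, the plain `if (!addr)` under `#else`, both followed by the single `addr = mm->free_area_cache;`. A short comment that the caller's address hint is deliberately ignored under RANDMMAP would also help. `arch_get_unmapped_area` begins and ends outside this hunk.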
1336 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1337 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1338 /* At this point: (!vma || addr < vma->vm_end). */
1339 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1340 - if (start_addr != TASK_UNMAPPED_BASE) {
1341 + if (start_addr != mm->mmap_base) {
1342 /* Start a new search --- just in case we missed some holes. */
1343 - addr = TASK_UNMAPPED_BASE;
1344 + addr = mm->mmap_base;
1345 goto full_search;
1346 }
1347 return -ENOMEM;
1348 }
1349 - if (!vma || addr + len <= vma->vm_start) {
1350 + if (check_heap_stack_gap(vma, addr, len)) {
1351 /* Remember the address where we stopped this search: */
1352 mm->free_area_cache = addr + len;
1353 return addr;
1354 diff -urNp linux-2.6.32.43/arch/ia64/kernel/topology.c linux-2.6.32.43/arch/ia64/kernel/topology.c
1355 --- linux-2.6.32.43/arch/ia64/kernel/topology.c 2011-03-27 14:31:47.000000000 -0400
1356 +++ linux-2.6.32.43/arch/ia64/kernel/topology.c 2011-04-17 15:56:45.000000000 -0400
1357 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1358 return ret;
1359 }
1360
1361 -static struct sysfs_ops cache_sysfs_ops = {
1362 +static const struct sysfs_ops cache_sysfs_ops = {
1363 .show = cache_show
1364 };
1365
1366 diff -urNp linux-2.6.32.43/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.43/arch/ia64/kernel/vmlinux.lds.S
1367 --- linux-2.6.32.43/arch/ia64/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
1368 +++ linux-2.6.32.43/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:56:45.000000000 -0400
1369 @@ -190,7 +190,7 @@ SECTIONS
1370 /* Per-cpu data: */
1371 . = ALIGN(PERCPU_PAGE_SIZE);
1372 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1373 - __phys_per_cpu_start = __per_cpu_load;
1374 + __phys_per_cpu_start = per_cpu_load;
1375 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1376 * into percpu page size
1377 */
1378 diff -urNp linux-2.6.32.43/arch/ia64/mm/fault.c linux-2.6.32.43/arch/ia64/mm/fault.c
1379 --- linux-2.6.32.43/arch/ia64/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1380 +++ linux-2.6.32.43/arch/ia64/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1381 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1382 return pte_present(pte);
1383 }
1384
1385 +#ifdef CONFIG_PAX_PAGEEXEC
1386 +void pax_report_insns(void *pc, void *sp)
1387 +{
1388 + unsigned long i;
1389 +
1390 + printk(KERN_ERR "PAX: bytes at PC: ");
1391 + for (i = 0; i < 8; i++) {
1392 + unsigned int c;
1393 + if (get_user(c, (unsigned int *)pc+i))
1394 + printk(KERN_CONT "???????? ");
1395 + else
1396 + printk(KERN_CONT "%08x ", c);
1397 + }
1398 + printk("\n");
1399 +}
1400 +#endif
1401 +
1402 void __kprobes
1403 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1404 {
1405 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1406 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1407 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1408
1409 - if ((vma->vm_flags & mask) != mask)
1410 + if ((vma->vm_flags & mask) != mask) {
1411 +
1412 +#ifdef CONFIG_PAX_PAGEEXEC
1413 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1414 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1415 + goto bad_area;
1416 +
1417 + up_read(&mm->mmap_sem);
1418 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1419 + do_group_exit(SIGKILL);
1420 + }
1421 +#endif
1422 +
1423 goto bad_area;
1424
1425 + }
1426 +
1427 survive:
1428 /*
1429 * If for any reason at all we couldn't handle the fault, make
1430 diff -urNp linux-2.6.32.43/arch/ia64/mm/hugetlbpage.c linux-2.6.32.43/arch/ia64/mm/hugetlbpage.c
1431 --- linux-2.6.32.43/arch/ia64/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
1432 +++ linux-2.6.32.43/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:56:45.000000000 -0400
1433 @@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1434 /* At this point: (!vmm || addr < vmm->vm_end). */
1435 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1436 return -ENOMEM;
1437 - if (!vmm || (addr + len) <= vmm->vm_start)
1438 + if (check_heap_stack_gap(vmm, addr, len))
1439 return addr;
1440 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1441 }
1442 diff -urNp linux-2.6.32.43/arch/ia64/mm/init.c linux-2.6.32.43/arch/ia64/mm/init.c
1443 --- linux-2.6.32.43/arch/ia64/mm/init.c 2011-03-27 14:31:47.000000000 -0400
1444 +++ linux-2.6.32.43/arch/ia64/mm/init.c 2011-04-17 15:56:45.000000000 -0400
1445 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1446 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1447 vma->vm_end = vma->vm_start + PAGE_SIZE;
1448 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1449 +
1450 +#ifdef CONFIG_PAX_PAGEEXEC
1451 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1452 + vma->vm_flags &= ~VM_EXEC;
1453 +
1454 +#ifdef CONFIG_PAX_MPROTECT
1455 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1456 + vma->vm_flags &= ~VM_MAYEXEC;
1457 +#endif
1458 +
1459 + }
1460 +#endif
1461 +
1462 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1463 down_write(&current->mm->mmap_sem);
1464 if (insert_vm_struct(current->mm, vma)) {
1465 diff -urNp linux-2.6.32.43/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.43/arch/ia64/sn/pci/pci_dma.c
1466 --- linux-2.6.32.43/arch/ia64/sn/pci/pci_dma.c 2011-03-27 14:31:47.000000000 -0400
1467 +++ linux-2.6.32.43/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:56:45.000000000 -0400
1468 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1469 return ret;
1470 }
1471
1472 -static struct dma_map_ops sn_dma_ops = {
1473 +static const struct dma_map_ops sn_dma_ops = {
1474 .alloc_coherent = sn_dma_alloc_coherent,
1475 .free_coherent = sn_dma_free_coherent,
1476 .map_page = sn_dma_map_page,
1477 diff -urNp linux-2.6.32.43/arch/m32r/lib/usercopy.c linux-2.6.32.43/arch/m32r/lib/usercopy.c
1478 --- linux-2.6.32.43/arch/m32r/lib/usercopy.c 2011-03-27 14:31:47.000000000 -0400
1479 +++ linux-2.6.32.43/arch/m32r/lib/usercopy.c 2011-04-17 15:56:45.000000000 -0400
1480 @@ -14,6 +14,9 @@
1481 unsigned long
1482 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1483 {
1484 + if ((long)n < 0)
1485 + return n;
1486 +
1487 prefetch(from);
1488 if (access_ok(VERIFY_WRITE, to, n))
1489 __copy_user(to,from,n);
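Review bot: The added `if ((long)n < 0) return n;` guard has no comment explaining that it treats a length with the top bit set as a negative value converted to `unsigned long`, and that returning `n` reports the whole request as uncopied. Something like `/* a length above LONG_MAX is taken to be a negative size; fail without touching either buffer */` would do. The second hunk adds the same guard to `__generic_copy_from_user`, where the early return also leaves `to` unwritten, so a caller that ignores the return value would read whatever the buffer held before. Both function bodies continue past the end of their hunks.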
1490 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1491 unsigned long
1492 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1493 {
1494 + if ((long)n < 0)
1495 + return n;
1496 +
1497 prefetchw(to);
1498 if (access_ok(VERIFY_READ, from, n))
1499 __copy_user_zeroing(to,from,n);
1500 diff -urNp linux-2.6.32.43/arch/mips/alchemy/devboards/pm.c linux-2.6.32.43/arch/mips/alchemy/devboards/pm.c
1501 --- linux-2.6.32.43/arch/mips/alchemy/devboards/pm.c 2011-03-27 14:31:47.000000000 -0400
1502 +++ linux-2.6.32.43/arch/mips/alchemy/devboards/pm.c 2011-04-17 15:56:45.000000000 -0400
1503 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1504
1505 }
1506
1507 -static struct platform_suspend_ops db1x_pm_ops = {
1508 +static const struct platform_suspend_ops db1x_pm_ops = {
1509 .valid = suspend_valid_only_mem,
1510 .begin = db1x_pm_begin,
1511 .enter = db1x_pm_enter,
1512 diff -urNp linux-2.6.32.43/arch/mips/include/asm/elf.h linux-2.6.32.43/arch/mips/include/asm/elf.h
1513 --- linux-2.6.32.43/arch/mips/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1514 +++ linux-2.6.32.43/arch/mips/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1515 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1516 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1517 #endif
1518
1519 +#ifdef CONFIG_PAX_ASLR
1520 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1521 +
1522 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1523 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1524 +#endif
1525 +
1526 #endif /* _ASM_ELF_H */
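Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect on the result and is evaluated on every use for nothing. Either write `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`, or, if a different base was intended for the 64-bit case, that value is missing here. The identical definition is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks below. The `27-PAGE_SHIFT` and `36-PAGE_SHIFT` lengths would also benefit from a comment saying how many address bits they are meant to randomise.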
1527 diff -urNp linux-2.6.32.43/arch/mips/include/asm/page.h linux-2.6.32.43/arch/mips/include/asm/page.h
1528 --- linux-2.6.32.43/arch/mips/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
1529 +++ linux-2.6.32.43/arch/mips/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
1530 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1531 #ifdef CONFIG_CPU_MIPS32
1532 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1533 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1534 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1535 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1536 #else
1537 typedef struct { unsigned long long pte; } pte_t;
1538 #define pte_val(x) ((x).pte)
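Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` in `__pte` depend on the type of the argument: if a caller passes a value whose type is 32 bits wide, shifting it by 32 is undefined behaviour in C, whereas the removed cast guaranteed a 64-bit operand. If the intent is to have the compiler flag such callers, say so in a comment next to the macro; otherwise keep the widening, `pte_t __pte = {(x), ((unsigned long long)(x)) >> 32};`. The macro also names `x` twice, so an argument with side effects is evaluated twice, as it was before the change.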
1539 diff -urNp linux-2.6.32.43/arch/mips/include/asm/system.h linux-2.6.32.43/arch/mips/include/asm/system.h
1540 --- linux-2.6.32.43/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
1541 +++ linux-2.6.32.43/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
1542 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1543 */
1544 #define __ARCH_WANT_UNLOCKED_CTXSW
1545
1546 -extern unsigned long arch_align_stack(unsigned long sp);
1547 +#define arch_align_stack(x) ((x) & ~0xfUL)
1548
1549 #endif /* _ASM_SYSTEM_H */
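Review bot: The new `arch_align_stack(x)` macro carries no comment, while the function it replaces (deleted in the process.c section further down) documented the 8- and 16-byte ABI alignment requirement and used `ALMASK`; the hard-coded `~0xfUL` should say that it always aligns to 16 bytes and that no per-call random offset is applied here any more. A `static inline unsigned long arch_align_stack(unsigned long sp)` would keep the argument type-checked, which the macro does not. Suggested comment: `/* align to 16 bytes, enough for both ABIs; stack randomisation is done elsewhere */`, with the last clause to be confirmed against the rest of the patch.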
1550 diff -urNp linux-2.6.32.43/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.43/arch/mips/kernel/binfmt_elfn32.c
1551 --- linux-2.6.32.43/arch/mips/kernel/binfmt_elfn32.c 2011-03-27 14:31:47.000000000 -0400
1552 +++ linux-2.6.32.43/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:56:45.000000000 -0400
1553 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1554 #undef ELF_ET_DYN_BASE
1555 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1556
1557 +#ifdef CONFIG_PAX_ASLR
1558 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1559 +
1560 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1561 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1562 +#endif
1563 +
1564 #include <asm/processor.h>
1565 #include <linux/module.h>
1566 #include <linux/elfcore.h>
1567 diff -urNp linux-2.6.32.43/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.43/arch/mips/kernel/binfmt_elfo32.c
1568 --- linux-2.6.32.43/arch/mips/kernel/binfmt_elfo32.c 2011-03-27 14:31:47.000000000 -0400
1569 +++ linux-2.6.32.43/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:56:45.000000000 -0400
1570 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1571 #undef ELF_ET_DYN_BASE
1572 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1573
1574 +#ifdef CONFIG_PAX_ASLR
1575 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1576 +
1577 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1578 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1579 +#endif
1580 +
1581 #include <asm/processor.h>
1582
1583 /*
1584 diff -urNp linux-2.6.32.43/arch/mips/kernel/kgdb.c linux-2.6.32.43/arch/mips/kernel/kgdb.c
1585 --- linux-2.6.32.43/arch/mips/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1586 +++ linux-2.6.32.43/arch/mips/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1587 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1588 return -1;
1589 }
1590
1591 +/* cannot be const */
1592 struct kgdb_arch arch_kgdb_ops;
1593
1594 /*
1595 diff -urNp linux-2.6.32.43/arch/mips/kernel/process.c linux-2.6.32.43/arch/mips/kernel/process.c
1596 --- linux-2.6.32.43/arch/mips/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
1597 +++ linux-2.6.32.43/arch/mips/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
1598 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1599 out:
1600 return pc;
1601 }
1602 -
1603 -/*
1604 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1605 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1606 - */
1607 -unsigned long arch_align_stack(unsigned long sp)
1608 -{
1609 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1610 - sp -= get_random_int() & ~PAGE_MASK;
1611 -
1612 - return sp & ALMASK;
1613 -}
1614 diff -urNp linux-2.6.32.43/arch/mips/kernel/syscall.c linux-2.6.32.43/arch/mips/kernel/syscall.c
1615 --- linux-2.6.32.43/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400
1616 +++ linux-2.6.32.43/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400
1617 @@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1618 do_color_align = 0;
1619 if (filp || (flags & MAP_SHARED))
1620 do_color_align = 1;
1621 +
1622 +#ifdef CONFIG_PAX_RANDMMAP
1623 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1624 +#endif
1625 +
1626 if (addr) {
1627 if (do_color_align)
1628 addr = COLOUR_ALIGN(addr, pgoff);
1629 else
1630 addr = PAGE_ALIGN(addr);
1631 vmm = find_vma(current->mm, addr);
1632 - if (task_size - len >= addr &&
1633 - (!vmm || addr + len <= vmm->vm_start))
1634 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1635 return addr;
1636 }
1637 - addr = TASK_UNMAPPED_BASE;
1638 + addr = current->mm->mmap_base;
1639 if (do_color_align)
1640 addr = COLOUR_ALIGN(addr, pgoff);
1641 else
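Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated from the `if (addr) {` block it guards by `#endif` and a blank line, so the control flow is easy to misread and breaks silently if a statement is ever inserted between them. Dropping the blank line and annotating the guard, e.g. `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP)) /* hint in addr is ignored under RANDMMAP */`, would make the intent visible. The enclosing function starts and ends outside this hunk.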
1642 @@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1643 /* At this point: (!vmm || addr < vmm->vm_end). */
1644 if (task_size - len < addr)
1645 return -ENOMEM;
1646 - if (!vmm || addr + len <= vmm->vm_start)
1647 + if (check_heap_stack_gap(vmm, addr, len))
1648 return addr;
1649 addr = vmm->vm_end;
1650 if (do_color_align)
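Review bot: The old condition short-circuited on `!vmm`, so the following `addr = vmm->vm_end` was reached only with a valid vma. With `check_heap_stack_gap(vmm, addr, len)` that safety now depends on the helper returning non-zero for a NULL vma. Its definition is not in view, so this should be confirmed and stated at the call site, e.g. `/* check_heap_stack_gap() returns true for a NULL vma */`. The same pattern is introduced in get_unshared_area() and get_shared_area() in arch/parisc/kernel/sys_parisc.c. The loop body continues outside the hunk.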
1651 diff -urNp linux-2.6.32.43/arch/mips/mm/fault.c linux-2.6.32.43/arch/mips/mm/fault.c
1652 --- linux-2.6.32.43/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1653 +++ linux-2.6.32.43/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1654 @@ -26,6 +26,23 @@
1655 #include <asm/ptrace.h>
1656 #include <asm/highmem.h> /* For VMALLOC_END */
1657
1658 +#ifdef CONFIG_PAX_PAGEEXEC
1659 +void pax_report_insns(void *pc, void *sp)
1660 +{
1661 + unsigned long i;
1662 +
1663 + printk(KERN_ERR "PAX: bytes at PC: ");
1664 + for (i = 0; i < 5; i++) {
1665 + unsigned int c;
1666 + if (get_user(c, (unsigned int *)pc+i))
1667 + printk(KERN_CONT "???????? ");
1668 + else
1669 + printk(KERN_CONT "%08x ", c);
1670 + }
1671 + printk("\n");
1672 +}
1673 +#endif
1674 +
1675 /*
1676 * This routine handles page faults. It determines the address,
1677 * and the problem, and then passes it off to one of the appropriate
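Review bot: `pax_report_insns()` takes `sp` but never uses it, and has no comment describing what it prints or that `pc` is treated as a user-space address read through `get_user()`. A short header comment saying that it logs five 32-bit words starting at `pc` and prints `????????` for unreadable words would cover it, and the literal `5` could become a named constant. The closing `printk("\n")` also lacks the `KERN_CONT` prefix that the other continuation lines use; `printk(KERN_CONT "\n");` would be consistent. An identical copy of this function is added in arch/parisc/mm/fault.c.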
1678 diff -urNp linux-2.6.32.43/arch/parisc/include/asm/elf.h linux-2.6.32.43/arch/parisc/include/asm/elf.h
1679 --- linux-2.6.32.43/arch/parisc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1680 +++ linux-2.6.32.43/arch/parisc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1681 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1682
1683 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1684
1685 +#ifdef CONFIG_PAX_ASLR
1686 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1687 +
1688 +#define PAX_DELTA_MMAP_LEN 16
1689 +#define PAX_DELTA_STACK_LEN 16
1690 +#endif
1691 +
1692 /* This yields a mask that user programs can use to figure out what
1693 instruction set this CPU supports. This could be done in user space,
1694 but it's not easy, and we've already done it here. */
1695 diff -urNp linux-2.6.32.43/arch/parisc/include/asm/pgtable.h linux-2.6.32.43/arch/parisc/include/asm/pgtable.h
1696 --- linux-2.6.32.43/arch/parisc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1697 +++ linux-2.6.32.43/arch/parisc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1698 @@ -207,6 +207,17 @@
1699 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1700 #define PAGE_COPY PAGE_EXECREAD
1701 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1702 +
1703 +#ifdef CONFIG_PAX_PAGEEXEC
1704 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1705 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1706 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1707 +#else
1708 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1709 +# define PAGE_COPY_NOEXEC PAGE_COPY
1710 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1711 +#endif
1712 +
1713 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1714 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1715 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1716 diff -urNp linux-2.6.32.43/arch/parisc/kernel/module.c linux-2.6.32.43/arch/parisc/kernel/module.c
1717 --- linux-2.6.32.43/arch/parisc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1718 +++ linux-2.6.32.43/arch/parisc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1719 @@ -95,16 +95,38 @@
1720
1721 /* three functions to determine where in the module core
1722 * or init pieces the location is */
1723 +static inline int in_init_rx(struct module *me, void *loc)
1724 +{
1725 + return (loc >= me->module_init_rx &&
1726 + loc < (me->module_init_rx + me->init_size_rx));
1727 +}
1728 +
1729 +static inline int in_init_rw(struct module *me, void *loc)
1730 +{
1731 + return (loc >= me->module_init_rw &&
1732 + loc < (me->module_init_rw + me->init_size_rw));
1733 +}
1734 +
1735 static inline int in_init(struct module *me, void *loc)
1736 {
1737 - return (loc >= me->module_init &&
1738 - loc <= (me->module_init + me->init_size));
1739 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1740 +}
1741 +
1742 +static inline int in_core_rx(struct module *me, void *loc)
1743 +{
1744 + return (loc >= me->module_core_rx &&
1745 + loc < (me->module_core_rx + me->core_size_rx));
1746 +}
1747 +
1748 +static inline int in_core_rw(struct module *me, void *loc)
1749 +{
1750 + return (loc >= me->module_core_rw &&
1751 + loc < (me->module_core_rw + me->core_size_rw));
1752 }
1753
1754 static inline int in_core(struct module *me, void *loc)
1755 {
1756 - return (loc >= me->module_core &&
1757 - loc <= (me->module_core + me->core_size));
1758 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1759 }
1760
1761 static inline int in_local(struct module *me, void *loc)
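Review bot: Besides splitting the ranges into rx and rw halves, the new helpers change the upper bound from `<=` to `<`, so an address exactly one past the end of a region is no longer reported as inside it by `in_init()`/`in_core()`. That is a behaviour change for callers such as `in_local()`, whose body lies outside this hunk, and it is not mentioned anywhere. A comment on the helpers, e.g. `/* half-open range: [base, base + size) */`, would record that the tightening is deliberate. The four `in_*_rx`/`in_*_rw` bodies differ only in field names and could share one range-check helper.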
1762 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1763 }
1764
1765 /* align things a bit */
1766 - me->core_size = ALIGN(me->core_size, 16);
1767 - me->arch.got_offset = me->core_size;
1768 - me->core_size += gots * sizeof(struct got_entry);
1769 -
1770 - me->core_size = ALIGN(me->core_size, 16);
1771 - me->arch.fdesc_offset = me->core_size;
1772 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1773 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1774 + me->arch.got_offset = me->core_size_rw;
1775 + me->core_size_rw += gots * sizeof(struct got_entry);
1776 +
1777 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1778 + me->arch.fdesc_offset = me->core_size_rw;
1779 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1780
1781 me->arch.got_max = gots;
1782 me->arch.fdesc_max = fdescs;
1783 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1784
1785 BUG_ON(value == 0);
1786
1787 - got = me->module_core + me->arch.got_offset;
1788 + got = me->module_core_rw + me->arch.got_offset;
1789 for (i = 0; got[i].addr; i++)
1790 if (got[i].addr == value)
1791 goto out;
1792 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1793 #ifdef CONFIG_64BIT
1794 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1795 {
1796 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1797 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1798
1799 if (!value) {
1800 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1801 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1802
1803 /* Create new one */
1804 fdesc->addr = value;
1805 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1806 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1807 return (Elf_Addr)fdesc;
1808 }
1809 #endif /* CONFIG_64BIT */
1810 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1811
1812 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1813 end = table + sechdrs[me->arch.unwind_section].sh_size;
1814 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1815 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1816
1817 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1818 me->arch.unwind_section, table, end, gp);
1819 diff -urNp linux-2.6.32.43/arch/parisc/kernel/sys_parisc.c linux-2.6.32.43/arch/parisc/kernel/sys_parisc.c
1820 --- linux-2.6.32.43/arch/parisc/kernel/sys_parisc.c 2011-03-27 14:31:47.000000000 -0400
1821 +++ linux-2.6.32.43/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:56:45.000000000 -0400
1822 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1823 /* At this point: (!vma || addr < vma->vm_end). */
1824 if (TASK_SIZE - len < addr)
1825 return -ENOMEM;
1826 - if (!vma || addr + len <= vma->vm_start)
1827 + if (check_heap_stack_gap(vma, addr, len))
1828 return addr;
1829 addr = vma->vm_end;
1830 }
1831 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1832 /* At this point: (!vma || addr < vma->vm_end). */
1833 if (TASK_SIZE - len < addr)
1834 return -ENOMEM;
1835 - if (!vma || addr + len <= vma->vm_start)
1836 + if (check_heap_stack_gap(vma, addr, len))
1837 return addr;
1838 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1839 if (addr < vma->vm_end) /* handle wraparound */
1840 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1841 if (flags & MAP_FIXED)
1842 return addr;
1843 if (!addr)
1844 - addr = TASK_UNMAPPED_BASE;
1845 + addr = current->mm->mmap_base;
1846
1847 if (filp) {
1848 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1849 diff -urNp linux-2.6.32.43/arch/parisc/kernel/traps.c linux-2.6.32.43/arch/parisc/kernel/traps.c
1850 --- linux-2.6.32.43/arch/parisc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
1851 +++ linux-2.6.32.43/arch/parisc/kernel/traps.c 2011-04-17 15:56:45.000000000 -0400
1852 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1853
1854 down_read(&current->mm->mmap_sem);
1855 vma = find_vma(current->mm,regs->iaoq[0]);
1856 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1857 - && (vma->vm_flags & VM_EXEC)) {
1858 -
1859 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1860 fault_address = regs->iaoq[0];
1861 fault_space = regs->iasq[0];
1862
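Review bot: The `vma->vm_flags & VM_EXEC` test is removed unconditionally rather than under `CONFIG_PAX_PAGEEXEC`, so on every configuration an interruption at an address inside a non-executable vma now enters this branch. The rest of handle_interruption() is outside the hunk, so the consequence is inferred. Presumably the permission decision is meant to move to the `vm_flags` check in arch/parisc/mm/fault.c, where `parisc_acctyp()` gains `code == 7` in this patch. A comment here, e.g. `/* exec permission is checked by the page fault handler */`, would explain why the test is gone.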
1863 diff -urNp linux-2.6.32.43/arch/parisc/mm/fault.c linux-2.6.32.43/arch/parisc/mm/fault.c
1864 --- linux-2.6.32.43/arch/parisc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1865 +++ linux-2.6.32.43/arch/parisc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1866 @@ -15,6 +15,7 @@
1867 #include <linux/sched.h>
1868 #include <linux/interrupt.h>
1869 #include <linux/module.h>
1870 +#include <linux/unistd.h>
1871
1872 #include <asm/uaccess.h>
1873 #include <asm/traps.h>
1874 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1875 static unsigned long
1876 parisc_acctyp(unsigned long code, unsigned int inst)
1877 {
1878 - if (code == 6 || code == 16)
1879 + if (code == 6 || code == 7 || code == 16)
1880 return VM_EXEC;
1881
1882 switch (inst & 0xf0000000) {
1883 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1884 }
1885 #endif
1886
1887 +#ifdef CONFIG_PAX_PAGEEXEC
1888 +/*
1889 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1890 + *
1891 + * returns 1 when task should be killed
1892 + * 2 when rt_sigreturn trampoline was detected
1893 + * 3 when unpatched PLT trampoline was detected
1894 + */
1895 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1896 +{
1897 +
1898 +#ifdef CONFIG_PAX_EMUPLT
1899 + int err;
1900 +
1901 + do { /* PaX: unpatched PLT emulation */
1902 + unsigned int bl, depwi;
1903 +
1904 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1905 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1906 +
1907 + if (err)
1908 + break;
1909 +
1910 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1911 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1912 +
1913 + err = get_user(ldw, (unsigned int *)addr);
1914 + err |= get_user(bv, (unsigned int *)(addr+4));
1915 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1916 +
1917 + if (err)
1918 + break;
1919 +
1920 + if (ldw == 0x0E801096U &&
1921 + bv == 0xEAC0C000U &&
1922 + ldw2 == 0x0E881095U)
1923 + {
1924 + unsigned int resolver, map;
1925 +
1926 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1927 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1928 + if (err)
1929 + break;
1930 +
1931 + regs->gr[20] = instruction_pointer(regs)+8;
1932 + regs->gr[21] = map;
1933 + regs->gr[22] = resolver;
1934 + regs->iaoq[0] = resolver | 3UL;
1935 + regs->iaoq[1] = regs->iaoq[0] + 4;
1936 + return 3;
1937 + }
1938 + }
1939 + } while (0);
1940 +#endif
1941 +
1942 +#ifdef CONFIG_PAX_EMUTRAMP
1943 +
1944 +#ifndef CONFIG_PAX_EMUSIGRT
1945 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1946 + return 1;
1947 +#endif
1948 +
1949 + do { /* PaX: rt_sigreturn emulation */
1950 + unsigned int ldi1, ldi2, bel, nop;
1951 +
1952 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1953 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1954 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1955 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1956 +
1957 + if (err)
1958 + break;
1959 +
1960 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1961 + ldi2 == 0x3414015AU &&
1962 + bel == 0xE4008200U &&
1963 + nop == 0x08000240U)
1964 + {
1965 + regs->gr[25] = (ldi1 & 2) >> 1;
1966 + regs->gr[20] = __NR_rt_sigreturn;
1967 + regs->gr[31] = regs->iaoq[1] + 16;
1968 + regs->sr[0] = regs->iasq[1];
1969 + regs->iaoq[0] = 0x100UL;
1970 + regs->iaoq[1] = regs->iaoq[0] + 4;
1971 + regs->iasq[0] = regs->sr[2];
1972 + regs->iasq[1] = regs->sr[2];
1973 + return 2;
1974 + }
1975 + } while (0);
1976 +#endif
1977 +
1978 + return 1;
1979 +}
1980 +
1981 +void pax_report_insns(void *pc, void *sp)
1982 +{
1983 + unsigned long i;
1984 +
1985 + printk(KERN_ERR "PAX: bytes at PC: ");
1986 + for (i = 0; i < 5; i++) {
1987 + unsigned int c;
1988 + if (get_user(c, (unsigned int *)pc+i))
1989 + printk(KERN_CONT "???????? ");
1990 + else
1991 + printk(KERN_CONT "%08x ", c);
1992 + }
1993 + printk("\n");
1994 +}
1995 +#endif
1996 +
1997 int fixup_exception(struct pt_regs *regs)
1998 {
1999 const struct exception_table_entry *fix;
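Review bot: In `pax_handle_fetch_fault()` the variable `err` is declared inside the `#ifdef CONFIG_PAX_EMUPLT` block but is also assigned in the `CONFIG_PAX_EMUTRAMP` block, so a configuration with EMUTRAMP enabled and EMUPLT disabled would not compile unless Kconfig forbids that combination. Declaring it under its own guard removes the dependency: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, `int err;`, `#endif`. Separately, `addr` in the PLT path is an `unsigned int` initialised from `instruction_pointer(regs)-12`, which would truncate the address if this code is built for a 64-bit kernel. That should be `unsigned long` unless the path is known to be 32-bit only.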
2000 @@ -192,8 +303,33 @@ good_area:
2001
2002 acc_type = parisc_acctyp(code,regs->iir);
2003
2004 - if ((vma->vm_flags & acc_type) != acc_type)
2005 + if ((vma->vm_flags & acc_type) != acc_type) {
2006 +
2007 +#ifdef CONFIG_PAX_PAGEEXEC
2008 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2009 + (address & ~3UL) == instruction_pointer(regs))
2010 + {
2011 + up_read(&mm->mmap_sem);
2012 + switch (pax_handle_fetch_fault(regs)) {
2013 +
2014 +#ifdef CONFIG_PAX_EMUPLT
2015 + case 3:
2016 + return;
2017 +#endif
2018 +
2019 +#ifdef CONFIG_PAX_EMUTRAMP
2020 + case 2:
2021 + return;
2022 +#endif
2023 +
2024 + }
2025 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2026 + do_group_exit(SIGKILL);
2027 + }
2028 +#endif
2029 +
2030 goto bad_area;
2031 + }
2032
2033 /*
2034 * If for any reason at all we couldn't handle the fault, make
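Review bot: The `switch` on `pax_handle_fetch_fault(regs)` uses the bare values `2` and `3` and has no `default`, so the kill path is reached only by falling out of the switch. The meaning of each value is documented only on the callee. Named constants shared with `pax_handle_fetch_fault()` would keep the two sides in step. The code also relies on `do_group_exit(SIGKILL)` not returning, since `mmap_sem` has already been released before `goto bad_area` would be reached; a comment such as `/* not reached: mmap_sem was dropped above */` after the call would make that explicit. The enclosing function starts and ends outside the hunk.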
2035 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/device.h linux-2.6.32.43/arch/powerpc/include/asm/device.h
2036 --- linux-2.6.32.43/arch/powerpc/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
2037 +++ linux-2.6.32.43/arch/powerpc/include/asm/device.h 2011-04-17 15:56:45.000000000 -0400
2038 @@ -14,7 +14,7 @@ struct dev_archdata {
2039 struct device_node *of_node;
2040
2041 /* DMA operations on that device */
2042 - struct dma_map_ops *dma_ops;
2043 + const struct dma_map_ops *dma_ops;
2044
2045 /*
2046 * When an iommu is in use, dma_data is used as a ptr to the base of the
2047 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.43/arch/powerpc/include/asm/dma-mapping.h
2048 --- linux-2.6.32.43/arch/powerpc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
2049 +++ linux-2.6.32.43/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
2050 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2051 #ifdef CONFIG_PPC64
2052 extern struct dma_map_ops dma_iommu_ops;
2053 #endif
2054 -extern struct dma_map_ops dma_direct_ops;
2055 +extern const struct dma_map_ops dma_direct_ops;
2056
2057 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2058 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2059 {
2060 /* We don't handle the NULL dev case for ISA for now. We could
2061 * do it via an out of line call but it is not needed for now. The
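Review bot: `dma_direct_ops` becomes `const` here, but the context line `extern struct dma_map_ops dma_iommu_ops;` under `CONFIG_PPC64` is left writable. That leaves one ops table outside the read-only protection the rest of this change is adding. If it has to stay mutable (for instance because it is patched at init time, which is not visible here), a note in the style this patch uses elsewhere, `/* cannot be const */`, would document that. Otherwise it should read `extern const struct dma_map_ops dma_iommu_ops;`.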
2062 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2063 return dev->archdata.dma_ops;
2064 }
2065
2066 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2067 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2068 {
2069 dev->archdata.dma_ops = ops;
2070 }
2071 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2072
2073 static inline int dma_supported(struct device *dev, u64 mask)
2074 {
2075 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2076 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2077
2078 if (unlikely(dma_ops == NULL))
2079 return 0;
2080 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2081
2082 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2083 {
2084 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2085 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2086
2087 if (unlikely(dma_ops == NULL))
2088 return -EIO;
2089 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2090 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2091 dma_addr_t *dma_handle, gfp_t flag)
2092 {
2093 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2094 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2095 void *cpu_addr;
2096
2097 BUG_ON(!dma_ops);
2098 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2099 static inline void dma_free_coherent(struct device *dev, size_t size,
2100 void *cpu_addr, dma_addr_t dma_handle)
2101 {
2102 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2103 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2104
2105 BUG_ON(!dma_ops);
2106
2107 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2108
2109 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2110 {
2111 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2112 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2113
2114 if (dma_ops->mapping_error)
2115 return dma_ops->mapping_error(dev, dma_addr);
2116 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/elf.h linux-2.6.32.43/arch/powerpc/include/asm/elf.h
2117 --- linux-2.6.32.43/arch/powerpc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2118 +++ linux-2.6.32.43/arch/powerpc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2119 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2120 the loader. We need to make sure that it is out of the way of the program
2121 that it will "exec", and that there is sufficient room for the brk. */
2122
2123 -extern unsigned long randomize_et_dyn(unsigned long base);
2124 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2125 +#define ELF_ET_DYN_BASE (0x20000000)
2126 +
2127 +#ifdef CONFIG_PAX_ASLR
2128 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2129 +
2130 +#ifdef __powerpc64__
2131 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2132 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2133 +#else
2134 +#define PAX_DELTA_MMAP_LEN 15
2135 +#define PAX_DELTA_STACK_LEN 15
2136 +#endif
2137 +#endif
2138
2139 /*
2140 * Our registers are always unsigned longs, whether we're a 32 bit
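Review bot: `ELF_ET_DYN_BASE` changes from `randomize_et_dyn(0x20000000)` to the fixed `(0x20000000)` for every configuration, while the replacement `PAX_ELF_ET_DYN_BASE` and the delta lengths exist only under `CONFIG_PAX_ASLR`. Unless the ELF loader randomizes the base elsewhere (not visible in this hunk), a kernel built with this patch and PaX ASLR disabled would load ET_DYN binaries at a constant address. Worth confirming and stating in a comment, e.g. `/* randomization is applied by PaX, not here */`. The `PAX_DELTA_*_LEN` values would also read better with a note that they are bit counts.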
2141 @@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2142 (0x7ff >> (PAGE_SHIFT - 12)) : \
2143 (0x3ffff >> (PAGE_SHIFT - 12)))
2144
2145 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2146 -#define arch_randomize_brk arch_randomize_brk
2147 -
2148 #endif /* __KERNEL__ */
2149
2150 /*
2151 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/iommu.h linux-2.6.32.43/arch/powerpc/include/asm/iommu.h
2152 --- linux-2.6.32.43/arch/powerpc/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
2153 +++ linux-2.6.32.43/arch/powerpc/include/asm/iommu.h 2011-04-17 15:56:45.000000000 -0400
2154 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2155 extern void iommu_init_early_dart(void);
2156 extern void iommu_init_early_pasemi(void);
2157
2158 +/* dma-iommu.c */
2159 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2160 +
2161 #ifdef CONFIG_PCI
2162 extern void pci_iommu_init(void);
2163 extern void pci_direct_iommu_init(void);
2164 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.43/arch/powerpc/include/asm/kmap_types.h
2165 --- linux-2.6.32.43/arch/powerpc/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
2166 +++ linux-2.6.32.43/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
2167 @@ -26,6 +26,7 @@ enum km_type {
2168 KM_SOFTIRQ1,
2169 KM_PPC_SYNC_PAGE,
2170 KM_PPC_SYNC_ICACHE,
2171 + KM_CLEARPAGE,
2172 KM_TYPE_NR
2173 };
2174
2175 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/page_64.h linux-2.6.32.43/arch/powerpc/include/asm/page_64.h
2176 --- linux-2.6.32.43/arch/powerpc/include/asm/page_64.h 2011-03-27 14:31:47.000000000 -0400
2177 +++ linux-2.6.32.43/arch/powerpc/include/asm/page_64.h 2011-04-17 15:56:45.000000000 -0400
2178 @@ -180,15 +180,18 @@ do { \
2179 * stack by default, so in the absense of a PT_GNU_STACK program header
2180 * we turn execute permission off.
2181 */
2182 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2183 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2184 +#define VM_STACK_DEFAULT_FLAGS32 \
2185 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2186 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2187
2188 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2189 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2190
2191 +#ifndef CONFIG_PAX_PAGEEXEC
2192 #define VM_STACK_DEFAULT_FLAGS \
2193 (test_thread_flag(TIF_32BIT) ? \
2194 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2195 +#endif
2196
2197 #include <asm-generic/getorder.h>
2198
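Review bot: With `CONFIG_PAX_PAGEEXEC` set, `VM_STACK_DEFAULT_FLAGS` is no longer defined by this header, and the hunk gives no indication of where the replacement definition lives. A comment on the guard naming the file that supplies it, e.g. `#ifndef CONFIG_PAX_PAGEEXEC /* otherwise defined in <placeholder: header> */`, would save the next reader a search. `VM_STACK_DEFAULT_FLAGS32` now expands to an expression using `current->personality`, so it is no longer a compile-time constant and needs `current` in scope wherever it is used. The comment block above the macro begins outside the hunk and does not mention the `READ_IMPLIES_EXEC` condition.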
2199 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/page.h linux-2.6.32.43/arch/powerpc/include/asm/page.h
2200 --- linux-2.6.32.43/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2201 +++ linux-2.6.32.43/arch/powerpc/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
2202 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2203 * and needs to be executable. This means the whole heap ends
2204 * up being executable.
2205 */
2206 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2207 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2208 +#define VM_DATA_DEFAULT_FLAGS32 \
2209 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2210 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2211
2212 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2213 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
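Review bot: The comment above `VM_DATA_DEFAULT_FLAGS32` (it begins outside the hunk) still ends with "the whole heap ends up being executable", which is no longer true: `VM_EXEC` is now set only when `current->personality & READ_IMPLIES_EXEC`. The comment should be updated in the same change, for example by appending `* With this patch VM_EXEC is set only under READ_IMPLIES_EXEC.`. Since that comment says something in the 32-bit ABI needs an executable data area, it would also help to say how affected binaries are expected to opt in.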
2214 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2215 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2216 #endif
2217
2218 +#define ktla_ktva(addr) (addr)
2219 +#define ktva_ktla(addr) (addr)
2220 +
2221 #ifndef __ASSEMBLY__
2222
2223 #undef STRICT_MM_TYPECHECKS
2224 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/pci.h linux-2.6.32.43/arch/powerpc/include/asm/pci.h
2225 --- linux-2.6.32.43/arch/powerpc/include/asm/pci.h 2011-03-27 14:31:47.000000000 -0400
2226 +++ linux-2.6.32.43/arch/powerpc/include/asm/pci.h 2011-04-17 15:56:45.000000000 -0400
2227 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2228 }
2229
2230 #ifdef CONFIG_PCI
2231 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2232 -extern struct dma_map_ops *get_pci_dma_ops(void);
2233 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2234 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2235 #else /* CONFIG_PCI */
2236 #define set_pci_dma_ops(d)
2237 #define get_pci_dma_ops() NULL
2238 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/pgtable.h linux-2.6.32.43/arch/powerpc/include/asm/pgtable.h
2239 --- linux-2.6.32.43/arch/powerpc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2240 +++ linux-2.6.32.43/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2241 @@ -2,6 +2,7 @@
2242 #define _ASM_POWERPC_PGTABLE_H
2243 #ifdef __KERNEL__
2244
2245 +#include <linux/const.h>
2246 #ifndef __ASSEMBLY__
2247 #include <asm/processor.h> /* For TASK_SIZE */
2248 #include <asm/mmu.h>
2249 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.43/arch/powerpc/include/asm/pte-hash32.h
2250 --- linux-2.6.32.43/arch/powerpc/include/asm/pte-hash32.h 2011-03-27 14:31:47.000000000 -0400
2251 +++ linux-2.6.32.43/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:56:45.000000000 -0400
2252 @@ -21,6 +21,7 @@
2253 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2254 #define _PAGE_USER 0x004 /* usermode access allowed */
2255 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2256 +#define _PAGE_EXEC _PAGE_GUARDED
2257 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2258 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2259 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
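Review bot: `_PAGE_EXEC` is defined as an alias of `_PAGE_GUARDED` with no comment, while the neighbouring line documents bit 0x008 as "G: prohibit speculative access". A reader cannot tell from this header why an exec-related name shares the guarded bit, or how it relates to the `DSISR_GUARDED` flag added in asm/reg.h by the same patch. A trailing comment in the file's existing style, e.g. `/* PaX: shares the G bit, see DSISR_GUARDED */`, would record the overload.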
2260 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/reg.h linux-2.6.32.43/arch/powerpc/include/asm/reg.h
2261 --- linux-2.6.32.43/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400
2262 +++ linux-2.6.32.43/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400
2263 @@ -191,6 +191,7 @@
2264 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2265 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2266 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2267 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2268 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2269 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2270 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2271 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.43/arch/powerpc/include/asm/swiotlb.h
2272 --- linux-2.6.32.43/arch/powerpc/include/asm/swiotlb.h 2011-03-27 14:31:47.000000000 -0400
2273 +++ linux-2.6.32.43/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:56:45.000000000 -0400
2274 @@ -13,7 +13,7 @@
2275
2276 #include <linux/swiotlb.h>
2277
2278 -extern struct dma_map_ops swiotlb_dma_ops;
2279 +extern const struct dma_map_ops swiotlb_dma_ops;
2280
2281 static inline void dma_mark_clean(void *addr, size_t size) {}
2282
2283 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/system.h linux-2.6.32.43/arch/powerpc/include/asm/system.h
2284 --- linux-2.6.32.43/arch/powerpc/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
2285 +++ linux-2.6.32.43/arch/powerpc/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
2286 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2287 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2288 #endif
2289
2290 -extern unsigned long arch_align_stack(unsigned long sp);
2291 +#define arch_align_stack(x) ((x) & ~0xfUL)
2292
2293 /* Used in very early kernel initialization. */
2294 extern unsigned long reloc_offset(void);
2295 diff -urNp linux-2.6.32.43/arch/powerpc/include/asm/uaccess.h linux-2.6.32.43/arch/powerpc/include/asm/uaccess.h
2296 --- linux-2.6.32.43/arch/powerpc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
2297 +++ linux-2.6.32.43/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
2298 @@ -13,6 +13,8 @@
2299 #define VERIFY_READ 0
2300 #define VERIFY_WRITE 1
2301
2302 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2303 +
2304 /*
2305 * The fs value determines whether argument validity checking should be
2306 * performed or not. If get_fs() == USER_DS, checking is performed, with
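Review bot: The `check_object_size()` prototype is added without any description, and the meaning of the boolean `to` is not obvious from the name. From the call sites added later in this file it is `false` in the copy-from-user paths, where `ptr` is the kernel destination, and `true` in the copy-to-user paths, where `ptr` is the kernel source. A one-line comment above the declaration, e.g. `/* ptr: kernel-side buffer, n: byte count, to: true when copying to user space */`, would document that contract.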
2307 @@ -327,52 +329,6 @@ do { \
2308 extern unsigned long __copy_tofrom_user(void __user *to,
2309 const void __user *from, unsigned long size);
2310
2311 -#ifndef __powerpc64__
2312 -
2313 -static inline unsigned long copy_from_user(void *to,
2314 - const void __user *from, unsigned long n)
2315 -{
2316 - unsigned long over;
2317 -
2318 - if (access_ok(VERIFY_READ, from, n))
2319 - return __copy_tofrom_user((__force void __user *)to, from, n);
2320 - if ((unsigned long)from < TASK_SIZE) {
2321 - over = (unsigned long)from + n - TASK_SIZE;
2322 - return __copy_tofrom_user((__force void __user *)to, from,
2323 - n - over) + over;
2324 - }
2325 - return n;
2326 -}
2327 -
2328 -static inline unsigned long copy_to_user(void __user *to,
2329 - const void *from, unsigned long n)
2330 -{
2331 - unsigned long over;
2332 -
2333 - if (access_ok(VERIFY_WRITE, to, n))
2334 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2335 - if ((unsigned long)to < TASK_SIZE) {
2336 - over = (unsigned long)to + n - TASK_SIZE;
2337 - return __copy_tofrom_user(to, (__force void __user *)from,
2338 - n - over) + over;
2339 - }
2340 - return n;
2341 -}
2342 -
2343 -#else /* __powerpc64__ */
2344 -
2345 -#define __copy_in_user(to, from, size) \
2346 - __copy_tofrom_user((to), (from), (size))
2347 -
2348 -extern unsigned long copy_from_user(void *to, const void __user *from,
2349 - unsigned long n);
2350 -extern unsigned long copy_to_user(void __user *to, const void *from,
2351 - unsigned long n);
2352 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2353 - unsigned long n);
2354 -
2355 -#endif /* __powerpc64__ */
2356 -
2357 static inline unsigned long __copy_from_user_inatomic(void *to,
2358 const void __user *from, unsigned long n)
2359 {
2360 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2361 if (ret == 0)
2362 return 0;
2363 }
2364 +
2365 + if (!__builtin_constant_p(n))
2366 + check_object_size(to, n, false);
2367 +
2368 return __copy_tofrom_user((__force void __user *)to, from, n);
2369 }
2370
2371 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2372 if (ret == 0)
2373 return 0;
2374 }
2375 +
2376 + if (!__builtin_constant_p(n))
2377 + check_object_size(from, n, true);
2378 +
2379 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2380 }
2381
2382 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2383 return __copy_to_user_inatomic(to, from, size);
2384 }
2385
2386 +#ifndef __powerpc64__
2387 +
2388 +static inline unsigned long __must_check copy_from_user(void *to,
2389 + const void __user *from, unsigned long n)
2390 +{
2391 + unsigned long over;
2392 +
2393 + if ((long)n < 0)
2394 + return n;
2395 +
2396 + if (access_ok(VERIFY_READ, from, n)) {
2397 + if (!__builtin_constant_p(n))
2398 + check_object_size(to, n, false);
2399 + return __copy_tofrom_user((__force void __user *)to, from, n);
2400 + }
2401 + if ((unsigned long)from < TASK_SIZE) {
2402 + over = (unsigned long)from + n - TASK_SIZE;
2403 + if (!__builtin_constant_p(n - over))
2404 + check_object_size(to, n - over, false);
2405 + return __copy_tofrom_user((__force void __user *)to, from,
2406 + n - over) + over;
2407 + }
2408 + return n;
2409 +}
2410 +
2411 +static inline unsigned long __must_check copy_to_user(void __user *to,
2412 + const void *from, unsigned long n)
2413 +{
2414 + unsigned long over;
2415 +
2416 + if ((long)n < 0)
2417 + return n;
2418 +
2419 + if (access_ok(VERIFY_WRITE, to, n)) {
2420 + if (!__builtin_constant_p(n))
2421 + check_object_size(from, n, true);
2422 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2423 + }
2424 + if ((unsigned long)to < TASK_SIZE) {
2425 + over = (unsigned long)to + n - TASK_SIZE;
2426 + if (!__builtin_constant_p(n))
2427 + check_object_size(from, n - over, true);
2428 + return __copy_tofrom_user(to, (__force void __user *)from,
2429 + n - over) + over;
2430 + }
2431 + return n;
2432 +}
2433 +
2434 +#else /* __powerpc64__ */
2435 +
2436 +#define __copy_in_user(to, from, size) \
2437 + __copy_tofrom_user((to), (from), (size))
2438 +
2439 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2440 +{
2441 + if ((long)n < 0 || n > INT_MAX)
2442 + return n;
2443 +
2444 + if (!__builtin_constant_p(n))
2445 + check_object_size(to, n, false);
2446 +
2447 + if (likely(access_ok(VERIFY_READ, from, n)))
2448 + n = __copy_from_user(to, from, n);
2449 + else
2450 + memset(to, 0, n);
2451 + return n;
2452 +}
2453 +
2454 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2455 +{
2456 + if ((long)n < 0 || n > INT_MAX)
2457 + return n;
2458 +
2459 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2460 + if (!__builtin_constant_p(n))
2461 + check_object_size(from, n, true);
2462 + n = __copy_to_user(to, from, n);
2463 + }
2464 + return n;
2465 +}
2466 +
2467 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2468 + unsigned long n);
2469 +
2470 +#endif /* __powerpc64__ */
2471 +
2472 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2473
2474 static inline unsigned long clear_user(void __user *addr, unsigned long size)
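Review bot: In the 32-bit `copy_to_user` truncation branch the guard tests `__builtin_constant_p(n)` while the length actually checked is `n - over`; the matching branch of `copy_from_user` tests `__builtin_constant_p(n - over)`, and the two should agree, e.g. `if (!__builtin_constant_p(n - over))` in both. Separately, the 32-bit `copy_from_user` returns without clearing `to` when `access_ok` fails, fully or for the trailing `over` bytes, whereas the 64-bit variant added here does `memset(to, 0, n)`. `__must_check` helps, but a caller that mishandles the return value would still consume uninitialised kernel memory, so zeroing the uncopied part on the 32-bit path would make the two variants consistent. A short comment in the 64-bit `copy_from_user` saying that `check_object_size` has to run before the `memset` fallback would explain why its placement differs from `copy_to_user`.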
2475 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.43/arch/powerpc/kernel/cacheinfo.c
2476 --- linux-2.6.32.43/arch/powerpc/kernel/cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
2477 +++ linux-2.6.32.43/arch/powerpc/kernel/cacheinfo.c 2011-04-17 15:56:45.000000000 -0400
2478 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2479 &cache_assoc_attr,
2480 };
2481
2482 -static struct sysfs_ops cache_index_ops = {
2483 +static const struct sysfs_ops cache_index_ops = {
2484 .show = cache_index_show,
2485 };
2486
2487 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/dma.c linux-2.6.32.43/arch/powerpc/kernel/dma.c
2488 --- linux-2.6.32.43/arch/powerpc/kernel/dma.c 2011-03-27 14:31:47.000000000 -0400
2489 +++ linux-2.6.32.43/arch/powerpc/kernel/dma.c 2011-04-17 15:56:45.000000000 -0400
2490 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2491 }
2492 #endif
2493
2494 -struct dma_map_ops dma_direct_ops = {
2495 +const struct dma_map_ops dma_direct_ops = {
2496 .alloc_coherent = dma_direct_alloc_coherent,
2497 .free_coherent = dma_direct_free_coherent,
2498 .map_sg = dma_direct_map_sg,
2499 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.43/arch/powerpc/kernel/dma-iommu.c
2500 --- linux-2.6.32.43/arch/powerpc/kernel/dma-iommu.c 2011-03-27 14:31:47.000000000 -0400
2501 +++ linux-2.6.32.43/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:56:45.000000000 -0400
2502 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2503 }
2504
2505 /* We support DMA to/from any memory page via the iommu */
2506 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2507 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2508 {
2509 struct iommu_table *tbl = get_iommu_table_base(dev);
2510
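Review bot: Dropping `static` from `dma_iommu_dma_supported` makes it a global symbol, but no prototype for it is visible in this chunk, and the vio.c hunk that places it in the `vio_dma_mapping_ops` initializer needs one in scope. If it is not already declared in a shared powerpc DMA header elsewhere in the patch, add `extern int dma_iommu_dma_supported(struct device *dev, u64 mask);` there rather than in vio.c, so the definition and its user are checked against the same declaration. The function body continues outside the hunk.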
2511 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.43/arch/powerpc/kernel/dma-swiotlb.c
2512 --- linux-2.6.32.43/arch/powerpc/kernel/dma-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
2513 +++ linux-2.6.32.43/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
2514 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2515 * map_page, and unmap_page on highmem, use normal dma_ops
2516 * for everything else.
2517 */
2518 -struct dma_map_ops swiotlb_dma_ops = {
2519 +const struct dma_map_ops swiotlb_dma_ops = {
2520 .alloc_coherent = dma_direct_alloc_coherent,
2521 .free_coherent = dma_direct_free_coherent,
2522 .map_sg = swiotlb_map_sg_attrs,
2523 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.43/arch/powerpc/kernel/exceptions-64e.S
2524 --- linux-2.6.32.43/arch/powerpc/kernel/exceptions-64e.S 2011-03-27 14:31:47.000000000 -0400
2525 +++ linux-2.6.32.43/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:56:45.000000000 -0400
2526 @@ -455,6 +455,7 @@ storage_fault_common:
2527 std r14,_DAR(r1)
2528 std r15,_DSISR(r1)
2529 addi r3,r1,STACK_FRAME_OVERHEAD
2530 + bl .save_nvgprs
2531 mr r4,r14
2532 mr r5,r15
2533 ld r14,PACA_EXGEN+EX_R14(r13)
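Review bot: `bl .save_nvgprs` is now issued while r14 and r15 still hold the DAR and DSISR values: they were just stored with `std r14,_DAR(r1)` and `std r15,_DSISR(r1)`, and r14 is only reloaded from `PACA_EXGEN` two lines later. Assuming save_nvgprs stores r14–r31 into the frame, the saved r14/r15 would then be the fault address and status rather than the interrupted context's registers; in the old position at label `1:` the reload had already happened. Moving the call below the `ld r14,PACA_EXGEN+EX_R14(r13)` reload (and the r15 reload that presumably follows outside the hunk) would keep the saved frame consistent, provided r3–r5 survive the call, which should be confirmed against save_nvgprs. A one-line comment on why the non-volatile registers are saved before the fault handler would also help, since the save now happens on the successful path too.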
2534 @@ -464,8 +465,7 @@ storage_fault_common:
2535 cmpdi r3,0
2536 bne- 1f
2537 b .ret_from_except_lite
2538 -1: bl .save_nvgprs
2539 - mr r5,r3
2540 +1: mr r5,r3
2541 addi r3,r1,STACK_FRAME_OVERHEAD
2542 ld r4,_DAR(r1)
2543 bl .bad_page_fault
2544 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.43/arch/powerpc/kernel/exceptions-64s.S
2545 --- linux-2.6.32.43/arch/powerpc/kernel/exceptions-64s.S 2011-03-27 14:31:47.000000000 -0400
2546 +++ linux-2.6.32.43/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:56:45.000000000 -0400
2547 @@ -818,10 +818,10 @@ handle_page_fault:
2548 11: ld r4,_DAR(r1)
2549 ld r5,_DSISR(r1)
2550 addi r3,r1,STACK_FRAME_OVERHEAD
2551 + bl .save_nvgprs
2552 bl .do_page_fault
2553 cmpdi r3,0
2554 beq+ 13f
2555 - bl .save_nvgprs
2556 mr r5,r3
2557 addi r3,r1,STACK_FRAME_OVERHEAD
2558 lwz r4,_DAR(r1)
2559 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/ibmebus.c linux-2.6.32.43/arch/powerpc/kernel/ibmebus.c
2560 --- linux-2.6.32.43/arch/powerpc/kernel/ibmebus.c 2011-03-27 14:31:47.000000000 -0400
2561 +++ linux-2.6.32.43/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:56:45.000000000 -0400
2562 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2563 return 1;
2564 }
2565
2566 -static struct dma_map_ops ibmebus_dma_ops = {
2567 +static const struct dma_map_ops ibmebus_dma_ops = {
2568 .alloc_coherent = ibmebus_alloc_coherent,
2569 .free_coherent = ibmebus_free_coherent,
2570 .map_sg = ibmebus_map_sg,
2571 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/kgdb.c linux-2.6.32.43/arch/powerpc/kernel/kgdb.c
2572 --- linux-2.6.32.43/arch/powerpc/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
2573 +++ linux-2.6.32.43/arch/powerpc/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
2574 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2575 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2576 return 0;
2577
2578 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2579 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2580 regs->nip += 4;
2581
2582 return 1;
2583 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2584 /*
2585 * Global data
2586 */
2587 -struct kgdb_arch arch_kgdb_ops = {
2588 +const struct kgdb_arch arch_kgdb_ops = {
2589 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2590 };
2591
2592 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/module_32.c linux-2.6.32.43/arch/powerpc/kernel/module_32.c
2593 --- linux-2.6.32.43/arch/powerpc/kernel/module_32.c 2011-03-27 14:31:47.000000000 -0400
2594 +++ linux-2.6.32.43/arch/powerpc/kernel/module_32.c 2011-04-17 15:56:45.000000000 -0400
2595 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2596 me->arch.core_plt_section = i;
2597 }
2598 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2599 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2600 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2601 return -ENOEXEC;
2602 }
2603
2604 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2605
2606 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2607 /* Init, or core PLT? */
2608 - if (location >= mod->module_core
2609 - && location < mod->module_core + mod->core_size)
2610 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2611 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2612 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2613 - else
2614 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2615 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2616 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2617 + else {
2618 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2619 + return ~0UL;
2620 + }
2621
2622 /* Find this entry, or if that fails, the next avail. entry */
2623 while (entry->jump[0]) {
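Review bot: The new `else` branch returns `~0UL` from `do_plt_call`, whose return type is `uint32_t`, so the caller receives `0xffffffff`. The call site is outside the hunk; unless it tests for that value, the relocation would be applied with a bogus target instead of failing the module load. The caller should check for the sentinel and return `-ENOEXEC`, the sentinel should be documented in a comment on `do_plt_call`, and `return (uint32_t)~0;` would make the truncation explicit. The `printk` changed in the first hunk of this file still has no log level; `KERN_ERR`, as used here, would match.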
2624 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/module.c linux-2.6.32.43/arch/powerpc/kernel/module.c
2625 --- linux-2.6.32.43/arch/powerpc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
2626 +++ linux-2.6.32.43/arch/powerpc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
2627 @@ -31,11 +31,24 @@
2628
2629 LIST_HEAD(module_bug_list);
2630
2631 +#ifdef CONFIG_PAX_KERNEXEC
2632 void *module_alloc(unsigned long size)
2633 {
2634 if (size == 0)
2635 return NULL;
2636
2637 + return vmalloc(size);
2638 +}
2639 +
2640 +void *module_alloc_exec(unsigned long size)
2641 +#else
2642 +void *module_alloc(unsigned long size)
2643 +#endif
2644 +
2645 +{
2646 + if (size == 0)
2647 + return NULL;
2648 +
2649 return vmalloc_exec(size);
2650 }
2651
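Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block ends by splicing one of two function heads (`module_alloc_exec` or `module_alloc`) onto the shared body that follows `#endif`, which is easy to misread and confuses tools that match function boundaries. A comment above the block would state the intent: `/* KERNEXEC: module_alloc() returns non-executable memory, module_alloc_exec() returns executable memory */`. Alternatively, put the `vmalloc_exec` body in a `static` helper and give each name a complete definition that calls it, so no definition is split across preprocessor branches.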
2652 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2653 vfree(module_region);
2654 }
2655
2656 +#ifdef CONFIG_PAX_KERNEXEC
2657 +void module_free_exec(struct module *mod, void *module_region)
2658 +{
2659 + module_free(mod, module_region);
2660 +}
2661 +#endif
2662 +
2663 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2664 const Elf_Shdr *sechdrs,
2665 const char *name)
2666 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/pci-common.c linux-2.6.32.43/arch/powerpc/kernel/pci-common.c
2667 --- linux-2.6.32.43/arch/powerpc/kernel/pci-common.c 2011-03-27 14:31:47.000000000 -0400
2668 +++ linux-2.6.32.43/arch/powerpc/kernel/pci-common.c 2011-04-17 15:56:45.000000000 -0400
2669 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2670 unsigned int ppc_pci_flags = 0;
2671
2672
2673 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2674 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2675
2676 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2677 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2678 {
2679 pci_dma_ops = dma_ops;
2680 }
2681
2682 -struct dma_map_ops *get_pci_dma_ops(void)
2683 +const struct dma_map_ops *get_pci_dma_ops(void)
2684 {
2685 return pci_dma_ops;
2686 }
2687 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/process.c linux-2.6.32.43/arch/powerpc/kernel/process.c
2688 --- linux-2.6.32.43/arch/powerpc/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
2689 +++ linux-2.6.32.43/arch/powerpc/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
2690 @@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2691 * Lookup NIP late so we have the best change of getting the
2692 * above info out without failing
2693 */
2694 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2695 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2696 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2697 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2698 #endif
2699 show_stack(current, (unsigned long *) regs->gpr[1]);
2700 if (!user_mode(regs))
2701 @@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2702 newsp = stack[0];
2703 ip = stack[STACK_FRAME_LR_SAVE];
2704 if (!firstframe || ip != lr) {
2705 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2706 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2707 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2708 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2709 - printk(" (%pS)",
2710 + printk(" (%pA)",
2711 (void *)current->ret_stack[curr_frame].ret);
2712 curr_frame--;
2713 }
2714 @@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2715 struct pt_regs *regs = (struct pt_regs *)
2716 (sp + STACK_FRAME_OVERHEAD);
2717 lr = regs->link;
2718 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2719 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2720 regs->trap, (void *)regs->nip, (void *)lr);
2721 firstframe = 1;
2722 }
2723 @@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2724 }
2725
2726 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2727 -
2728 -unsigned long arch_align_stack(unsigned long sp)
2729 -{
2730 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2731 - sp -= get_random_int() & ~PAGE_MASK;
2732 - return sp & ~0xf;
2733 -}
2734 -
2735 -static inline unsigned long brk_rnd(void)
2736 -{
2737 - unsigned long rnd = 0;
2738 -
2739 - /* 8MB for 32bit, 1GB for 64bit */
2740 - if (is_32bit_task())
2741 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2742 - else
2743 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2744 -
2745 - return rnd << PAGE_SHIFT;
2746 -}
2747 -
2748 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2749 -{
2750 - unsigned long base = mm->brk;
2751 - unsigned long ret;
2752 -
2753 -#ifdef CONFIG_PPC_STD_MMU_64
2754 - /*
2755 - * If we are using 1TB segments and we are allowed to randomise
2756 - * the heap, we can put it above 1TB so it is backed by a 1TB
2757 - * segment. Otherwise the heap will be in the bottom 1TB
2758 - * which always uses 256MB segments and this may result in a
2759 - * performance penalty.
2760 - */
2761 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2762 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2763 -#endif
2764 -
2765 - ret = PAGE_ALIGN(base + brk_rnd());
2766 -
2767 - if (ret < mm->brk)
2768 - return mm->brk;
2769 -
2770 - return ret;
2771 -}
2772 -
2773 -unsigned long randomize_et_dyn(unsigned long base)
2774 -{
2775 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2776 -
2777 - if (ret < base)
2778 - return base;
2779 -
2780 - return ret;
2781 -}
2782 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/signal_32.c linux-2.6.32.43/arch/powerpc/kernel/signal_32.c
2783 --- linux-2.6.32.43/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400
2784 +++ linux-2.6.32.43/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400
2785 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2786 /* Save user registers on the stack */
2787 frame = &rt_sf->uc.uc_mcontext;
2788 addr = frame;
2789 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2790 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2791 if (save_user_regs(regs, frame, 0, 1))
2792 goto badframe;
2793 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
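Review bot: The "no vDSO" sentinel for `context.vdso_base` changes from 0 to `~0UL` and is spelled as a bare literal here, in the signal_64.c hunk, and in the vdso.c hunk that sets it. Any reader of `vdso_base` not touched by this patch that still tests for zero would now treat an unmapped vDSO as present and build a return address from `~0UL` plus an offset; this chunk does not show whether every reader was converted. A named constant next to the field definition, for example `#define VDSO_BASE_NONE (~0UL)` (name illustrative), used at all three sites, would make any remaining zero tests easy to find. The enclosing function continues outside the hunk.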
2794 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/signal_64.c linux-2.6.32.43/arch/powerpc/kernel/signal_64.c
2795 --- linux-2.6.32.43/arch/powerpc/kernel/signal_64.c 2011-03-27 14:31:47.000000000 -0400
2796 +++ linux-2.6.32.43/arch/powerpc/kernel/signal_64.c 2011-04-17 15:56:45.000000000 -0400
2797 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2798 current->thread.fpscr.val = 0;
2799
2800 /* Set up to return from userspace. */
2801 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2802 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2803 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2804 } else {
2805 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2806 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.43/arch/powerpc/kernel/sys_ppc32.c
2807 --- linux-2.6.32.43/arch/powerpc/kernel/sys_ppc32.c 2011-03-27 14:31:47.000000000 -0400
2808 +++ linux-2.6.32.43/arch/powerpc/kernel/sys_ppc32.c 2011-04-17 15:56:45.000000000 -0400
2809 @@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2810 if (oldlenp) {
2811 if (!error) {
2812 if (get_user(oldlen, oldlenp) ||
2813 - put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2814 + put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2815 + copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2816 error = -EFAULT;
2817 }
2818 - copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2819 }
2820 return error;
2821 }
2822 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/traps.c linux-2.6.32.43/arch/powerpc/kernel/traps.c
2823 --- linux-2.6.32.43/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
2824 +++ linux-2.6.32.43/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
2825 @@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2826 static inline void pmac_backlight_unblank(void) { }
2827 #endif
2828
2829 +extern void gr_handle_kernel_exploit(void);
2830 +
2831 int die(const char *str, struct pt_regs *regs, long err)
2832 {
2833 static struct {
2834 @@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2835 if (panic_on_oops)
2836 panic("Fatal exception");
2837
2838 + gr_handle_kernel_exploit();
2839 +
2840 oops_exit();
2841 do_exit(err);
2842
2843 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/vdso.c linux-2.6.32.43/arch/powerpc/kernel/vdso.c
2844 --- linux-2.6.32.43/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
2845 +++ linux-2.6.32.43/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
2846 @@ -36,6 +36,7 @@
2847 #include <asm/firmware.h>
2848 #include <asm/vdso.h>
2849 #include <asm/vdso_datapage.h>
2850 +#include <asm/mman.h>
2851
2852 #include "setup.h"
2853
2854 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2855 vdso_base = VDSO32_MBASE;
2856 #endif
2857
2858 - current->mm->context.vdso_base = 0;
2859 + current->mm->context.vdso_base = ~0UL;
2860
2861 /* vDSO has a problem and was disabled, just don't "enable" it for the
2862 * process
2863 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2864 vdso_base = get_unmapped_area(NULL, vdso_base,
2865 (vdso_pages << PAGE_SHIFT) +
2866 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2867 - 0, 0);
2868 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2869 if (IS_ERR_VALUE(vdso_base)) {
2870 rc = vdso_base;
2871 goto fail_mmapsem;
2872 diff -urNp linux-2.6.32.43/arch/powerpc/kernel/vio.c linux-2.6.32.43/arch/powerpc/kernel/vio.c
2873 --- linux-2.6.32.43/arch/powerpc/kernel/vio.c 2011-03-27 14:31:47.000000000 -0400
2874 +++ linux-2.6.32.43/arch/powerpc/kernel/vio.c 2011-04-17 15:56:45.000000000 -0400
2875 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2876 vio_cmo_dealloc(viodev, alloc_size);
2877 }
2878
2879 -struct dma_map_ops vio_dma_mapping_ops = {
2880 +static const struct dma_map_ops vio_dma_mapping_ops = {
2881 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2882 .free_coherent = vio_dma_iommu_free_coherent,
2883 .map_sg = vio_dma_iommu_map_sg,
2884 .unmap_sg = vio_dma_iommu_unmap_sg,
2885 + .dma_supported = dma_iommu_dma_supported,
2886 .map_page = vio_dma_iommu_map_page,
2887 .unmap_page = vio_dma_iommu_unmap_page,
2888
2889 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2890
2891 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2892 {
2893 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2894 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2895 }
2896
2897 diff -urNp linux-2.6.32.43/arch/powerpc/lib/usercopy_64.c linux-2.6.32.43/arch/powerpc/lib/usercopy_64.c
2898 --- linux-2.6.32.43/arch/powerpc/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
2899 +++ linux-2.6.32.43/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:56:45.000000000 -0400
2900 @@ -9,22 +9,6 @@
2901 #include <linux/module.h>
2902 #include <asm/uaccess.h>
2903
2904 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2905 -{
2906 - if (likely(access_ok(VERIFY_READ, from, n)))
2907 - n = __copy_from_user(to, from, n);
2908 - else
2909 - memset(to, 0, n);
2910 - return n;
2911 -}
2912 -
2913 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2914 -{
2915 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2916 - n = __copy_to_user(to, from, n);
2917 - return n;
2918 -}
2919 -
2920 unsigned long copy_in_user(void __user *to, const void __user *from,
2921 unsigned long n)
2922 {
2923 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2924 return n;
2925 }
2926
2927 -EXPORT_SYMBOL(copy_from_user);
2928 -EXPORT_SYMBOL(copy_to_user);
2929 EXPORT_SYMBOL(copy_in_user);
2930
2931 diff -urNp linux-2.6.32.43/arch/powerpc/mm/fault.c linux-2.6.32.43/arch/powerpc/mm/fault.c
2932 --- linux-2.6.32.43/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2933 +++ linux-2.6.32.43/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2934 @@ -30,6 +30,10 @@
2935 #include <linux/kprobes.h>
2936 #include <linux/kdebug.h>
2937 #include <linux/perf_event.h>
2938 +#include <linux/slab.h>
2939 +#include <linux/pagemap.h>
2940 +#include <linux/compiler.h>
2941 +#include <linux/unistd.h>
2942
2943 #include <asm/firmware.h>
2944 #include <asm/page.h>
2945 @@ -40,6 +44,7 @@
2946 #include <asm/uaccess.h>
2947 #include <asm/tlbflush.h>
2948 #include <asm/siginfo.h>
2949 +#include <asm/ptrace.h>
2950
2951
2952 #ifdef CONFIG_KPROBES
2953 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2954 }
2955 #endif
2956
2957 +#ifdef CONFIG_PAX_PAGEEXEC
2958 +/*
2959 + * PaX: decide what to do with offenders (regs->nip = fault address)
2960 + *
2961 + * returns 1 when task should be killed
2962 + */
2963 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2964 +{
2965 + return 1;
2966 +}
2967 +
2968 +void pax_report_insns(void *pc, void *sp)
2969 +{
2970 + unsigned long i;
2971 +
2972 + printk(KERN_ERR "PAX: bytes at PC: ");
2973 + for (i = 0; i < 5; i++) {
2974 + unsigned int c;
2975 + if (get_user(c, (unsigned int __user *)pc+i))
2976 + printk(KERN_CONT "???????? ");
2977 + else
2978 + printk(KERN_CONT "%08x ", c);
2979 + }
2980 + printk("\n");
2981 +}
2982 +#endif
2983 +
2984 /*
2985 * Check whether the instruction at regs->nip is a store using
2986 * an update addressing form which will update r1.
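Review bot: `pax_report_insns` never uses its `sp` parameter, and the closing `printk("\n")` has no `KERN_CONT`, unlike the per-word prints before it, so the newline may be emitted as a separate record at the default level. I would write `printk(KERN_CONT "\n");` and either drop `sp` or note in a comment that the signature is fixed by a caller elsewhere. The comment on `pax_handle_fetch_fault` promises a decision, but the body is a stub; `/* always returns 1 on this architecture */` inside it would say so.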
2987 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2988 * indicate errors in DSISR but can validly be set in SRR1.
2989 */
2990 if (trap == 0x400)
2991 - error_code &= 0x48200000;
2992 + error_code &= 0x58200000;
2993 else
2994 is_write = error_code & DSISR_ISSTORE;
2995 #else
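Review bot: The instruction-fault mask changes from `0x48200000` to `0x58200000`, so it now also keeps bit `0x10000000`, which a later hunk in this file spells `DSISR_GUARDED`. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` (assuming the constant has that value, as the replacement in the `CONFIG_8xx` hunk suggests) would show which bit was added. The comment above the mask, partly outside the hunk, should mention that the guarded bit is now preserved because the PAGEEXEC check in `bad_area_nosemaphore` tests it.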
2996 @@ -250,7 +282,7 @@ good_area:
2997 * "undefined". Of those that can be set, this is the only
2998 * one which seems bad.
2999 */
3000 - if (error_code & 0x10000000)
3001 + if (error_code & DSISR_GUARDED)
3002 /* Guarded storage error. */
3003 goto bad_area;
3004 #endif /* CONFIG_8xx */
3005 @@ -265,7 +297,7 @@ good_area:
3006 * processors use the same I/D cache coherency mechanism
3007 * as embedded.
3008 */
3009 - if (error_code & DSISR_PROTFAULT)
3010 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3011 goto bad_area;
3012 #endif /* CONFIG_PPC_STD_MMU */
3013
3014 @@ -335,6 +367,23 @@ bad_area:
3015 bad_area_nosemaphore:
3016 /* User mode accesses cause a SIGSEGV */
3017 if (user_mode(regs)) {
3018 +
3019 +#ifdef CONFIG_PAX_PAGEEXEC
3020 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3021 +#ifdef CONFIG_PPC_STD_MMU
3022 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3023 +#else
3024 + if (is_exec && regs->nip == address) {
3025 +#endif
3026 + switch (pax_handle_fetch_fault(regs)) {
3027 + }
3028 +
3029 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3030 + do_group_exit(SIGKILL);
3031 + }
3032 + }
3033 +#endif
3034 +
3035 _exception(SIGSEGV, regs, code, address);
3036 return 0;
3037 }
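Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and the task is killed unconditionally, although the helper is documented as returning 1 when the task should be killed. Either make the kill conditional with `if (pax_handle_fetch_fault(regs) == 1) {`, or call it as `(void)pax_handle_fetch_fault(regs);` with a comment that every outcome is fatal here. The opening `if (is_exec && ...) {` is also selected by `#ifdef CONFIG_PPC_STD_MMU` with one shared closing brace, which is fragile. Computing the condition into a local variable inside the `#ifdef` and testing it once would keep the braces in a single place.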
3038 diff -urNp linux-2.6.32.43/arch/powerpc/mm/mmap_64.c linux-2.6.32.43/arch/powerpc/mm/mmap_64.c
3039 --- linux-2.6.32.43/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400
3040 +++ linux-2.6.32.43/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400
3041 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3042 */
3043 if (mmap_is_legacy()) {
3044 mm->mmap_base = TASK_UNMAPPED_BASE;
3045 +
3046 +#ifdef CONFIG_PAX_RANDMMAP
3047 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3048 + mm->mmap_base += mm->delta_mmap;
3049 +#endif
3050 +
3051 mm->get_unmapped_area = arch_get_unmapped_area;
3052 mm->unmap_area = arch_unmap_area;
3053 } else {
3054 mm->mmap_base = mmap_base();
3055 +
3056 +#ifdef CONFIG_PAX_RANDMMAP
3057 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3058 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3059 +#endif
3060 +
3061 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3062 mm->unmap_area = arch_unmap_area_topdown;
3063 }
3064 diff -urNp linux-2.6.32.43/arch/powerpc/mm/slice.c linux-2.6.32.43/arch/powerpc/mm/slice.c
3065 --- linux-2.6.32.43/arch/powerpc/mm/slice.c 2011-03-27 14:31:47.000000000 -0400
3066 +++ linux-2.6.32.43/arch/powerpc/mm/slice.c 2011-04-17 15:56:45.000000000 -0400
3067 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3068 if ((mm->task_size - len) < addr)
3069 return 0;
3070 vma = find_vma(mm, addr);
3071 - return (!vma || (addr + len) <= vma->vm_start);
3072 + return check_heap_stack_gap(vma, addr, len);
3073 }
3074
3075 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3076 @@ -256,7 +256,7 @@ full_search:
3077 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3078 continue;
3079 }
3080 - if (!vma || addr + len <= vma->vm_start) {
3081 + if (check_heap_stack_gap(vma, addr, len)) {
3082 /*
3083 * Remember the place where we stopped the search:
3084 */
3085 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3086 }
3087 }
3088
3089 - addr = mm->mmap_base;
3090 - while (addr > len) {
3091 + if (mm->mmap_base < len)
3092 + addr = -ENOMEM;
3093 + else
3094 + addr = mm->mmap_base - len;
3095 +
3096 + while (!IS_ERR_VALUE(addr)) {
3097 /* Go down by chunk size */
3098 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3099 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3100
3101 /* Check for hit with different page size */
3102 mask = slice_range_to_mask(addr, len);
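Review bot: The top-down loop no longer subtracts `len` at the start of each iteration, and `addr = _ALIGN_DOWN(addr, 1ul << pshift)` leaves an already aligned `addr` unchanged. Any path in the loop body that `continue`s without lowering `addr` would therefore retry the same address and not terminate; the slice-fit check that follows `slice_range_to_mask`, outside this hunk, looks like such a path and should be confirmed. Termination also now depends on `skip_heap_stack_gap` in the later hunk returning an error value once there is no room below the vma, and its definition is not visible here. I would lower `addr` explicitly on every retry path, with the same `addr < len` underflow test this hunk applies to `mm->mmap_base`, and add a comment that `addr` is the candidate start address rather than the upper bound it was before.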
3103 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3104 * return with success:
3105 */
3106 vma = find_vma(mm, addr);
3107 - if (!vma || (addr + len) <= vma->vm_start) {
3108 + if (check_heap_stack_gap(vma, addr, len)) {
3109 /* remember the address as a hint for next time */
3110 if (use_cache)
3111 mm->free_area_cache = addr;
3112 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3113 mm->cached_hole_size = vma->vm_start - addr;
3114
3115 /* try just below the current vma->vm_start */
3116 - addr = vma->vm_start;
3117 + addr = skip_heap_stack_gap(vma, len);
3118 }
3119
3120 /*
3121 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3122 if (fixed && addr > (mm->task_size - len))
3123 return -EINVAL;
3124
3125 +#ifdef CONFIG_PAX_RANDMMAP
3126 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3127 + addr = 0;
3128 +#endif
3129 +
3130 /* If hint, make sure it matches our alignment restrictions */
3131 if (!fixed && addr) {
3132 addr = _ALIGN_UP(addr, 1ul << pshift);
3133 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.43/arch/powerpc/platforms/52xx/lite5200_pm.c
3134 --- linux-2.6.32.43/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-03-27 14:31:47.000000000 -0400
3135 +++ linux-2.6.32.43/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-04-17 15:56:45.000000000 -0400
3136 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3137 lite5200_pm_target_state = PM_SUSPEND_ON;
3138 }
3139
3140 -static struct platform_suspend_ops lite5200_pm_ops = {
3141 +static const struct platform_suspend_ops lite5200_pm_ops = {
3142 .valid = lite5200_pm_valid,
3143 .begin = lite5200_pm_begin,
3144 .prepare = lite5200_pm_prepare,
3145 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.43/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3146 --- linux-2.6.32.43/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-03-27 14:31:47.000000000 -0400
3147 +++ linux-2.6.32.43/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-04-17 15:56:45.000000000 -0400
3148 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3149 iounmap(mbar);
3150 }
3151
3152 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3153 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3154 .valid = mpc52xx_pm_valid,
3155 .prepare = mpc52xx_pm_prepare,
3156 .enter = mpc52xx_pm_enter,
3157 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.43/arch/powerpc/platforms/83xx/suspend.c
3158 --- linux-2.6.32.43/arch/powerpc/platforms/83xx/suspend.c 2011-03-27 14:31:47.000000000 -0400
3159 +++ linux-2.6.32.43/arch/powerpc/platforms/83xx/suspend.c 2011-04-17 15:56:45.000000000 -0400
3160 @@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3161 return ret;
3162 }
3163
3164 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3165 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3166 .valid = mpc83xx_suspend_valid,
3167 .begin = mpc83xx_suspend_begin,
3168 .enter = mpc83xx_suspend_enter,
3169 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.43/arch/powerpc/platforms/cell/iommu.c
3170 --- linux-2.6.32.43/arch/powerpc/platforms/cell/iommu.c 2011-03-27 14:31:47.000000000 -0400
3171 +++ linux-2.6.32.43/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:56:45.000000000 -0400
3172 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3173
3174 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3175
3176 -struct dma_map_ops dma_iommu_fixed_ops = {
3177 +const struct dma_map_ops dma_iommu_fixed_ops = {
3178 .alloc_coherent = dma_fixed_alloc_coherent,
3179 .free_coherent = dma_fixed_free_coherent,
3180 .map_sg = dma_fixed_map_sg,
3181 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.43/arch/powerpc/platforms/ps3/system-bus.c
3182 --- linux-2.6.32.43/arch/powerpc/platforms/ps3/system-bus.c 2011-03-27 14:31:47.000000000 -0400
3183 +++ linux-2.6.32.43/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:56:45.000000000 -0400
3184 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3185 return mask >= DMA_BIT_MASK(32);
3186 }
3187
3188 -static struct dma_map_ops ps3_sb_dma_ops = {
3189 +static const struct dma_map_ops ps3_sb_dma_ops = {
3190 .alloc_coherent = ps3_alloc_coherent,
3191 .free_coherent = ps3_free_coherent,
3192 .map_sg = ps3_sb_map_sg,
3193 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3194 .unmap_page = ps3_unmap_page,
3195 };
3196
3197 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3198 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3199 .alloc_coherent = ps3_alloc_coherent,
3200 .free_coherent = ps3_free_coherent,
3201 .map_sg = ps3_ioc0_map_sg,
3202 diff -urNp linux-2.6.32.43/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.43/arch/powerpc/platforms/pseries/Kconfig
3203 --- linux-2.6.32.43/arch/powerpc/platforms/pseries/Kconfig 2011-03-27 14:31:47.000000000 -0400
3204 +++ linux-2.6.32.43/arch/powerpc/platforms/pseries/Kconfig 2011-04-17 15:56:45.000000000 -0400
3205 @@ -2,6 +2,8 @@ config PPC_PSERIES
3206 depends on PPC64 && PPC_BOOK3S
3207 bool "IBM pSeries & new (POWER5-based) iSeries"
3208 select MPIC
3209 + select PCI_MSI
3210 + select XICS
3211 select PPC_I8259
3212 select PPC_RTAS
3213 select RTAS_ERROR_LOGGING
3214 diff -urNp linux-2.6.32.43/arch/s390/include/asm/elf.h linux-2.6.32.43/arch/s390/include/asm/elf.h
3215 --- linux-2.6.32.43/arch/s390/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3216 +++ linux-2.6.32.43/arch/s390/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
3217 @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3218 that it will "exec", and that there is sufficient room for the brk. */
3219 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3220
3221 +#ifdef CONFIG_PAX_ASLR
3222 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3223 +
3224 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3225 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3226 +#endif
3227 +
3228 /* This yields a mask that user programs can use to figure out what
3229 instruction set this CPU supports. */
3230
3231 diff -urNp linux-2.6.32.43/arch/s390/include/asm/setup.h linux-2.6.32.43/arch/s390/include/asm/setup.h
3232 --- linux-2.6.32.43/arch/s390/include/asm/setup.h 2011-03-27 14:31:47.000000000 -0400
3233 +++ linux-2.6.32.43/arch/s390/include/asm/setup.h 2011-04-17 15:56:45.000000000 -0400
3234 @@ -50,13 +50,13 @@ extern unsigned long memory_end;
3235 void detect_memory_layout(struct mem_chunk chunk[]);
3236
3237 #ifdef CONFIG_S390_SWITCH_AMODE
3238 -extern unsigned int switch_amode;
3239 +#define switch_amode (1)
3240 #else
3241 #define switch_amode (0)
3242 #endif
3243
3244 #ifdef CONFIG_S390_EXEC_PROTECT
3245 -extern unsigned int s390_noexec;
3246 +#define s390_noexec (1)
3247 #else
3248 #define s390_noexec (0)
3249 #endif
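Review bot: `#define switch_amode (1)` and `#define s390_noexec (1)` turn what used to be variables into lowercase object-like macros, so any remaining declaration, assignment or address-of use of those names elsewhere in the tree stops compiling, and the setting can no longer be changed at boot. The Kconfig help in this same patch still warns about reduced performance on machines earlier than IBM System z9-109 EC/BC, so I would add a comment here such as `/* fixed at build time: execute protection can no longer be switched off from the kernel command line */`. It is worth confirming that nothing outside the visible hunks still writes to either name.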
3250 diff -urNp linux-2.6.32.43/arch/s390/include/asm/uaccess.h linux-2.6.32.43/arch/s390/include/asm/uaccess.h
3251 --- linux-2.6.32.43/arch/s390/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3252 +++ linux-2.6.32.43/arch/s390/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
3253 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
3254 copy_to_user(void __user *to, const void *from, unsigned long n)
3255 {
3256 might_fault();
3257 +
3258 + if ((long)n < 0)
3259 + return n;
3260 +
3261 if (access_ok(VERIFY_WRITE, to, n))
3262 n = __copy_to_user(to, from, n);
3263 return n;
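Review bot: The added `if ((long)n < 0) return n;` guard in copy_to_user carries no comment saying what it defends against, and the same lines are repeated in the __copy_from_user and copy_from_user hunks below. I would put `/* a length with the sign bit set is almost certainly a negative value converted to unsigned long: copy nothing and report all n bytes as uncopied */` above each check, or fold the test into one small static inline helper. In copy_from_user the early return also bypasses whatever the `else` branch after access_ok() does with the destination buffer; that looks intentional for a bogus length but deserves a mention in the comment. copy_from_user then calls __copy_from_user, which repeats the test, so one of the two is redundant on that path. The function bodies continue outside these hunks.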
3264 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3265 static inline unsigned long __must_check
3266 __copy_from_user(void *to, const void __user *from, unsigned long n)
3267 {
3268 + if ((long)n < 0)
3269 + return n;
3270 +
3271 if (__builtin_constant_p(n) && (n <= 256))
3272 return uaccess.copy_from_user_small(n, from, to);
3273 else
3274 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
3275 copy_from_user(void *to, const void __user *from, unsigned long n)
3276 {
3277 might_fault();
3278 +
3279 + if ((long)n < 0)
3280 + return n;
3281 +
3282 if (access_ok(VERIFY_READ, from, n))
3283 n = __copy_from_user(to, from, n);
3284 else
3285 diff -urNp linux-2.6.32.43/arch/s390/Kconfig linux-2.6.32.43/arch/s390/Kconfig
3286 --- linux-2.6.32.43/arch/s390/Kconfig 2011-03-27 14:31:47.000000000 -0400
3287 +++ linux-2.6.32.43/arch/s390/Kconfig 2011-04-17 15:56:45.000000000 -0400
3288 @@ -194,28 +194,26 @@ config AUDIT_ARCH
3289
3290 config S390_SWITCH_AMODE
3291 bool "Switch kernel/user addressing modes"
3292 + default y
3293 help
3294 This option allows to switch the addressing modes of kernel and user
3295 - space. The kernel parameter switch_amode=on will enable this feature,
3296 - default is disabled. Enabling this (via kernel parameter) on machines
3297 - earlier than IBM System z9-109 EC/BC will reduce system performance.
3298 + space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3299 + will reduce system performance.
3300
3301 Note that this option will also be selected by selecting the execute
3302 - protection option below. Enabling the execute protection via the
3303 - noexec kernel parameter will also switch the addressing modes,
3304 - independent of the switch_amode kernel parameter.
3305 + protection option below. Enabling the execute protection will also
3306 + switch the addressing modes, independent of this option.
3307
3308
3309 config S390_EXEC_PROTECT
3310 bool "Data execute protection"
3311 + default y
3312 select S390_SWITCH_AMODE
3313 help
3314 This option allows to enable a buffer overflow protection for user
3315 space programs and it also selects the addressing mode option above.
3316 - The kernel parameter noexec=on will enable this feature and also
3317 - switch the addressing modes, default is disabled. Enabling this (via
3318 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3319 - will reduce system performance.
3320 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3321 + reduce system performance.
3322
3323 comment "Code generation options"
3324
3325 diff -urNp linux-2.6.32.43/arch/s390/kernel/module.c linux-2.6.32.43/arch/s390/kernel/module.c
3326 --- linux-2.6.32.43/arch/s390/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
3327 +++ linux-2.6.32.43/arch/s390/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
3328 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3329
3330 /* Increase core size by size of got & plt and set start
3331 offsets for got and plt. */
3332 - me->core_size = ALIGN(me->core_size, 4);
3333 - me->arch.got_offset = me->core_size;
3334 - me->core_size += me->arch.got_size;
3335 - me->arch.plt_offset = me->core_size;
3336 - me->core_size += me->arch.plt_size;
3337 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3338 + me->arch.got_offset = me->core_size_rw;
3339 + me->core_size_rw += me->arch.got_size;
3340 + me->arch.plt_offset = me->core_size_rx;
3341 + me->core_size_rx += me->arch.plt_size;
3342 return 0;
3343 }
3344
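Review bot: After the split, `me->arch.plt_offset = me->core_size_rx;` takes the PLT offset from a size that is never aligned here, while the GOT side still runs `ALIGN(me->core_size_rw, 4)` first. In the old code the PLT followed the aligned GOT inside one region and presumably inherited its alignment; now it depends on whatever the RX size happens to be at this point. I would add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the PLT offset is recorded, unless code outside this hunk already guarantees the alignment. The start of module_frob_arch_sections is outside the hunk.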
3345 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3346 if (info->got_initialized == 0) {
3347 Elf_Addr *gotent;
3348
3349 - gotent = me->module_core + me->arch.got_offset +
3350 + gotent = me->module_core_rw + me->arch.got_offset +
3351 info->got_offset;
3352 *gotent = val;
3353 info->got_initialized = 1;
3354 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3355 else if (r_type == R_390_GOTENT ||
3356 r_type == R_390_GOTPLTENT)
3357 *(unsigned int *) loc =
3358 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3359 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3360 else if (r_type == R_390_GOT64 ||
3361 r_type == R_390_GOTPLT64)
3362 *(unsigned long *) loc = val;
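Review bot: `(val + (Elf_Addr) me->module_core_rw - loc) >> 1` is stored through an `unsigned int *` with no range check, and after this patch `loc` presumably lies in the RX region while the GOT lives in the RW region. If the two regions are separate allocations, their distance is no longer bounded by the size of one module image, and a displacement that does not fit would be truncated silently. I would verify the displacement before the store and fail the relocation otherwise, or at least add `/* RW and RX module regions must stay within the 32-bit PC-relative range of each other */` next to it. apply_rela starts and ends outside this hunk.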
3363 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3364 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3365 if (info->plt_initialized == 0) {
3366 unsigned int *ip;
3367 - ip = me->module_core + me->arch.plt_offset +
3368 + ip = me->module_core_rx + me->arch.plt_offset +
3369 info->plt_offset;
3370 #ifndef CONFIG_64BIT
3371 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3372 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3373 val - loc + 0xffffUL < 0x1ffffeUL) ||
3374 (r_type == R_390_PLT32DBL &&
3375 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3376 - val = (Elf_Addr) me->module_core +
3377 + val = (Elf_Addr) me->module_core_rx +
3378 me->arch.plt_offset +
3379 info->plt_offset;
3380 val += rela->r_addend - loc;
3381 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3382 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3383 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3384 val = val + rela->r_addend -
3385 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3386 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3387 if (r_type == R_390_GOTOFF16)
3388 *(unsigned short *) loc = val;
3389 else if (r_type == R_390_GOTOFF32)
3390 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3391 break;
3392 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3393 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3394 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3395 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3396 rela->r_addend - loc;
3397 if (r_type == R_390_GOTPC)
3398 *(unsigned int *) loc = val;
3399 diff -urNp linux-2.6.32.43/arch/s390/kernel/setup.c linux-2.6.32.43/arch/s390/kernel/setup.c
3400 --- linux-2.6.32.43/arch/s390/kernel/setup.c 2011-03-27 14:31:47.000000000 -0400
3401 +++ linux-2.6.32.43/arch/s390/kernel/setup.c 2011-04-17 15:56:45.000000000 -0400
3402 @@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3403 early_param("mem", early_parse_mem);
3404
3405 #ifdef CONFIG_S390_SWITCH_AMODE
3406 -unsigned int switch_amode = 0;
3407 -EXPORT_SYMBOL_GPL(switch_amode);
3408 -
3409 static int set_amode_and_uaccess(unsigned long user_amode,
3410 unsigned long user32_amode)
3411 {
3412 @@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3413 return 0;
3414 }
3415 }
3416 -
3417 -/*
3418 - * Switch kernel/user addressing modes?
3419 - */
3420 -static int __init early_parse_switch_amode(char *p)
3421 -{
3422 - switch_amode = 1;
3423 - return 0;
3424 -}
3425 -early_param("switch_amode", early_parse_switch_amode);
3426 -
3427 #else /* CONFIG_S390_SWITCH_AMODE */
3428 static inline int set_amode_and_uaccess(unsigned long user_amode,
3429 unsigned long user32_amode)
3430 @@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3431 }
3432 #endif /* CONFIG_S390_SWITCH_AMODE */
3433
3434 -#ifdef CONFIG_S390_EXEC_PROTECT
3435 -unsigned int s390_noexec = 0;
3436 -EXPORT_SYMBOL_GPL(s390_noexec);
3437 -
3438 -/*
3439 - * Enable execute protection?
3440 - */
3441 -static int __init early_parse_noexec(char *p)
3442 -{
3443 - if (!strncmp(p, "off", 3))
3444 - return 0;
3445 - switch_amode = 1;
3446 - s390_noexec = 1;
3447 - return 0;
3448 -}
3449 -early_param("noexec", early_parse_noexec);
3450 -#endif /* CONFIG_S390_EXEC_PROTECT */
3451 -
3452 static void setup_addressing_mode(void)
3453 {
3454 if (s390_noexec) {
3455 diff -urNp linux-2.6.32.43/arch/s390/mm/mmap.c linux-2.6.32.43/arch/s390/mm/mmap.c
3456 --- linux-2.6.32.43/arch/s390/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3457 +++ linux-2.6.32.43/arch/s390/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
3458 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3459 */
3460 if (mmap_is_legacy()) {
3461 mm->mmap_base = TASK_UNMAPPED_BASE;
3462 +
3463 +#ifdef CONFIG_PAX_RANDMMAP
3464 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3465 + mm->mmap_base += mm->delta_mmap;
3466 +#endif
3467 +
3468 mm->get_unmapped_area = arch_get_unmapped_area;
3469 mm->unmap_area = arch_unmap_area;
3470 } else {
3471 mm->mmap_base = mmap_base();
3472 +
3473 +#ifdef CONFIG_PAX_RANDMMAP
3474 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3475 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3476 +#endif
3477 +
3478 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3479 mm->unmap_area = arch_unmap_area_topdown;
3480 }
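Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` lowers the top-down base with no check that the result stays inside the usable range. Neither branch says why the top-down case subtracts both deltas while the legacy case adds only `delta_mmap`. A comment such as `/* keep the randomised stack area clear of the top-down mmap base */` would help, if that is the intent. The identical block is added again in the second hunk of this file, so a small static inline helper taking `mm` would keep the two copies of arch_pick_mmap_layout in step. The function starts outside both hunks.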
3481 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3482 */
3483 if (mmap_is_legacy()) {
3484 mm->mmap_base = TASK_UNMAPPED_BASE;
3485 +
3486 +#ifdef CONFIG_PAX_RANDMMAP
3487 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3488 + mm->mmap_base += mm->delta_mmap;
3489 +#endif
3490 +
3491 mm->get_unmapped_area = s390_get_unmapped_area;
3492 mm->unmap_area = arch_unmap_area;
3493 } else {
3494 mm->mmap_base = mmap_base();
3495 +
3496 +#ifdef CONFIG_PAX_RANDMMAP
3497 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3498 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3499 +#endif
3500 +
3501 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3502 mm->unmap_area = arch_unmap_area_topdown;
3503 }
3504 diff -urNp linux-2.6.32.43/arch/score/include/asm/system.h linux-2.6.32.43/arch/score/include/asm/system.h
3505 --- linux-2.6.32.43/arch/score/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
3506 +++ linux-2.6.32.43/arch/score/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
3507 @@ -17,7 +17,7 @@ do { \
3508 #define finish_arch_switch(prev) do {} while (0)
3509
3510 typedef void (*vi_handler_t)(void);
3511 -extern unsigned long arch_align_stack(unsigned long sp);
3512 +#define arch_align_stack(x) (x)
3513
3514 #define mb() barrier()
3515 #define rmb() barrier()
3516 diff -urNp linux-2.6.32.43/arch/score/kernel/process.c linux-2.6.32.43/arch/score/kernel/process.c
3517 --- linux-2.6.32.43/arch/score/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
3518 +++ linux-2.6.32.43/arch/score/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
3519 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3520
3521 return task_pt_regs(task)->cp0_epc;
3522 }
3523 -
3524 -unsigned long arch_align_stack(unsigned long sp)
3525 -{
3526 - return sp;
3527 -}
3528 diff -urNp linux-2.6.32.43/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.43/arch/sh/boards/mach-hp6xx/pm.c
3529 --- linux-2.6.32.43/arch/sh/boards/mach-hp6xx/pm.c 2011-03-27 14:31:47.000000000 -0400
3530 +++ linux-2.6.32.43/arch/sh/boards/mach-hp6xx/pm.c 2011-04-17 15:56:45.000000000 -0400
3531 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3532 return 0;
3533 }
3534
3535 -static struct platform_suspend_ops hp6x0_pm_ops = {
3536 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3537 .enter = hp6x0_pm_enter,
3538 .valid = suspend_valid_only_mem,
3539 };
3540 diff -urNp linux-2.6.32.43/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.43/arch/sh/kernel/cpu/sh4/sq.c
3541 --- linux-2.6.32.43/arch/sh/kernel/cpu/sh4/sq.c 2011-03-27 14:31:47.000000000 -0400
3542 +++ linux-2.6.32.43/arch/sh/kernel/cpu/sh4/sq.c 2011-04-17 15:56:46.000000000 -0400
3543 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3544 NULL,
3545 };
3546
3547 -static struct sysfs_ops sq_sysfs_ops = {
3548 +static const struct sysfs_ops sq_sysfs_ops = {
3549 .show = sq_sysfs_show,
3550 .store = sq_sysfs_store,
3551 };
3552 diff -urNp linux-2.6.32.43/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.43/arch/sh/kernel/cpu/shmobile/pm.c
3553 --- linux-2.6.32.43/arch/sh/kernel/cpu/shmobile/pm.c 2011-03-27 14:31:47.000000000 -0400
3554 +++ linux-2.6.32.43/arch/sh/kernel/cpu/shmobile/pm.c 2011-04-17 15:56:46.000000000 -0400
3555 @@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3556 return 0;
3557 }
3558
3559 -static struct platform_suspend_ops sh_pm_ops = {
3560 +static const struct platform_suspend_ops sh_pm_ops = {
3561 .enter = sh_pm_enter,
3562 .valid = suspend_valid_only_mem,
3563 };
3564 diff -urNp linux-2.6.32.43/arch/sh/kernel/kgdb.c linux-2.6.32.43/arch/sh/kernel/kgdb.c
3565 --- linux-2.6.32.43/arch/sh/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
3566 +++ linux-2.6.32.43/arch/sh/kernel/kgdb.c 2011-04-17 15:56:46.000000000 -0400
3567 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3568 {
3569 }
3570
3571 -struct kgdb_arch arch_kgdb_ops = {
3572 +const struct kgdb_arch arch_kgdb_ops = {
3573 /* Breakpoint instruction: trapa #0x3c */
3574 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3575 .gdb_bpt_instr = { 0x3c, 0xc3 },
3576 diff -urNp linux-2.6.32.43/arch/sh/mm/mmap.c linux-2.6.32.43/arch/sh/mm/mmap.c
3577 --- linux-2.6.32.43/arch/sh/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3578 +++ linux-2.6.32.43/arch/sh/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
3579 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3580 addr = PAGE_ALIGN(addr);
3581
3582 vma = find_vma(mm, addr);
3583 - if (TASK_SIZE - len >= addr &&
3584 - (!vma || addr + len <= vma->vm_start))
3585 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3586 return addr;
3587 }
3588
3589 @@ -106,7 +105,7 @@ full_search:
3590 }
3591 return -ENOMEM;
3592 }
3593 - if (likely(!vma || addr + len <= vma->vm_start)) {
3594 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3595 /*
3596 * Remember the place where we stopped the search:
3597 */
3598 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3599 addr = PAGE_ALIGN(addr);
3600
3601 vma = find_vma(mm, addr);
3602 - if (TASK_SIZE - len >= addr &&
3603 - (!vma || addr + len <= vma->vm_start))
3604 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3605 return addr;
3606 }
3607
3608 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3609 /* make sure it can fit in the remaining address space */
3610 if (likely(addr > len)) {
3611 vma = find_vma(mm, addr-len);
3612 - if (!vma || addr <= vma->vm_start) {
3613 + if (check_heap_stack_gap(vma, addr - len, len)) {
3614 /* remember the address as a hint for next time */
3615 return (mm->free_area_cache = addr-len);
3616 }
3617 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3618 if (unlikely(mm->mmap_base < len))
3619 goto bottomup;
3620
3621 - addr = mm->mmap_base-len;
3622 - if (do_colour_align)
3623 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3624 + addr = mm->mmap_base - len;
3625
3626 do {
3627 + if (do_colour_align)
3628 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3629 /*
3630 * Lookup failure means no vma is above this address,
3631 * else if new region fits below vma->vm_start,
3632 * return with success:
3633 */
3634 vma = find_vma(mm, addr);
3635 - if (likely(!vma || addr+len <= vma->vm_start)) {
3636 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3637 /* remember the address as a hint for next time */
3638 return (mm->free_area_cache = addr);
3639 }
3640 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3641 mm->cached_hole_size = vma->vm_start - addr;
3642
3643 /* try just below the current vma->vm_start */
3644 - addr = vma->vm_start-len;
3645 - if (do_colour_align)
3646 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3647 - } while (likely(len < vma->vm_start));
3648 + addr = skip_heap_stack_gap(vma, len);
3649 + } while (!IS_ERR_VALUE(addr));
3650
3651 bottomup:
3652 /*
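Review bot: The do/while loop in arch_get_unmapped_area_topdown now terminates only when `skip_heap_stack_gap(vma, len)` yields a value for which `IS_ERR_VALUE(addr)` is true, replacing the explicit `len < vma->vm_start` test, and neither helper is defined in the visible part of the patch. I would add a comment at the loop tail such as `/* skip_heap_stack_gap() returns an error value once nothing below vma->vm_start can hold len plus the gap */`, assuming that is its contract. Since the colour alignment moved to the top of the loop in the previous hunk, it is also worth stating that the aligned-down address is the one checked against the gap. The function starts outside this hunk.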
3653 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/atomic_64.h linux-2.6.32.43/arch/sparc/include/asm/atomic_64.h
3654 --- linux-2.6.32.43/arch/sparc/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
3655 +++ linux-2.6.32.43/arch/sparc/include/asm/atomic_64.h 2011-07-13 22:22:56.000000000 -0400
3656 @@ -14,18 +14,40 @@
3657 #define ATOMIC64_INIT(i) { (i) }
3658
3659 #define atomic_read(v) ((v)->counter)
3660 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3661 +{
3662 + return v->counter;
3663 +}
3664 #define atomic64_read(v) ((v)->counter)
3665 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3666 +{
3667 + return v->counter;
3668 +}
3669
3670 #define atomic_set(v, i) (((v)->counter) = i)
3671 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3672 +{
3673 + v->counter = i;
3674 +}
3675 #define atomic64_set(v, i) (((v)->counter) = i)
3676 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3677 +{
3678 + v->counter = i;
3679 +}
3680
3681 extern void atomic_add(int, atomic_t *);
3682 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3683 extern void atomic64_add(long, atomic64_t *);
3684 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3685 extern void atomic_sub(int, atomic_t *);
3686 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3687 extern void atomic64_sub(long, atomic64_t *);
3688 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3689
3690 extern int atomic_add_ret(int, atomic_t *);
3691 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3692 extern long atomic64_add_ret(long, atomic64_t *);
3693 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3694 extern int atomic_sub_ret(int, atomic_t *);
3695 extern long atomic64_sub_ret(long, atomic64_t *);
3696
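Review bot: The new `*_unchecked` accessors and prototypes arrive without any comment on when they may be used. Judging from the `tvs` overflow traps added under CONFIG_PAX_REFCOUNT later in this file, the unchecked forms appear to be the ones that keep silent wrap-around, so using one on a reference count would bypass the overflow protection. I would add a block comment above `atomic_read_unchecked` along the lines of `/* _unchecked variants may wrap: use only for counters where overflow is harmless, never for reference counts */`. `atomic_sub_ret` and `atomic64_sub_ret` get no unchecked counterpart here although the add forms do; if that is deliberate, the comment should say so.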
3697 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3698 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3699
3700 #define atomic_inc_return(v) atomic_add_ret(1, v)
3701 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3702 +{
3703 + return atomic_add_ret_unchecked(1, v);
3704 +}
3705 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3706 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3707 +{
3708 + return atomic64_add_ret_unchecked(1, v);
3709 +}
3710
3711 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3712 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3713
3714 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3715 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3716 +{
3717 + return atomic_add_ret_unchecked(i, v);
3718 +}
3719 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3720 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3721 +{
3722 + return atomic64_add_ret_unchecked(i, v);
3723 +}
3724
3725 /*
3726 * atomic_inc_and_test - increment and test
3727 @@ -50,6 +88,7 @@ extern long atomic64_sub_ret(long, atomi
3728 * other cases.
3729 */
3730 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3731 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
3732 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3733
3734 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3735 @@ -59,30 +98,59 @@ extern long atomic64_sub_ret(long, atomi
3736 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3737
3738 #define atomic_inc(v) atomic_add(1, v)
3739 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3740 +{
3741 + atomic_add_unchecked(1, v);
3742 +}
3743 #define atomic64_inc(v) atomic64_add(1, v)
3744 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3745 +{
3746 + atomic64_add_unchecked(1, v);
3747 +}
3748
3749 #define atomic_dec(v) atomic_sub(1, v)
3750 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3751 +{
3752 + atomic_sub_unchecked(1, v);
3753 +}
3754 #define atomic64_dec(v) atomic64_sub(1, v)
3755 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3756 +{
3757 + atomic64_sub_unchecked(1, v);
3758 +}
3759
3760 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3761 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3762
3763 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3764 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3765 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3766 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
3767
3768 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3769 {
3770 - int c, old;
3771 + int c, old, new;
3772 c = atomic_read(v);
3773 for (;;) {
3774 - if (unlikely(c == (u)))
3775 + if (unlikely(c == u))
3776 break;
3777 - old = atomic_cmpxchg((v), c, c + (a));
3778 +
3779 + asm volatile("addcc %2, %0, %0\n"
3780 +
3781 +#ifdef CONFIG_PAX_REFCOUNT
3782 + "tvs %%icc, 6\n"
3783 +#endif
3784 +
3785 + : "=r" (new)
3786 + : "0" (c), "ir" (a)
3787 + : "cc");
3788 +
3789 + old = atomic_cmpxchg(v, c, new);
3790 if (likely(old == c))
3791 break;
3792 c = old;
3793 }
3794 - return c != (u);
3795 + return c != u;
3796 }
3797
3798 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
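Review bot: In atomic_add_unless the `asm volatile("addcc ...")` block is compiled in even when CONFIG_PAX_REFCOUNT is off, so the plain `c + a` that the compiler could previously optimise is replaced by an opaque instruction in every configuration; atomic64_add_unless in the next hunk has the same shape. Keeping `new = c + a;` under `#ifndef CONFIG_PAX_REFCOUNT` would leave the default build unchanged. The trap number in `tvs %%icc, 6` is a bare literal that also appears in the spinlock_64.h hunks of this patch. A named constant, with a comment on which trap handler it reaches, would make the overflow path easier to trace.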
3799 @@ -93,17 +161,28 @@ static inline int atomic_add_unless(atom
3800
3801 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3802 {
3803 - long c, old;
3804 + long c, old, new;
3805 c = atomic64_read(v);
3806 for (;;) {
3807 - if (unlikely(c == (u)))
3808 + if (unlikely(c == u))
3809 break;
3810 - old = atomic64_cmpxchg((v), c, c + (a));
3811 +
3812 + asm volatile("addcc %2, %0, %0\n"
3813 +
3814 +#ifdef CONFIG_PAX_REFCOUNT
3815 + "tvs %%xcc, 6\n"
3816 +#endif
3817 +
3818 + : "=r" (new)
3819 + : "0" (c), "ir" (a)
3820 + : "cc");
3821 +
3822 + old = atomic64_cmpxchg(v, c, new);
3823 if (likely(old == c))
3824 break;
3825 c = old;
3826 }
3827 - return c != (u);
3828 + return c != u;
3829 }
3830
3831 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3832 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/cache.h linux-2.6.32.43/arch/sparc/include/asm/cache.h
3833 --- linux-2.6.32.43/arch/sparc/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
3834 +++ linux-2.6.32.43/arch/sparc/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
3835 @@ -8,7 +8,7 @@
3836 #define _SPARC_CACHE_H
3837
3838 #define L1_CACHE_SHIFT 5
3839 -#define L1_CACHE_BYTES 32
3840 +#define L1_CACHE_BYTES 32UL
3841 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3842
3843 #ifdef CONFIG_SPARC32
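Review bot: `#define L1_CACHE_BYTES 32UL` puts a C integer suffix into a header that may also be included from assembly sources, where `32UL` would not assemble. If any `.S` file uses this constant, `#define L1_CACHE_BYTES _AC(32,UL)` with `<linux/const.h>` keeps the unsigned long type for C and a bare number for the assembler. A one-line comment on why the type is widened, presumably to keep `L1_CACHE_ALIGN` from truncating on 64-bit values, would also help.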
3844 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.43/arch/sparc/include/asm/dma-mapping.h
3845 --- linux-2.6.32.43/arch/sparc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
3846 +++ linux-2.6.32.43/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
3847 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3848 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3849 #define dma_is_consistent(d, h) (1)
3850
3851 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3852 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3853 extern struct bus_type pci_bus_type;
3854
3855 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3856 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3857 {
3858 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3859 if (dev->bus == &pci_bus_type)
3860 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3861 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3862 dma_addr_t *dma_handle, gfp_t flag)
3863 {
3864 - struct dma_map_ops *ops = get_dma_ops(dev);
3865 + const struct dma_map_ops *ops = get_dma_ops(dev);
3866 void *cpu_addr;
3867
3868 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3869 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3870 static inline void dma_free_coherent(struct device *dev, size_t size,
3871 void *cpu_addr, dma_addr_t dma_handle)
3872 {
3873 - struct dma_map_ops *ops = get_dma_ops(dev);
3874 + const struct dma_map_ops *ops = get_dma_ops(dev);
3875
3876 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3877 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3878 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/elf_32.h linux-2.6.32.43/arch/sparc/include/asm/elf_32.h
3879 --- linux-2.6.32.43/arch/sparc/include/asm/elf_32.h 2011-03-27 14:31:47.000000000 -0400
3880 +++ linux-2.6.32.43/arch/sparc/include/asm/elf_32.h 2011-04-17 15:56:46.000000000 -0400
3881 @@ -116,6 +116,13 @@ typedef struct {
3882
3883 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3884
3885 +#ifdef CONFIG_PAX_ASLR
3886 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3887 +
3888 +#define PAX_DELTA_MMAP_LEN 16
3889 +#define PAX_DELTA_STACK_LEN 16
3890 +#endif
3891 +
3892 /* This yields a mask that user programs can use to figure out what
3893 instruction set this cpu supports. This can NOT be done in userspace
3894 on Sparc. */
3895 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/elf_64.h linux-2.6.32.43/arch/sparc/include/asm/elf_64.h
3896 --- linux-2.6.32.43/arch/sparc/include/asm/elf_64.h 2011-03-27 14:31:47.000000000 -0400
3897 +++ linux-2.6.32.43/arch/sparc/include/asm/elf_64.h 2011-04-17 15:56:46.000000000 -0400
3898 @@ -163,6 +163,12 @@ typedef struct {
3899 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3900 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3901
3902 +#ifdef CONFIG_PAX_ASLR
3903 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3904 +
3905 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3906 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3907 +#endif
3908
3909 /* This yields a mask that user programs can use to figure out what
3910 instruction set this cpu supports. */
3911 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.43/arch/sparc/include/asm/pgtable_32.h
3912 --- linux-2.6.32.43/arch/sparc/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
3913 +++ linux-2.6.32.43/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
3914 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3915 BTFIXUPDEF_INT(page_none)
3916 BTFIXUPDEF_INT(page_copy)
3917 BTFIXUPDEF_INT(page_readonly)
3918 +
3919 +#ifdef CONFIG_PAX_PAGEEXEC
3920 +BTFIXUPDEF_INT(page_shared_noexec)
3921 +BTFIXUPDEF_INT(page_copy_noexec)
3922 +BTFIXUPDEF_INT(page_readonly_noexec)
3923 +#endif
3924 +
3925 BTFIXUPDEF_INT(page_kernel)
3926
3927 #define PMD_SHIFT SUN4C_PMD_SHIFT
3928 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3929 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3930 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3931
3932 +#ifdef CONFIG_PAX_PAGEEXEC
3933 +extern pgprot_t PAGE_SHARED_NOEXEC;
3934 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3935 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3936 +#else
3937 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3938 +# define PAGE_COPY_NOEXEC PAGE_COPY
3939 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3940 +#endif
3941 +
3942 extern unsigned long page_kernel;
3943
3944 #ifdef MODULE
3945 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.43/arch/sparc/include/asm/pgtsrmmu.h
3946 --- linux-2.6.32.43/arch/sparc/include/asm/pgtsrmmu.h 2011-03-27 14:31:47.000000000 -0400
3947 +++ linux-2.6.32.43/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:56:46.000000000 -0400
3948 @@ -115,6 +115,13 @@
3949 SRMMU_EXEC | SRMMU_REF)
3950 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3951 SRMMU_EXEC | SRMMU_REF)
3952 +
3953 +#ifdef CONFIG_PAX_PAGEEXEC
3954 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3955 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3956 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3957 +#endif
3958 +
3959 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3960 SRMMU_DIRTY | SRMMU_REF)
3961
3962 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.43/arch/sparc/include/asm/spinlock_64.h
3963 --- linux-2.6.32.43/arch/sparc/include/asm/spinlock_64.h 2011-03-27 14:31:47.000000000 -0400
3964 +++ linux-2.6.32.43/arch/sparc/include/asm/spinlock_64.h 2011-05-04 17:56:20.000000000 -0400
3965 @@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
3966
3967 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3968
3969 -static void inline arch_read_lock(raw_rwlock_t *lock)
3970 +static inline void arch_read_lock(raw_rwlock_t *lock)
3971 {
3972 unsigned long tmp1, tmp2;
3973
3974 __asm__ __volatile__ (
3975 "1: ldsw [%2], %0\n"
3976 " brlz,pn %0, 2f\n"
3977 -"4: add %0, 1, %1\n"
3978 +"4: addcc %0, 1, %1\n"
3979 +
3980 +#ifdef CONFIG_PAX_REFCOUNT
3981 +" tvs %%icc, 6\n"
3982 +#endif
3983 +
3984 " cas [%2], %0, %1\n"
3985 " cmp %0, %1\n"
3986 " bne,pn %%icc, 1b\n"
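Review bot: The software trap number in `tvs %%icc, 6` is a bare literal, and the handler side in traps_64.c matches it with an equally bare `lvl == 6` in bad_trap and bad_trap_tl1. The same literal recurs in arch_read_trylock, arch_read_unlock and throughout atomic_64.S, so the pairing is kept only by convention. A comment above the asm, for example `/* PAX_REFCOUNT: trap 6 on signed overflow, reported from bad_trap() */`, or a shared named constant, would make the coupling visible. Note also that `add` becomes `addcc` outside the `#ifdef`, so condition codes are set even when the option is off. The asm statement of arch_read_lock continues past this hunk.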
3987 @@ -112,7 +117,7 @@ static void inline arch_read_lock(raw_rw
3988 " .previous"
3989 : "=&r" (tmp1), "=&r" (tmp2)
3990 : "r" (lock)
3991 - : "memory");
3992 + : "memory", "cc");
3993 }
3994
3995 static int inline arch_read_trylock(raw_rwlock_t *lock)
3996 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
3997 "1: ldsw [%2], %0\n"
3998 " brlz,a,pn %0, 2f\n"
3999 " mov 0, %0\n"
4000 -" add %0, 1, %1\n"
4001 +" addcc %0, 1, %1\n"
4002 +
4003 +#ifdef CONFIG_PAX_REFCOUNT
4004 +" tvs %%icc, 6\n"
4005 +#endif
4006 +
4007 " cas [%2], %0, %1\n"
4008 " cmp %0, %1\n"
4009 " bne,pn %%icc, 1b\n"
4010 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4011 return tmp1;
4012 }
4013
4014 -static void inline arch_read_unlock(raw_rwlock_t *lock)
4015 +static inline void arch_read_unlock(raw_rwlock_t *lock)
4016 {
4017 unsigned long tmp1, tmp2;
4018
4019 __asm__ __volatile__(
4020 "1: lduw [%2], %0\n"
4021 -" sub %0, 1, %1\n"
4022 +" subcc %0, 1, %1\n"
4023 +
4024 +#ifdef CONFIG_PAX_REFCOUNT
4025 +" tvs %%icc, 6\n"
4026 +#endif
4027 +
4028 " cas [%2], %0, %1\n"
4029 " cmp %0, %1\n"
4030 " bne,pn %%xcc, 1b\n"
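Review bot: arch_read_unlock now sets the condition codes with `subcc`, but its clobber list is still `: "memory");`, as shown by the context line at the top of the following hunk. arch_read_lock received `"cc"` for the same kind of change, so for consistency this list should read `: "memory", "cc");`. The clobber list of arch_read_trylock lies outside the visible hunks and needs the same check. The asm statement extends beyond this hunk.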
4031 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4032 : "memory");
4033 }
4034
4035 -static void inline arch_write_lock(raw_rwlock_t *lock)
4036 +static inline void arch_write_lock(raw_rwlock_t *lock)
4037 {
4038 unsigned long mask, tmp1, tmp2;
4039
4040 @@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4041 : "memory");
4042 }
4043
4044 -static void inline arch_write_unlock(raw_rwlock_t *lock)
4045 +static inline void arch_write_unlock(raw_rwlock_t *lock)
4046 {
4047 __asm__ __volatile__(
4048 " stw %%g0, [%0]"
4049 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.43/arch/sparc/include/asm/thread_info_32.h
4050 --- linux-2.6.32.43/arch/sparc/include/asm/thread_info_32.h 2011-03-27 14:31:47.000000000 -0400
4051 +++ linux-2.6.32.43/arch/sparc/include/asm/thread_info_32.h 2011-06-04 20:46:01.000000000 -0400
4052 @@ -50,6 +50,8 @@ struct thread_info {
4053 unsigned long w_saved;
4054
4055 struct restart_block restart_block;
4056 +
4057 + unsigned long lowest_stack;
4058 };
4059
4060 /*
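Review bot: `lowest_stack` is added to struct thread_info without a comment or a config guard, here and in thread_info_64.h, and nothing in either hunk shows what maintains it. A one-line comment such as `/* lowest kernel stack address reached; presumably for PAX_MEMORY_STACKLEAK, confirm */` would tell the next reader why every task carries it. In the 64-bit struct the field sits directly before the 64-byte-aligned `fpregs`, so any hand-maintained offset constants for that struct (not visible here) should be rechecked against the new layout.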
4061 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.43/arch/sparc/include/asm/thread_info_64.h
4062 --- linux-2.6.32.43/arch/sparc/include/asm/thread_info_64.h 2011-03-27 14:31:47.000000000 -0400
4063 +++ linux-2.6.32.43/arch/sparc/include/asm/thread_info_64.h 2011-06-04 20:46:21.000000000 -0400
4064 @@ -68,6 +68,8 @@ struct thread_info {
4065 struct pt_regs *kern_una_regs;
4066 unsigned int kern_una_insn;
4067
4068 + unsigned long lowest_stack;
4069 +
4070 unsigned long fpregs[0] __attribute__ ((aligned(64)));
4071 };
4072
4073 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.43/arch/sparc/include/asm/uaccess_32.h
4074 --- linux-2.6.32.43/arch/sparc/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
4075 +++ linux-2.6.32.43/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:56:46.000000000 -0400
4076 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4077
4078 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4079 {
4080 - if (n && __access_ok((unsigned long) to, n))
4081 + if ((long)n < 0)
4082 + return n;
4083 +
4084 + if (n && __access_ok((unsigned long) to, n)) {
4085 + if (!__builtin_constant_p(n))
4086 + check_object_size(from, n, true);
4087 return __copy_user(to, (__force void __user *) from, n);
4088 - else
4089 + } else
4090 return n;
4091 }
4092
4093 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4094 {
4095 + if ((long)n < 0)
4096 + return n;
4097 +
4098 + if (!__builtin_constant_p(n))
4099 + check_object_size(from, n, true);
4100 +
4101 return __copy_user(to, (__force void __user *) from, n);
4102 }
4103
4104 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4105 {
4106 - if (n && __access_ok((unsigned long) from, n))
4107 + if ((long)n < 0)
4108 + return n;
4109 +
4110 + if (n && __access_ok((unsigned long) from, n)) {
4111 + if (!__builtin_constant_p(n))
4112 + check_object_size(to, n, false);
4113 return __copy_user((__force void __user *) to, from, n);
4114 - else
4115 + } else
4116 return n;
4117 }
4118
4119 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4120 {
4121 + if ((long)n < 0)
4122 + return n;
4123 +
4124 return __copy_user((__force void __user *) to, from, n);
4125 }
4126
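Review bot: `__copy_from_user` gains only the `(long)n < 0` guard and, unlike copy_from_user and `__copy_to_user` in this same hunk, never calls check_object_size on the kernel destination. Callers of the double-underscore variant therefore skip the object-size check on exactly the path that writes into kernel memory. If the omission is not deliberate, add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call; if it is deliberate, a comment stating the reason belongs there.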
4127 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.43/arch/sparc/include/asm/uaccess_64.h
4128 --- linux-2.6.32.43/arch/sparc/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
4129 +++ linux-2.6.32.43/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:56:46.000000000 -0400
4130 @@ -9,6 +9,7 @@
4131 #include <linux/compiler.h>
4132 #include <linux/string.h>
4133 #include <linux/thread_info.h>
4134 +#include <linux/kernel.h>
4135 #include <asm/asi.h>
4136 #include <asm/system.h>
4137 #include <asm/spitfire.h>
4138 @@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
4139 static inline unsigned long __must_check
4140 copy_from_user(void *to, const void __user *from, unsigned long size)
4141 {
4142 - unsigned long ret = ___copy_from_user(to, from, size);
4143 + unsigned long ret;
4144
4145 + if ((long)size < 0 || size > INT_MAX)
4146 + return size;
4147 +
4148 + if (!__builtin_constant_p(size))
4149 + check_object_size(to, size, false);
4150 +
4151 + ret = ___copy_from_user(to, from, size);
4152 if (unlikely(ret))
4153 ret = copy_from_user_fixup(to, from, size);
4154 return ret;
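Review bot: The test `(long)size < 0 || size > INT_MAX` is redundant in its first half: `size` is an unsigned long, so any value with the top bit set is already greater than INT_MAX, and `if (size > INT_MAX)` alone expresses the limit. The same condition is repeated in copy_to_user in the next hunk. uaccess_32.h uses only the sign test, so the two headers state their upper bound differently; a short comment such as `/* reject lengths no sane caller passes */` with the intended limit would remove the guesswork.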
4155 @@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
4156 static inline unsigned long __must_check
4157 copy_to_user(void __user *to, const void *from, unsigned long size)
4158 {
4159 - unsigned long ret = ___copy_to_user(to, from, size);
4160 + unsigned long ret;
4161 +
4162 + if ((long)size < 0 || size > INT_MAX)
4163 + return size;
4164 +
4165 + if (!__builtin_constant_p(size))
4166 + check_object_size(from, size, true);
4167
4168 + ret = ___copy_to_user(to, from, size);
4169 if (unlikely(ret))
4170 ret = copy_to_user_fixup(to, from, size);
4171 return ret;
4172 diff -urNp linux-2.6.32.43/arch/sparc/include/asm/uaccess.h linux-2.6.32.43/arch/sparc/include/asm/uaccess.h
4173 --- linux-2.6.32.43/arch/sparc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
4174 +++ linux-2.6.32.43/arch/sparc/include/asm/uaccess.h 2011-04-17 15:56:46.000000000 -0400
4175 @@ -1,5 +1,13 @@
4176 #ifndef ___ASM_SPARC_UACCESS_H
4177 #define ___ASM_SPARC_UACCESS_H
4178 +
4179 +#ifdef __KERNEL__
4180 +#ifndef __ASSEMBLY__
4181 +#include <linux/types.h>
4182 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4183 +#endif
4184 +#endif
4185 +
4186 #if defined(__sparc__) && defined(__arch64__)
4187 #include <asm/uaccess_64.h>
4188 #else
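Review bot: The check_object_size prototype is introduced without any description of its `to` flag, which every caller has to get right. From the call sites in uaccess_32.h and uaccess_64.h it is `true` when the kernel buffer is the source of a copy to userland and `false` when it is the destination of a copy from userland. A comment above the declaration, for example `/* ptr: kernel-side buffer, n: bytes, to: true for copies to userland */`, would record that contract next to the only declaration visible here.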
4189 diff -urNp linux-2.6.32.43/arch/sparc/kernel/iommu.c linux-2.6.32.43/arch/sparc/kernel/iommu.c
4190 --- linux-2.6.32.43/arch/sparc/kernel/iommu.c 2011-03-27 14:31:47.000000000 -0400
4191 +++ linux-2.6.32.43/arch/sparc/kernel/iommu.c 2011-04-17 15:56:46.000000000 -0400
4192 @@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4193 spin_unlock_irqrestore(&iommu->lock, flags);
4194 }
4195
4196 -static struct dma_map_ops sun4u_dma_ops = {
4197 +static const struct dma_map_ops sun4u_dma_ops = {
4198 .alloc_coherent = dma_4u_alloc_coherent,
4199 .free_coherent = dma_4u_free_coherent,
4200 .map_page = dma_4u_map_page,
4201 @@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
4202 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4203 };
4204
4205 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4206 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4207 EXPORT_SYMBOL(dma_ops);
4208
4209 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
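Review bot: `const struct dma_map_ops *dma_ops` makes the ops table read-only but leaves the exported pointer itself as ordinary writable data, so the indirection through `dma_ops` is no better protected than before; ioport.c has the same declaration. If nothing reassigns the pointer after initialisation (not visible in these hunks), `const struct dma_map_ops *const dma_ops` or an equivalent read-only placement would close that gap; otherwise a comment noting that the pointer stays writable on purpose is worth adding. The matching `extern` declarations must change to the const-qualified type as well, which these hunks do not show.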
4210 diff -urNp linux-2.6.32.43/arch/sparc/kernel/ioport.c linux-2.6.32.43/arch/sparc/kernel/ioport.c
4211 --- linux-2.6.32.43/arch/sparc/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
4212 +++ linux-2.6.32.43/arch/sparc/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
4213 @@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4214 BUG();
4215 }
4216
4217 -struct dma_map_ops sbus_dma_ops = {
4218 +const struct dma_map_ops sbus_dma_ops = {
4219 .alloc_coherent = sbus_alloc_coherent,
4220 .free_coherent = sbus_free_coherent,
4221 .map_page = sbus_map_page,
4222 @@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4223 .sync_sg_for_device = sbus_sync_sg_for_device,
4224 };
4225
4226 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4227 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4228 EXPORT_SYMBOL(dma_ops);
4229
4230 static int __init sparc_register_ioport(void)
4231 @@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4232 }
4233 }
4234
4235 -struct dma_map_ops pci32_dma_ops = {
4236 +const struct dma_map_ops pci32_dma_ops = {
4237 .alloc_coherent = pci32_alloc_coherent,
4238 .free_coherent = pci32_free_coherent,
4239 .map_page = pci32_map_page,
4240 diff -urNp linux-2.6.32.43/arch/sparc/kernel/kgdb_32.c linux-2.6.32.43/arch/sparc/kernel/kgdb_32.c
4241 --- linux-2.6.32.43/arch/sparc/kernel/kgdb_32.c 2011-03-27 14:31:47.000000000 -0400
4242 +++ linux-2.6.32.43/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:56:46.000000000 -0400
4243 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4244 {
4245 }
4246
4247 -struct kgdb_arch arch_kgdb_ops = {
4248 +const struct kgdb_arch arch_kgdb_ops = {
4249 /* Breakpoint instruction: ta 0x7d */
4250 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4251 };
4252 diff -urNp linux-2.6.32.43/arch/sparc/kernel/kgdb_64.c linux-2.6.32.43/arch/sparc/kernel/kgdb_64.c
4253 --- linux-2.6.32.43/arch/sparc/kernel/kgdb_64.c 2011-03-27 14:31:47.000000000 -0400
4254 +++ linux-2.6.32.43/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:56:46.000000000 -0400
4255 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4256 {
4257 }
4258
4259 -struct kgdb_arch arch_kgdb_ops = {
4260 +const struct kgdb_arch arch_kgdb_ops = {
4261 /* Breakpoint instruction: ta 0x72 */
4262 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4263 };
4264 diff -urNp linux-2.6.32.43/arch/sparc/kernel/Makefile linux-2.6.32.43/arch/sparc/kernel/Makefile
4265 --- linux-2.6.32.43/arch/sparc/kernel/Makefile 2011-03-27 14:31:47.000000000 -0400
4266 +++ linux-2.6.32.43/arch/sparc/kernel/Makefile 2011-04-17 15:56:46.000000000 -0400
4267 @@ -3,7 +3,7 @@
4268 #
4269
4270 asflags-y := -ansi
4271 -ccflags-y := -Werror
4272 +#ccflags-y := -Werror
4273
4274 extra-y := head_$(BITS).o
4275 extra-y += init_task.o
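Review bot: Commenting out `ccflags-y := -Werror` leaves a dead line with no recorded reason, and from here on compiler warnings in arch/sparc/kernel no longer fail the build. Either delete the line or keep it with an explanation, for example `# -Werror disabled: <reason, e.g. warnings introduced by this patch set>`, so that it can be restored once the cause is gone.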
4276 diff -urNp linux-2.6.32.43/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.43/arch/sparc/kernel/pci_sun4v.c
4277 --- linux-2.6.32.43/arch/sparc/kernel/pci_sun4v.c 2011-03-27 14:31:47.000000000 -0400
4278 +++ linux-2.6.32.43/arch/sparc/kernel/pci_sun4v.c 2011-04-17 15:56:46.000000000 -0400
4279 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4280 spin_unlock_irqrestore(&iommu->lock, flags);
4281 }
4282
4283 -static struct dma_map_ops sun4v_dma_ops = {
4284 +static const struct dma_map_ops sun4v_dma_ops = {
4285 .alloc_coherent = dma_4v_alloc_coherent,
4286 .free_coherent = dma_4v_free_coherent,
4287 .map_page = dma_4v_map_page,
4288 diff -urNp linux-2.6.32.43/arch/sparc/kernel/process_32.c linux-2.6.32.43/arch/sparc/kernel/process_32.c
4289 --- linux-2.6.32.43/arch/sparc/kernel/process_32.c 2011-03-27 14:31:47.000000000 -0400
4290 +++ linux-2.6.32.43/arch/sparc/kernel/process_32.c 2011-04-17 15:56:46.000000000 -0400
4291 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4292 rw->ins[4], rw->ins[5],
4293 rw->ins[6],
4294 rw->ins[7]);
4295 - printk("%pS\n", (void *) rw->ins[7]);
4296 + printk("%pA\n", (void *) rw->ins[7]);
4297 rw = (struct reg_window32 *) rw->ins[6];
4298 }
4299 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4300 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4301
4302 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4303 r->psr, r->pc, r->npc, r->y, print_tainted());
4304 - printk("PC: <%pS>\n", (void *) r->pc);
4305 + printk("PC: <%pA>\n", (void *) r->pc);
4306 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4307 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4308 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4309 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4310 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4311 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4312 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4313 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4314
4315 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4316 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4317 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4318 rw = (struct reg_window32 *) fp;
4319 pc = rw->ins[7];
4320 printk("[%08lx : ", pc);
4321 - printk("%pS ] ", (void *) pc);
4322 + printk("%pA ] ", (void *) pc);
4323 fp = rw->ins[6];
4324 } while (++count < 16);
4325 printk("\n");
4326 diff -urNp linux-2.6.32.43/arch/sparc/kernel/process_64.c linux-2.6.32.43/arch/sparc/kernel/process_64.c
4327 --- linux-2.6.32.43/arch/sparc/kernel/process_64.c 2011-03-27 14:31:47.000000000 -0400
4328 +++ linux-2.6.32.43/arch/sparc/kernel/process_64.c 2011-04-17 15:56:46.000000000 -0400
4329 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4330 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4331 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4332 if (regs->tstate & TSTATE_PRIV)
4333 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4334 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4335 }
4336
4337 void show_regs(struct pt_regs *regs)
4338 {
4339 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4340 regs->tpc, regs->tnpc, regs->y, print_tainted());
4341 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4342 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4343 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4344 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4345 regs->u_regs[3]);
4346 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4347 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4348 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4349 regs->u_regs[15]);
4350 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4351 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4352 show_regwindow(regs);
4353 }
4354
4355 @@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4356 ((tp && tp->task) ? tp->task->pid : -1));
4357
4358 if (gp->tstate & TSTATE_PRIV) {
4359 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4360 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4361 (void *) gp->tpc,
4362 (void *) gp->o7,
4363 (void *) gp->i7,
4364 diff -urNp linux-2.6.32.43/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.43/arch/sparc/kernel/sys_sparc_32.c
4365 --- linux-2.6.32.43/arch/sparc/kernel/sys_sparc_32.c 2011-03-27 14:31:47.000000000 -0400
4366 +++ linux-2.6.32.43/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:56:46.000000000 -0400
4367 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4368 if (ARCH_SUN4C && len > 0x20000000)
4369 return -ENOMEM;
4370 if (!addr)
4371 - addr = TASK_UNMAPPED_BASE;
4372 + addr = current->mm->mmap_base;
4373
4374 if (flags & MAP_SHARED)
4375 addr = COLOUR_ALIGN(addr);
4376 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4377 }
4378 if (TASK_SIZE - PAGE_SIZE - len < addr)
4379 return -ENOMEM;
4380 - if (!vmm || addr + len <= vmm->vm_start)
4381 + if (check_heap_stack_gap(vmm, addr, len))
4382 return addr;
4383 addr = vmm->vm_end;
4384 if (flags & MAP_SHARED)
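Review bot: `vmm` is dereferenced on the very next line (`addr = vmm->vm_end;`) whenever check_heap_stack_gap returns false, so the helper has to treat a NULL vma as "fits" exactly as the replaced `!vmm || ...` test did. The helper is defined outside this hunk, so that contract cannot be confirmed here. A comment at the call, such as `/* check_heap_stack_gap() returns true for a NULL vma; vmm is used below */`, would pin it down. The same reliance exists at every converted call in sys_sparc_64.c, including the top-down loop that reads `vma->vm_start` after a failed check. The enclosing loop starts before this hunk.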
4385 diff -urNp linux-2.6.32.43/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.43/arch/sparc/kernel/sys_sparc_64.c
4386 --- linux-2.6.32.43/arch/sparc/kernel/sys_sparc_64.c 2011-03-27 14:31:47.000000000 -0400
4387 +++ linux-2.6.32.43/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:56:46.000000000 -0400
4388 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4389 /* We do not accept a shared mapping if it would violate
4390 * cache aliasing constraints.
4391 */
4392 - if ((flags & MAP_SHARED) &&
4393 + if ((filp || (flags & MAP_SHARED)) &&
4394 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4395 return -EINVAL;
4396 return addr;
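Review bot: The comment above the changed condition still says that a shared mapping is not accepted, but with `filp ||` the test now also rejects any file-backed private mapping whose address and offset disagree modulo SHMLBA. That is a user-visible change in which requests return -EINVAL, and the comment should say so, for example `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. The identical edit in arch_get_unmapped_area_topdown further down leaves the same stale comment. The enclosing `if` begins outside this hunk.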
4397 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4398 if (filp || (flags & MAP_SHARED))
4399 do_color_align = 1;
4400
4401 +#ifdef CONFIG_PAX_RANDMMAP
4402 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4403 +#endif
4404 +
4405 if (addr) {
4406 if (do_color_align)
4407 addr = COLOUR_ALIGN(addr, pgoff);
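Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own: it governs the `if (addr) {` block that follows the `#endif` and a blank line. That is easy to misread and breaks silently if a statement is ever inserted between the two. Dropping the blank line and adding a comment such as `/* with RANDMMAP the caller's address hint is ignored */` directly above the `#ifdef` would make the intent explicit. The `if (addr)` block continues into the next hunk.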
4408 @@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4409 addr = PAGE_ALIGN(addr);
4410
4411 vma = find_vma(mm, addr);
4412 - if (task_size - len >= addr &&
4413 - (!vma || addr + len <= vma->vm_start))
4414 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4415 return addr;
4416 }
4417
4418 if (len > mm->cached_hole_size) {
4419 - start_addr = addr = mm->free_area_cache;
4420 + start_addr = addr = mm->free_area_cache;
4421 } else {
4422 - start_addr = addr = TASK_UNMAPPED_BASE;
4423 + start_addr = addr = mm->mmap_base;
4424 mm->cached_hole_size = 0;
4425 }
4426
4427 @@ -175,14 +178,14 @@ full_search:
4428 vma = find_vma(mm, VA_EXCLUDE_END);
4429 }
4430 if (unlikely(task_size < addr)) {
4431 - if (start_addr != TASK_UNMAPPED_BASE) {
4432 - start_addr = addr = TASK_UNMAPPED_BASE;
4433 + if (start_addr != mm->mmap_base) {
4434 + start_addr = addr = mm->mmap_base;
4435 mm->cached_hole_size = 0;
4436 goto full_search;
4437 }
4438 return -ENOMEM;
4439 }
4440 - if (likely(!vma || addr + len <= vma->vm_start)) {
4441 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4442 /*
4443 * Remember the place where we stopped the search:
4444 */
4445 @@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4446 /* We do not accept a shared mapping if it would violate
4447 * cache aliasing constraints.
4448 */
4449 - if ((flags & MAP_SHARED) &&
4450 + if ((filp || (flags & MAP_SHARED)) &&
4451 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4452 return -EINVAL;
4453 return addr;
4454 @@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4455 addr = PAGE_ALIGN(addr);
4456
4457 vma = find_vma(mm, addr);
4458 - if (task_size - len >= addr &&
4459 - (!vma || addr + len <= vma->vm_start))
4460 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4461 return addr;
4462 }
4463
4464 @@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4465 /* make sure it can fit in the remaining address space */
4466 if (likely(addr > len)) {
4467 vma = find_vma(mm, addr-len);
4468 - if (!vma || addr <= vma->vm_start) {
4469 + if (check_heap_stack_gap(vma, addr - len, len)) {
4470 /* remember the address as a hint for next time */
4471 return (mm->free_area_cache = addr-len);
4472 }
4473 @@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4474 if (unlikely(mm->mmap_base < len))
4475 goto bottomup;
4476
4477 - addr = mm->mmap_base-len;
4478 - if (do_color_align)
4479 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4480 + addr = mm->mmap_base - len;
4481
4482 do {
4483 + if (do_color_align)
4484 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4485 /*
4486 * Lookup failure means no vma is above this address,
4487 * else if new region fits below vma->vm_start,
4488 * return with success:
4489 */
4490 vma = find_vma(mm, addr);
4491 - if (likely(!vma || addr+len <= vma->vm_start)) {
4492 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4493 /* remember the address as a hint for next time */
4494 return (mm->free_area_cache = addr);
4495 }
4496 @@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4497 mm->cached_hole_size = vma->vm_start - addr;
4498
4499 /* try just below the current vma->vm_start */
4500 - addr = vma->vm_start-len;
4501 - if (do_color_align)
4502 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4503 - } while (likely(len < vma->vm_start));
4504 + addr = skip_heap_stack_gap(vma, len);
4505 + } while (!IS_ERR_VALUE(addr));
4506
4507 bottomup:
4508 /*
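Review bot: The loop's exit condition changes from `len < vma->vm_start` to `!IS_ERR_VALUE(addr)`, so termination now depends entirely on skip_heap_stack_gap returning an error-encoded value once no room is left below the vma. That helper is not visible in this patch section. A comment on the `while` line, for example `/* skip_heap_stack_gap() returns -ENOMEM when nothing fits below vma */`, would document what the loop relies on; the exact error value is an assumption to confirm against the helper. The loop body starts in the previous hunk.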
4509 @@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4510 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4511 sysctl_legacy_va_layout) {
4512 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4513 +
4514 +#ifdef CONFIG_PAX_RANDMMAP
4515 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4516 + mm->mmap_base += mm->delta_mmap;
4517 +#endif
4518 +
4519 mm->get_unmapped_area = arch_get_unmapped_area;
4520 mm->unmap_area = arch_unmap_area;
4521 } else {
4522 @@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4523 gap = (task_size / 6 * 5);
4524
4525 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4526 +
4527 +#ifdef CONFIG_PAX_RANDMMAP
4528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4529 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4530 +#endif
4531 +
4532 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4533 mm->unmap_area = arch_unmap_area_topdown;
4534 }
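Review bot: `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` is an unchecked unsigned subtraction applied after the `PAGE_ALIGN(...)` on the line before, and nothing in the hunk bounds the two deltas against the base or re-aligns the result. The deltas are presumably page-aligned and far smaller than the base, but that is set up elsewhere. The existing `random_factor` is also still applied, so two random offsets are combined here and in the legacy branch of the previous hunk. A comment stating whether `random_factor` is expected to be zero under RANDMMAP would settle the question for readers.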
4535 diff -urNp linux-2.6.32.43/arch/sparc/kernel/traps_32.c linux-2.6.32.43/arch/sparc/kernel/traps_32.c
4536 --- linux-2.6.32.43/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
4537 +++ linux-2.6.32.43/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
4538 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
4539 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
4540 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
4541
4542 +extern void gr_handle_kernel_exploit(void);
4543 +
4544 void die_if_kernel(char *str, struct pt_regs *regs)
4545 {
4546 static int die_counter;
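Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in the .c file, and the same line is repeated in traps_64.c, so the prototype is not checked against the definition by any shared header. The calls added in die_if_kernel in both files are also unconditional, which means the symbol must be defined, or stubbed, in every configuration. Moving the declaration to a header that also provides an empty inline when the feature is off would cover both points; whether such a header exists is not visible from these hunks.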
4547 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
4548 count++ < 30 &&
4549 (((unsigned long) rw) >= PAGE_OFFSET) &&
4550 !(((unsigned long) rw) & 0x7)) {
4551 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4552 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4553 (void *) rw->ins[7]);
4554 rw = (struct reg_window32 *)rw->ins[6];
4555 }
4556 }
4557 printk("Instruction DUMP:");
4558 instruction_dump ((unsigned long *) regs->pc);
4559 - if(regs->psr & PSR_PS)
4560 + if(regs->psr & PSR_PS) {
4561 + gr_handle_kernel_exploit();
4562 do_exit(SIGKILL);
4563 + }
4564 do_exit(SIGSEGV);
4565 }
4566
4567 diff -urNp linux-2.6.32.43/arch/sparc/kernel/traps_64.c linux-2.6.32.43/arch/sparc/kernel/traps_64.c
4568 --- linux-2.6.32.43/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
4569 +++ linux-2.6.32.43/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
4570 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4571 i + 1,
4572 p->trapstack[i].tstate, p->trapstack[i].tpc,
4573 p->trapstack[i].tnpc, p->trapstack[i].tt);
4574 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4575 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4576 }
4577 }
4578
4579 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4580
4581 lvl -= 0x100;
4582 if (regs->tstate & TSTATE_PRIV) {
4583 +
4584 +#ifdef CONFIG_PAX_REFCOUNT
4585 + if (lvl == 6)
4586 + pax_report_refcount_overflow(regs);
4587 +#endif
4588 +
4589 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4590 die_if_kernel(buffer, regs);
4591 }
4592 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4593 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4594 {
4595 char buffer[32];
4596 -
4597 +
4598 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4599 0, lvl, SIGTRAP) == NOTIFY_STOP)
4600 return;
4601
4602 +#ifdef CONFIG_PAX_REFCOUNT
4603 + if (lvl == 6)
4604 + pax_report_refcount_overflow(regs);
4605 +#endif
4606 +
4607 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4608
4609 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
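Review bot: `buffer` in bad_trap_tl1 is 32 bytes, and the unchanged `sprintf (buffer, "Bad trap %lx at tl>0", lvl);` at the end of this hunk needs up to 34 bytes when `lvl` prints as sixteen hex digits. Trap levels are presumably small in practice, but since the function is being edited anyway the call is worth bounding with `snprintf(buffer, sizeof(buffer), "Bad trap %lx at tl>0", lvl);`. The new refcount report also falls through to the existing dump and die path with no comment saying whether pax_report_refcount_overflow is expected to return. The function body continues past this hunk.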
4610 @@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4611 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4612 printk("%s" "ERROR(%d): ",
4613 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4614 - printk("TPC<%pS>\n", (void *) regs->tpc);
4615 + printk("TPC<%pA>\n", (void *) regs->tpc);
4616 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4617 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4618 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4619 @@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4620 smp_processor_id(),
4621 (type & 0x1) ? 'I' : 'D',
4622 regs->tpc);
4623 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4624 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4625 panic("Irrecoverable Cheetah+ parity error.");
4626 }
4627
4628 @@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4629 smp_processor_id(),
4630 (type & 0x1) ? 'I' : 'D',
4631 regs->tpc);
4632 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4633 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4634 }
4635
4636 struct sun4v_error_entry {
4637 @@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4638
4639 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4640 regs->tpc, tl);
4641 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4642 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4643 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4644 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4645 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4646 (void *) regs->u_regs[UREG_I7]);
4647 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4648 "pte[%lx] error[%lx]\n",
4649 @@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4650
4651 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4652 regs->tpc, tl);
4653 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4654 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4655 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4656 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4657 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4658 (void *) regs->u_regs[UREG_I7]);
4659 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4660 "pte[%lx] error[%lx]\n",
4661 @@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4662 fp = (unsigned long)sf->fp + STACK_BIAS;
4663 }
4664
4665 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4666 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4667 } while (++count < 16);
4668 }
4669
4670 @@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4671 return (struct reg_window *) (fp + STACK_BIAS);
4672 }
4673
4674 +extern void gr_handle_kernel_exploit(void);
4675 +
4676 void die_if_kernel(char *str, struct pt_regs *regs)
4677 {
4678 static int die_counter;
4679 @@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4680 while (rw &&
4681 count++ < 30&&
4682 is_kernel_stack(current, rw)) {
4683 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4684 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4685 (void *) rw->ins[7]);
4686
4687 rw = kernel_stack_up(rw);
4688 @@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4689 }
4690 user_instruction_dump ((unsigned int __user *) regs->tpc);
4691 }
4692 - if (regs->tstate & TSTATE_PRIV)
4693 + if (regs->tstate & TSTATE_PRIV) {
4694 + gr_handle_kernel_exploit();
4695 do_exit(SIGKILL);
4696 + }
4697 +
4698 do_exit(SIGSEGV);
4699 }
4700 EXPORT_SYMBOL(die_if_kernel);
4701 diff -urNp linux-2.6.32.43/arch/sparc/kernel/una_asm_64.S linux-2.6.32.43/arch/sparc/kernel/una_asm_64.S
4702 --- linux-2.6.32.43/arch/sparc/kernel/una_asm_64.S 2011-03-27 14:31:47.000000000 -0400
4703 +++ linux-2.6.32.43/arch/sparc/kernel/una_asm_64.S 2011-07-13 22:20:05.000000000 -0400
4704 @@ -127,7 +127,7 @@ do_int_load:
4705 wr %o5, 0x0, %asi
4706 retl
4707 mov 0, %o0
4708 - .size __do_int_load, .-__do_int_load
4709 + .size do_int_load, .-do_int_load
4710
4711 .section __ex_table,"a"
4712 .word 4b, __retl_efault
4713 diff -urNp linux-2.6.32.43/arch/sparc/kernel/unaligned_64.c linux-2.6.32.43/arch/sparc/kernel/unaligned_64.c
4714 --- linux-2.6.32.43/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
4715 +++ linux-2.6.32.43/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
4716 @@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4717 if (count < 5) {
4718 last_time = jiffies;
4719 count++;
4720 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4721 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4722 regs->tpc, (void *) regs->tpc);
4723 }
4724 }
4725 diff -urNp linux-2.6.32.43/arch/sparc/lib/atomic_64.S linux-2.6.32.43/arch/sparc/lib/atomic_64.S
4726 --- linux-2.6.32.43/arch/sparc/lib/atomic_64.S 2011-03-27 14:31:47.000000000 -0400
4727 +++ linux-2.6.32.43/arch/sparc/lib/atomic_64.S 2011-04-17 15:56:46.000000000 -0400
4728 @@ -18,7 +18,12 @@
4729 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4730 BACKOFF_SETUP(%o2)
4731 1: lduw [%o1], %g1
4732 - add %g1, %o0, %g7
4733 + addcc %g1, %o0, %g7
4734 +
4735 +#ifdef CONFIG_PAX_REFCOUNT
4736 + tvs %icc, 6
4737 +#endif
4738 +
4739 cas [%o1], %g1, %g7
4740 cmp %g1, %g7
4741 bne,pn %icc, 2f
4742 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4743 2: BACKOFF_SPIN(%o2, %o3, 1b)
4744 .size atomic_add, .-atomic_add
4745
4746 + .globl atomic_add_unchecked
4747 + .type atomic_add_unchecked,#function
4748 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4749 + BACKOFF_SETUP(%o2)
4750 +1: lduw [%o1], %g1
4751 + add %g1, %o0, %g7
4752 + cas [%o1], %g1, %g7
4753 + cmp %g1, %g7
4754 + bne,pn %icc, 2f
4755 + nop
4756 + retl
4757 + nop
4758 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4759 + .size atomic_add_unchecked, .-atomic_add_unchecked
4760 +
4761 .globl atomic_sub
4762 .type atomic_sub,#function
4763 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4764 BACKOFF_SETUP(%o2)
4765 1: lduw [%o1], %g1
4766 - sub %g1, %o0, %g7
4767 + subcc %g1, %o0, %g7
4768 +
4769 +#ifdef CONFIG_PAX_REFCOUNT
4770 + tvs %icc, 6
4771 +#endif
4772 +
4773 cas [%o1], %g1, %g7
4774 cmp %g1, %g7
4775 bne,pn %icc, 2f
4776 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4777 2: BACKOFF_SPIN(%o2, %o3, 1b)
4778 .size atomic_sub, .-atomic_sub
4779
4780 + .globl atomic_sub_unchecked
4781 + .type atomic_sub_unchecked,#function
4782 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4783 + BACKOFF_SETUP(%o2)
4784 +1: lduw [%o1], %g1
4785 + sub %g1, %o0, %g7
4786 + cas [%o1], %g1, %g7
4787 + cmp %g1, %g7
4788 + bne,pn %icc, 2f
4789 + nop
4790 + retl
4791 + nop
4792 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4793 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4794 +
4795 .globl atomic_add_ret
4796 .type atomic_add_ret,#function
4797 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4798 BACKOFF_SETUP(%o2)
4799 1: lduw [%o1], %g1
4800 - add %g1, %o0, %g7
4801 + addcc %g1, %o0, %g7
4802 +
4803 +#ifdef CONFIG_PAX_REFCOUNT
4804 + tvs %icc, 6
4805 +#endif
4806 +
4807 cas [%o1], %g1, %g7
4808 cmp %g1, %g7
4809 bne,pn %icc, 2f
4810 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4811 2: BACKOFF_SPIN(%o2, %o3, 1b)
4812 .size atomic_add_ret, .-atomic_add_ret
4813
4814 + .globl atomic_add_ret_unchecked
4815 + .type atomic_add_ret_unchecked,#function
4816 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4817 + BACKOFF_SETUP(%o2)
4818 +1: lduw [%o1], %g1
4819 + addcc %g1, %o0, %g7
4820 + cas [%o1], %g1, %g7
4821 + cmp %g1, %g7
4822 + bne,pn %icc, 2f
4823 + add %g7, %o0, %g7
4824 + sra %g7, 0, %o0
4825 + retl
4826 + nop
4827 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4828 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4829 +
4830 .globl atomic_sub_ret
4831 .type atomic_sub_ret,#function
4832 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4833 BACKOFF_SETUP(%o2)
4834 1: lduw [%o1], %g1
4835 - sub %g1, %o0, %g7
4836 + subcc %g1, %o0, %g7
4837 +
4838 +#ifdef CONFIG_PAX_REFCOUNT
4839 + tvs %icc, 6
4840 +#endif
4841 +
4842 cas [%o1], %g1, %g7
4843 cmp %g1, %g7
4844 bne,pn %icc, 2f
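Review bot: `atomic_add_ret_unchecked` computes the sum with `addcc` although nothing in the unchecked variant reads the condition codes before the following `cmp` overwrites them, while `atomic_sub_unchecked` in the previous hunk uses plain `sub`. Using `add %g1, %o0, %g7` here would make it obvious at a glance which routines carry the overflow trap and which deliberately do not. The same leftover appears in `atomic64_add_unchecked`, `atomic64_sub_unchecked` (`subcc`) and `atomic64_add_ret_unchecked` in the later hunks of this file.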
4845 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4846 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4847 BACKOFF_SETUP(%o2)
4848 1: ldx [%o1], %g1
4849 - add %g1, %o0, %g7
4850 + addcc %g1, %o0, %g7
4851 +
4852 +#ifdef CONFIG_PAX_REFCOUNT
4853 + tvs %xcc, 6
4854 +#endif
4855 +
4856 casx [%o1], %g1, %g7
4857 cmp %g1, %g7
4858 bne,pn %xcc, 2f
4859 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4860 2: BACKOFF_SPIN(%o2, %o3, 1b)
4861 .size atomic64_add, .-atomic64_add
4862
4863 + .globl atomic64_add_unchecked
4864 + .type atomic64_add_unchecked,#function
4865 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4866 + BACKOFF_SETUP(%o2)
4867 +1: ldx [%o1], %g1
4868 + addcc %g1, %o0, %g7
4869 + casx [%o1], %g1, %g7
4870 + cmp %g1, %g7
4871 + bne,pn %xcc, 2f
4872 + nop
4873 + retl
4874 + nop
4875 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4876 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4877 +
4878 .globl atomic64_sub
4879 .type atomic64_sub,#function
4880 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4881 BACKOFF_SETUP(%o2)
4882 1: ldx [%o1], %g1
4883 - sub %g1, %o0, %g7
4884 + subcc %g1, %o0, %g7
4885 +
4886 +#ifdef CONFIG_PAX_REFCOUNT
4887 + tvs %xcc, 6
4888 +#endif
4889 +
4890 casx [%o1], %g1, %g7
4891 cmp %g1, %g7
4892 bne,pn %xcc, 2f
4893 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4894 2: BACKOFF_SPIN(%o2, %o3, 1b)
4895 .size atomic64_sub, .-atomic64_sub
4896
4897 + .globl atomic64_sub_unchecked
4898 + .type atomic64_sub_unchecked,#function
4899 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4900 + BACKOFF_SETUP(%o2)
4901 +1: ldx [%o1], %g1
4902 + subcc %g1, %o0, %g7
4903 + casx [%o1], %g1, %g7
4904 + cmp %g1, %g7
4905 + bne,pn %xcc, 2f
4906 + nop
4907 + retl
4908 + nop
4909 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4910 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4911 +
4912 .globl atomic64_add_ret
4913 .type atomic64_add_ret,#function
4914 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4915 BACKOFF_SETUP(%o2)
4916 1: ldx [%o1], %g1
4917 - add %g1, %o0, %g7
4918 + addcc %g1, %o0, %g7
4919 +
4920 +#ifdef CONFIG_PAX_REFCOUNT
4921 + tvs %xcc, 6
4922 +#endif
4923 +
4924 casx [%o1], %g1, %g7
4925 cmp %g1, %g7
4926 bne,pn %xcc, 2f
4927 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4928 2: BACKOFF_SPIN(%o2, %o3, 1b)
4929 .size atomic64_add_ret, .-atomic64_add_ret
4930
4931 + .globl atomic64_add_ret_unchecked
4932 + .type atomic64_add_ret_unchecked,#function
4933 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4934 + BACKOFF_SETUP(%o2)
4935 +1: ldx [%o1], %g1
4936 + addcc %g1, %o0, %g7
4937 + casx [%o1], %g1, %g7
4938 + cmp %g1, %g7
4939 + bne,pn %xcc, 2f
4940 + add %g7, %o0, %g7
4941 + mov %g7, %o0
4942 + retl
4943 + nop
4944 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4945 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4946 +
4947 .globl atomic64_sub_ret
4948 .type atomic64_sub_ret,#function
4949 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4950 BACKOFF_SETUP(%o2)
4951 1: ldx [%o1], %g1
4952 - sub %g1, %o0, %g7
4953 + subcc %g1, %o0, %g7
4954 +
4955 +#ifdef CONFIG_PAX_REFCOUNT
4956 + tvs %xcc, 6
4957 +#endif
4958 +
4959 casx [%o1], %g1, %g7
4960 cmp %g1, %g7
4961 bne,pn %xcc, 2f
4962 diff -urNp linux-2.6.32.43/arch/sparc/lib/ksyms.c linux-2.6.32.43/arch/sparc/lib/ksyms.c
4963 --- linux-2.6.32.43/arch/sparc/lib/ksyms.c 2011-03-27 14:31:47.000000000 -0400
4964 +++ linux-2.6.32.43/arch/sparc/lib/ksyms.c 2011-04-17 15:56:46.000000000 -0400
4965 @@ -144,12 +144,17 @@ EXPORT_SYMBOL(__downgrade_write);
4966
4967 /* Atomic counter implementation. */
4968 EXPORT_SYMBOL(atomic_add);
4969 +EXPORT_SYMBOL(atomic_add_unchecked);
4970 EXPORT_SYMBOL(atomic_add_ret);
4971 EXPORT_SYMBOL(atomic_sub);
4972 +EXPORT_SYMBOL(atomic_sub_unchecked);
4973 EXPORT_SYMBOL(atomic_sub_ret);
4974 EXPORT_SYMBOL(atomic64_add);
4975 +EXPORT_SYMBOL(atomic64_add_unchecked);
4976 EXPORT_SYMBOL(atomic64_add_ret);
4977 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4978 EXPORT_SYMBOL(atomic64_sub);
4979 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4980 EXPORT_SYMBOL(atomic64_sub_ret);
4981
4982 /* Atomic bit operations. */
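Review bot: `atomic_add_ret_unchecked` is missing from this export list, although arch/sparc/lib/atomic_64.S in the same patch defines it `.globl` next to the other `_unchecked` routines that do get an `EXPORT_SYMBOL` here. If modular code can reach it (the header that maps the C-level helpers onto these symbols is not visible in this part of the patch), such a module would fail to load with an unresolved symbol. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` keeps the list consistent with the assembly file.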
4983 diff -urNp linux-2.6.32.43/arch/sparc/lib/Makefile linux-2.6.32.43/arch/sparc/lib/Makefile
4984 --- linux-2.6.32.43/arch/sparc/lib/Makefile 2011-03-27 14:31:47.000000000 -0400
4985 +++ linux-2.6.32.43/arch/sparc/lib/Makefile 2011-05-17 19:26:34.000000000 -0400
4986 @@ -2,7 +2,7 @@
4987 #
4988
4989 asflags-y := -ansi -DST_DIV0=0x02
4990 -ccflags-y := -Werror
4991 +#ccflags-y := -Werror
4992
4993 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4994 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
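Review bot: `#ccflags-y := -Werror` leaves the flag behind as commented-out code with no reason given, so warnings in arch/sparc/lib stop failing the build and a later reader cannot tell which warning made this necessary. Either delete the line outright or keep it with an explanatory comment above it naming the warning that the patched sources trigger.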
4995 diff -urNp linux-2.6.32.43/arch/sparc/lib/rwsem_64.S linux-2.6.32.43/arch/sparc/lib/rwsem_64.S
4996 --- linux-2.6.32.43/arch/sparc/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
4997 +++ linux-2.6.32.43/arch/sparc/lib/rwsem_64.S 2011-04-17 15:56:46.000000000 -0400
4998 @@ -11,7 +11,12 @@
4999 .globl __down_read
5000 __down_read:
5001 1: lduw [%o0], %g1
5002 - add %g1, 1, %g7
5003 + addcc %g1, 1, %g7
5004 +
5005 +#ifdef CONFIG_PAX_REFCOUNT
5006 + tvs %icc, 6
5007 +#endif
5008 +
5009 cas [%o0], %g1, %g7
5010 cmp %g1, %g7
5011 bne,pn %icc, 1b
5012 @@ -33,7 +38,12 @@ __down_read:
5013 .globl __down_read_trylock
5014 __down_read_trylock:
5015 1: lduw [%o0], %g1
5016 - add %g1, 1, %g7
5017 + addcc %g1, 1, %g7
5018 +
5019 +#ifdef CONFIG_PAX_REFCOUNT
5020 + tvs %icc, 6
5021 +#endif
5022 +
5023 cmp %g7, 0
5024 bl,pn %icc, 2f
5025 mov 0, %o1
5026 @@ -51,7 +61,12 @@ __down_write:
5027 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5028 1:
5029 lduw [%o0], %g3
5030 - add %g3, %g1, %g7
5031 + addcc %g3, %g1, %g7
5032 +
5033 +#ifdef CONFIG_PAX_REFCOUNT
5034 + tvs %icc, 6
5035 +#endif
5036 +
5037 cas [%o0], %g3, %g7
5038 cmp %g3, %g7
5039 bne,pn %icc, 1b
5040 @@ -77,7 +92,12 @@ __down_write_trylock:
5041 cmp %g3, 0
5042 bne,pn %icc, 2f
5043 mov 0, %o1
5044 - add %g3, %g1, %g7
5045 + addcc %g3, %g1, %g7
5046 +
5047 +#ifdef CONFIG_PAX_REFCOUNT
5048 + tvs %icc, 6
5049 +#endif
5050 +
5051 cas [%o0], %g3, %g7
5052 cmp %g3, %g7
5053 bne,pn %icc, 1b
5054 @@ -90,7 +110,12 @@ __down_write_trylock:
5055 __up_read:
5056 1:
5057 lduw [%o0], %g1
5058 - sub %g1, 1, %g7
5059 + subcc %g1, 1, %g7
5060 +
5061 +#ifdef CONFIG_PAX_REFCOUNT
5062 + tvs %icc, 6
5063 +#endif
5064 +
5065 cas [%o0], %g1, %g7
5066 cmp %g1, %g7
5067 bne,pn %icc, 1b
5068 @@ -118,7 +143,12 @@ __up_write:
5069 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5070 1:
5071 lduw [%o0], %g3
5072 - sub %g3, %g1, %g7
5073 + subcc %g3, %g1, %g7
5074 +
5075 +#ifdef CONFIG_PAX_REFCOUNT
5076 + tvs %icc, 6
5077 +#endif
5078 +
5079 cas [%o0], %g3, %g7
5080 cmp %g3, %g7
5081 bne,pn %icc, 1b
5082 @@ -143,7 +173,12 @@ __downgrade_write:
5083 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5084 1:
5085 lduw [%o0], %g3
5086 - sub %g3, %g1, %g7
5087 + subcc %g3, %g1, %g7
5088 +
5089 +#ifdef CONFIG_PAX_REFCOUNT
5090 + tvs %icc, 6
5091 +#endif
5092 +
5093 cas [%o0], %g3, %g7
5094 cmp %g3, %g7
5095 bne,pn %icc, 1b
5096 diff -urNp linux-2.6.32.43/arch/sparc/Makefile linux-2.6.32.43/arch/sparc/Makefile
5097 --- linux-2.6.32.43/arch/sparc/Makefile 2011-03-27 14:31:47.000000000 -0400
5098 +++ linux-2.6.32.43/arch/sparc/Makefile 2011-04-17 15:56:46.000000000 -0400
5099 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5100 # Export what is needed by arch/sparc/boot/Makefile
5101 export VMLINUX_INIT VMLINUX_MAIN
5102 VMLINUX_INIT := $(head-y) $(init-y)
5103 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
5104 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
5105 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
5106 VMLINUX_MAIN += $(drivers-y) $(net-y)
5107
5108 diff -urNp linux-2.6.32.43/arch/sparc/mm/fault_32.c linux-2.6.32.43/arch/sparc/mm/fault_32.c
5109 --- linux-2.6.32.43/arch/sparc/mm/fault_32.c 2011-03-27 14:31:47.000000000 -0400
5110 +++ linux-2.6.32.43/arch/sparc/mm/fault_32.c 2011-04-17 15:56:46.000000000 -0400
5111 @@ -21,6 +21,9 @@
5112 #include <linux/interrupt.h>
5113 #include <linux/module.h>
5114 #include <linux/kdebug.h>
5115 +#include <linux/slab.h>
5116 +#include <linux/pagemap.h>
5117 +#include <linux/compiler.h>
5118
5119 #include <asm/system.h>
5120 #include <asm/page.h>
5121 @@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5122 return safe_compute_effective_address(regs, insn);
5123 }
5124
5125 +#ifdef CONFIG_PAX_PAGEEXEC
5126 +#ifdef CONFIG_PAX_DLRESOLVE
5127 +static void pax_emuplt_close(struct vm_area_struct *vma)
5128 +{
5129 + vma->vm_mm->call_dl_resolve = 0UL;
5130 +}
5131 +
5132 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5133 +{
5134 + unsigned int *kaddr;
5135 +
5136 + vmf->page = alloc_page(GFP_HIGHUSER);
5137 + if (!vmf->page)
5138 + return VM_FAULT_OOM;
5139 +
5140 + kaddr = kmap(vmf->page);
5141 + memset(kaddr, 0, PAGE_SIZE);
5142 + kaddr[0] = 0x9DE3BFA8U; /* save */
5143 + flush_dcache_page(vmf->page);
5144 + kunmap(vmf->page);
5145 + return VM_FAULT_MAJOR;
5146 +}
5147 +
5148 +static const struct vm_operations_struct pax_vm_ops = {
5149 + .close = pax_emuplt_close,
5150 + .fault = pax_emuplt_fault
5151 +};
5152 +
5153 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5154 +{
5155 + int ret;
5156 +
5157 + vma->vm_mm = current->mm;
5158 + vma->vm_start = addr;
5159 + vma->vm_end = addr + PAGE_SIZE;
5160 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5161 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5162 + vma->vm_ops = &pax_vm_ops;
5163 +
5164 + ret = insert_vm_struct(current->mm, vma);
5165 + if (ret)
5166 + return ret;
5167 +
5168 + ++current->mm->total_vm;
5169 + return 0;
5170 +}
5171 +#endif
5172 +
5173 +/*
5174 + * PaX: decide what to do with offenders (regs->pc = fault address)
5175 + *
5176 + * returns 1 when task should be killed
5177 + * 2 when patched PLT trampoline was detected
5178 + * 3 when unpatched PLT trampoline was detected
5179 + */
5180 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5181 +{
5182 +
5183 +#ifdef CONFIG_PAX_EMUPLT
5184 + int err;
5185 +
5186 + do { /* PaX: patched PLT emulation #1 */
5187 + unsigned int sethi1, sethi2, jmpl;
5188 +
5189 + err = get_user(sethi1, (unsigned int *)regs->pc);
5190 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5191 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5192 +
5193 + if (err)
5194 + break;
5195 +
5196 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5197 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5198 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5199 + {
5200 + unsigned int addr;
5201 +
5202 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5203 + addr = regs->u_regs[UREG_G1];
5204 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5205 + regs->pc = addr;
5206 + regs->npc = addr+4;
5207 + return 2;
5208 + }
5209 + } while (0);
5210 +
5211 + { /* PaX: patched PLT emulation #2 */
5212 + unsigned int ba;
5213 +
5214 + err = get_user(ba, (unsigned int *)regs->pc);
5215 +
5216 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5217 + unsigned int addr;
5218 +
5219 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5220 + regs->pc = addr;
5221 + regs->npc = addr+4;
5222 + return 2;
5223 + }
5224 + }
5225 +
5226 + do { /* PaX: patched PLT emulation #3 */
5227 + unsigned int sethi, jmpl, nop;
5228 +
5229 + err = get_user(sethi, (unsigned int *)regs->pc);
5230 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5231 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5232 +
5233 + if (err)
5234 + break;
5235 +
5236 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5237 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5238 + nop == 0x01000000U)
5239 + {
5240 + unsigned int addr;
5241 +
5242 + addr = (sethi & 0x003FFFFFU) << 10;
5243 + regs->u_regs[UREG_G1] = addr;
5244 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5245 + regs->pc = addr;
5246 + regs->npc = addr+4;
5247 + return 2;
5248 + }
5249 + } while (0);
5250 +
5251 + do { /* PaX: unpatched PLT emulation step 1 */
5252 + unsigned int sethi, ba, nop;
5253 +
5254 + err = get_user(sethi, (unsigned int *)regs->pc);
5255 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5256 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5257 +
5258 + if (err)
5259 + break;
5260 +
5261 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5262 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5263 + nop == 0x01000000U)
5264 + {
5265 + unsigned int addr, save, call;
5266 +
5267 + if ((ba & 0xFFC00000U) == 0x30800000U)
5268 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5269 + else
5270 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5271 +
5272 + err = get_user(save, (unsigned int *)addr);
5273 + err |= get_user(call, (unsigned int *)(addr+4));
5274 + err |= get_user(nop, (unsigned int *)(addr+8));
5275 + if (err)
5276 + break;
5277 +
5278 +#ifdef CONFIG_PAX_DLRESOLVE
5279 + if (save == 0x9DE3BFA8U &&
5280 + (call & 0xC0000000U) == 0x40000000U &&
5281 + nop == 0x01000000U)
5282 + {
5283 + struct vm_area_struct *vma;
5284 + unsigned long call_dl_resolve;
5285 +
5286 + down_read(&current->mm->mmap_sem);
5287 + call_dl_resolve = current->mm->call_dl_resolve;
5288 + up_read(&current->mm->mmap_sem);
5289 + if (likely(call_dl_resolve))
5290 + goto emulate;
5291 +
5292 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5293 +
5294 + down_write(&current->mm->mmap_sem);
5295 + if (current->mm->call_dl_resolve) {
5296 + call_dl_resolve = current->mm->call_dl_resolve;
5297 + up_write(&current->mm->mmap_sem);
5298 + if (vma)
5299 + kmem_cache_free(vm_area_cachep, vma);
5300 + goto emulate;
5301 + }
5302 +
5303 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5304 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5305 + up_write(&current->mm->mmap_sem);
5306 + if (vma)
5307 + kmem_cache_free(vm_area_cachep, vma);
5308 + return 1;
5309 + }
5310 +
5311 + if (pax_insert_vma(vma, call_dl_resolve)) {
5312 + up_write(&current->mm->mmap_sem);
5313 + kmem_cache_free(vm_area_cachep, vma);
5314 + return 1;
5315 + }
5316 +
5317 + current->mm->call_dl_resolve = call_dl_resolve;
5318 + up_write(&current->mm->mmap_sem);
5319 +
5320 +emulate:
5321 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5322 + regs->pc = call_dl_resolve;
5323 + regs->npc = addr+4;
5324 + return 3;
5325 + }
5326 +#endif
5327 +
5328 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5329 + if ((save & 0xFFC00000U) == 0x05000000U &&
5330 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5331 + nop == 0x01000000U)
5332 + {
5333 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5334 + regs->u_regs[UREG_G2] = addr + 4;
5335 + addr = (save & 0x003FFFFFU) << 10;
5336 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5337 + regs->pc = addr;
5338 + regs->npc = addr+4;
5339 + return 3;
5340 + }
5341 + }
5342 + } while (0);
5343 +
5344 + do { /* PaX: unpatched PLT emulation step 2 */
5345 + unsigned int save, call, nop;
5346 +
5347 + err = get_user(save, (unsigned int *)(regs->pc-4));
5348 + err |= get_user(call, (unsigned int *)regs->pc);
5349 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5350 + if (err)
5351 + break;
5352 +
5353 + if (save == 0x9DE3BFA8U &&
5354 + (call & 0xC0000000U) == 0x40000000U &&
5355 + nop == 0x01000000U)
5356 + {
5357 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5358 +
5359 + regs->u_regs[UREG_RETPC] = regs->pc;
5360 + regs->pc = dl_resolve;
5361 + regs->npc = dl_resolve+4;
5362 + return 3;
5363 + }
5364 + } while (0);
5365 +#endif
5366 +
5367 + return 1;
5368 +}
5369 +
5370 +void pax_report_insns(void *pc, void *sp)
5371 +{
5372 + unsigned long i;
5373 +
5374 + printk(KERN_ERR "PAX: bytes at PC: ");
5375 + for (i = 0; i < 8; i++) {
5376 + unsigned int c;
5377 + if (get_user(c, (unsigned int *)pc+i))
5378 + printk(KERN_CONT "???????? ");
5379 + else
5380 + printk(KERN_CONT "%08x ", c);
5381 + }
5382 + printk("\n");
5383 +}
5384 +#endif
5385 +
5386 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5387 unsigned long address)
5388 {
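Review bot: The "unpatched PLT emulation step 2" block in pax_handle_fetch_fault is compiled whenever CONFIG_PAX_EMUPLT is set, whereas the same block in arch/sparc/mm/fault_64.c is wrapped in `#ifdef CONFIG_PAX_DLRESOLVE`. In the visible code the only path that leaves `npc` pointing at a `call` that follows a `save` is the `emulate:` label inside the CONFIG_PAX_DLRESOLVE part of step 1, so without that option step 2 appears only to widen the set of instruction patterns in non-executable memory that the handler emulates instead of killing the task. Wrapping the block in `#ifdef CONFIG_PAX_DLRESOLVE` / `#endif`, as fault_64.c does, would keep the two files consistent and the accepted patterns minimal. do_sparc_fault, whose opening lines close this hunk, continues outside it.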
5389 @@ -231,6 +495,24 @@ good_area:
5390 if(!(vma->vm_flags & VM_WRITE))
5391 goto bad_area;
5392 } else {
5393 +
5394 +#ifdef CONFIG_PAX_PAGEEXEC
5395 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5396 + up_read(&mm->mmap_sem);
5397 + switch (pax_handle_fetch_fault(regs)) {
5398 +
5399 +#ifdef CONFIG_PAX_EMUPLT
5400 + case 2:
5401 + case 3:
5402 + return;
5403 +#endif
5404 +
5405 + }
5406 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5407 + do_group_exit(SIGKILL);
5408 + }
5409 +#endif
5410 +
5411 /* Allow reads even for write-only mappings */
5412 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5413 goto bad_area;
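Review bot: The `switch (pax_handle_fetch_fault(regs))` dispatches on the bare values `2` and `3` and has no `default`, so with CONFIG_PAX_EMUPLT disabled the switch body is empty and the reader has to find the helper's header comment to learn that every other value means kill. A comment on the switch, `/* 2, 3: PLT trampoline emulated, resume userland; anything else: report and kill */`, plus `default: break;`, would make the fall-through to `pax_report_fault()` and `do_group_exit(SIGKILL)` explicit. The same construct appears in the do_sparc64_fault hunk of arch/sparc/mm/fault_64.c. do_sparc_fault starts and ends outside this hunk.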
5414 diff -urNp linux-2.6.32.43/arch/sparc/mm/fault_64.c linux-2.6.32.43/arch/sparc/mm/fault_64.c
5415 --- linux-2.6.32.43/arch/sparc/mm/fault_64.c 2011-03-27 14:31:47.000000000 -0400
5416 +++ linux-2.6.32.43/arch/sparc/mm/fault_64.c 2011-04-17 15:56:46.000000000 -0400
5417 @@ -20,6 +20,9 @@
5418 #include <linux/kprobes.h>
5419 #include <linux/kdebug.h>
5420 #include <linux/percpu.h>
5421 +#include <linux/slab.h>
5422 +#include <linux/pagemap.h>
5423 +#include <linux/compiler.h>
5424
5425 #include <asm/page.h>
5426 #include <asm/pgtable.h>
5427 @@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5428 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5429 regs->tpc);
5430 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5431 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5432 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5433 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5434 dump_stack();
5435 unhandled_fault(regs->tpc, current, regs);
5436 @@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5437 show_regs(regs);
5438 }
5439
5440 +#ifdef CONFIG_PAX_PAGEEXEC
5441 +#ifdef CONFIG_PAX_DLRESOLVE
5442 +static void pax_emuplt_close(struct vm_area_struct *vma)
5443 +{
5444 + vma->vm_mm->call_dl_resolve = 0UL;
5445 +}
5446 +
5447 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5448 +{
5449 + unsigned int *kaddr;
5450 +
5451 + vmf->page = alloc_page(GFP_HIGHUSER);
5452 + if (!vmf->page)
5453 + return VM_FAULT_OOM;
5454 +
5455 + kaddr = kmap(vmf->page);
5456 + memset(kaddr, 0, PAGE_SIZE);
5457 + kaddr[0] = 0x9DE3BFA8U; /* save */
5458 + flush_dcache_page(vmf->page);
5459 + kunmap(vmf->page);
5460 + return VM_FAULT_MAJOR;
5461 +}
5462 +
5463 +static const struct vm_operations_struct pax_vm_ops = {
5464 + .close = pax_emuplt_close,
5465 + .fault = pax_emuplt_fault
5466 +};
5467 +
5468 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5469 +{
5470 + int ret;
5471 +
5472 + vma->vm_mm = current->mm;
5473 + vma->vm_start = addr;
5474 + vma->vm_end = addr + PAGE_SIZE;
5475 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5476 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5477 + vma->vm_ops = &pax_vm_ops;
5478 +
5479 + ret = insert_vm_struct(current->mm, vma);
5480 + if (ret)
5481 + return ret;
5482 +
5483 + ++current->mm->total_vm;
5484 + return 0;
5485 +}
5486 +#endif
5487 +
5488 +/*
5489 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5490 + *
5491 + * returns 1 when task should be killed
5492 + * 2 when patched PLT trampoline was detected
5493 + * 3 when unpatched PLT trampoline was detected
5494 + */
5495 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5496 +{
5497 +
5498 +#ifdef CONFIG_PAX_EMUPLT
5499 + int err;
5500 +
5501 + do { /* PaX: patched PLT emulation #1 */
5502 + unsigned int sethi1, sethi2, jmpl;
5503 +
5504 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5505 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5506 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5507 +
5508 + if (err)
5509 + break;
5510 +
5511 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5512 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5513 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5514 + {
5515 + unsigned long addr;
5516 +
5517 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5518 + addr = regs->u_regs[UREG_G1];
5519 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5520 +
5521 + if (test_thread_flag(TIF_32BIT))
5522 + addr &= 0xFFFFFFFFUL;
5523 +
5524 + regs->tpc = addr;
5525 + regs->tnpc = addr+4;
5526 + return 2;
5527 + }
5528 + } while (0);
5529 +
5530 + { /* PaX: patched PLT emulation #2 */
5531 + unsigned int ba;
5532 +
5533 + err = get_user(ba, (unsigned int *)regs->tpc);
5534 +
5535 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5536 + unsigned long addr;
5537 +
5538 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5539 +
5540 + if (test_thread_flag(TIF_32BIT))
5541 + addr &= 0xFFFFFFFFUL;
5542 +
5543 + regs->tpc = addr;
5544 + regs->tnpc = addr+4;
5545 + return 2;
5546 + }
5547 + }
5548 +
5549 + do { /* PaX: patched PLT emulation #3 */
5550 + unsigned int sethi, jmpl, nop;
5551 +
5552 + err = get_user(sethi, (unsigned int *)regs->tpc);
5553 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5554 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5555 +
5556 + if (err)
5557 + break;
5558 +
5559 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5560 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5561 + nop == 0x01000000U)
5562 + {
5563 + unsigned long addr;
5564 +
5565 + addr = (sethi & 0x003FFFFFU) << 10;
5566 + regs->u_regs[UREG_G1] = addr;
5567 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5568 +
5569 + if (test_thread_flag(TIF_32BIT))
5570 + addr &= 0xFFFFFFFFUL;
5571 +
5572 + regs->tpc = addr;
5573 + regs->tnpc = addr+4;
5574 + return 2;
5575 + }
5576 + } while (0);
5577 +
5578 + do { /* PaX: patched PLT emulation #4 */
5579 + unsigned int sethi, mov1, call, mov2;
5580 +
5581 + err = get_user(sethi, (unsigned int *)regs->tpc);
5582 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5583 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5584 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5585 +
5586 + if (err)
5587 + break;
5588 +
5589 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5590 + mov1 == 0x8210000FU &&
5591 + (call & 0xC0000000U) == 0x40000000U &&
5592 + mov2 == 0x9E100001U)
5593 + {
5594 + unsigned long addr;
5595 +
5596 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5597 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5598 +
5599 + if (test_thread_flag(TIF_32BIT))
5600 + addr &= 0xFFFFFFFFUL;
5601 +
5602 + regs->tpc = addr;
5603 + regs->tnpc = addr+4;
5604 + return 2;
5605 + }
5606 + } while (0);
5607 +
5608 + do { /* PaX: patched PLT emulation #5 */
5609 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5610 +
5611 + err = get_user(sethi, (unsigned int *)regs->tpc);
5612 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5613 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5614 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5615 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5616 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5617 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5618 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5619 +
5620 + if (err)
5621 + break;
5622 +
5623 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5624 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5625 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5626 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5627 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5628 + sllx == 0x83287020U &&
5629 + jmpl == 0x81C04005U &&
5630 + nop == 0x01000000U)
5631 + {
5632 + unsigned long addr;
5633 +
5634 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5635 + regs->u_regs[UREG_G1] <<= 32;
5636 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5637 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5638 + regs->tpc = addr;
5639 + regs->tnpc = addr+4;
5640 + return 2;
5641 + }
5642 + } while (0);
5643 +
5644 + do { /* PaX: patched PLT emulation #6 */
5645 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5646 +
5647 + err = get_user(sethi, (unsigned int *)regs->tpc);
5648 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5649 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5650 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5651 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5652 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5653 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5654 +
5655 + if (err)
5656 + break;
5657 +
5658 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5659 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5660 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5661 + sllx == 0x83287020U &&
5662 + (or & 0xFFFFE000U) == 0x8A116000U &&
5663 + jmpl == 0x81C04005U &&
5664 + nop == 0x01000000U)
5665 + {
5666 + unsigned long addr;
5667 +
5668 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5669 + regs->u_regs[UREG_G1] <<= 32;
5670 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5671 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5672 + regs->tpc = addr;
5673 + regs->tnpc = addr+4;
5674 + return 2;
5675 + }
5676 + } while (0);
5677 +
5678 + do { /* PaX: unpatched PLT emulation step 1 */
5679 + unsigned int sethi, ba, nop;
5680 +
5681 + err = get_user(sethi, (unsigned int *)regs->tpc);
5682 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5683 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5684 +
5685 + if (err)
5686 + break;
5687 +
5688 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5689 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5690 + nop == 0x01000000U)
5691 + {
5692 + unsigned long addr;
5693 + unsigned int save, call;
5694 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5695 +
5696 + if ((ba & 0xFFC00000U) == 0x30800000U)
5697 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5698 + else
5699 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5700 +
5701 + if (test_thread_flag(TIF_32BIT))
5702 + addr &= 0xFFFFFFFFUL;
5703 +
5704 + err = get_user(save, (unsigned int *)addr);
5705 + err |= get_user(call, (unsigned int *)(addr+4));
5706 + err |= get_user(nop, (unsigned int *)(addr+8));
5707 + if (err)
5708 + break;
5709 +
5710 +#ifdef CONFIG_PAX_DLRESOLVE
5711 + if (save == 0x9DE3BFA8U &&
5712 + (call & 0xC0000000U) == 0x40000000U &&
5713 + nop == 0x01000000U)
5714 + {
5715 + struct vm_area_struct *vma;
5716 + unsigned long call_dl_resolve;
5717 +
5718 + down_read(&current->mm->mmap_sem);
5719 + call_dl_resolve = current->mm->call_dl_resolve;
5720 + up_read(&current->mm->mmap_sem);
5721 + if (likely(call_dl_resolve))
5722 + goto emulate;
5723 +
5724 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5725 +
5726 + down_write(&current->mm->mmap_sem);
5727 + if (current->mm->call_dl_resolve) {
5728 + call_dl_resolve = current->mm->call_dl_resolve;
5729 + up_write(&current->mm->mmap_sem);
5730 + if (vma)
5731 + kmem_cache_free(vm_area_cachep, vma);
5732 + goto emulate;
5733 + }
5734 +
5735 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5736 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5737 + up_write(&current->mm->mmap_sem);
5738 + if (vma)
5739 + kmem_cache_free(vm_area_cachep, vma);
5740 + return 1;
5741 + }
5742 +
5743 + if (pax_insert_vma(vma, call_dl_resolve)) {
5744 + up_write(&current->mm->mmap_sem);
5745 + kmem_cache_free(vm_area_cachep, vma);
5746 + return 1;
5747 + }
5748 +
5749 + current->mm->call_dl_resolve = call_dl_resolve;
5750 + up_write(&current->mm->mmap_sem);
5751 +
5752 +emulate:
5753 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5754 + regs->tpc = call_dl_resolve;
5755 + regs->tnpc = addr+4;
5756 + return 3;
5757 + }
5758 +#endif
5759 +
5760 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5761 + if ((save & 0xFFC00000U) == 0x05000000U &&
5762 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5763 + nop == 0x01000000U)
5764 + {
5765 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5766 + regs->u_regs[UREG_G2] = addr + 4;
5767 + addr = (save & 0x003FFFFFU) << 10;
5768 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5769 +
5770 + if (test_thread_flag(TIF_32BIT))
5771 + addr &= 0xFFFFFFFFUL;
5772 +
5773 + regs->tpc = addr;
5774 + regs->tnpc = addr+4;
5775 + return 3;
5776 + }
5777 +
5778 + /* PaX: 64-bit PLT stub */
5779 + err = get_user(sethi1, (unsigned int *)addr);
5780 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5781 + err |= get_user(or1, (unsigned int *)(addr+8));
5782 + err |= get_user(or2, (unsigned int *)(addr+12));
5783 + err |= get_user(sllx, (unsigned int *)(addr+16));
5784 + err |= get_user(add, (unsigned int *)(addr+20));
5785 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5786 + err |= get_user(nop, (unsigned int *)(addr+28));
5787 + if (err)
5788 + break;
5789 +
5790 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5791 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5792 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5793 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5794 + sllx == 0x89293020U &&
5795 + add == 0x8A010005U &&
5796 + jmpl == 0x89C14000U &&
5797 + nop == 0x01000000U)
5798 + {
5799 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5800 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5801 + regs->u_regs[UREG_G4] <<= 32;
5802 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5803 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5804 + regs->u_regs[UREG_G4] = addr + 24;
5805 + addr = regs->u_regs[UREG_G5];
5806 + regs->tpc = addr;
5807 + regs->tnpc = addr+4;
5808 + return 3;
5809 + }
5810 + }
5811 + } while (0);
5812 +
5813 +#ifdef CONFIG_PAX_DLRESOLVE
5814 + do { /* PaX: unpatched PLT emulation step 2 */
5815 + unsigned int save, call, nop;
5816 +
5817 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5818 + err |= get_user(call, (unsigned int *)regs->tpc);
5819 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5820 + if (err)
5821 + break;
5822 +
5823 + if (save == 0x9DE3BFA8U &&
5824 + (call & 0xC0000000U) == 0x40000000U &&
5825 + nop == 0x01000000U)
5826 + {
5827 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5828 +
5829 + if (test_thread_flag(TIF_32BIT))
5830 + dl_resolve &= 0xFFFFFFFFUL;
5831 +
5832 + regs->u_regs[UREG_RETPC] = regs->tpc;
5833 + regs->tpc = dl_resolve;
5834 + regs->tnpc = dl_resolve+4;
5835 + return 3;
5836 + }
5837 + } while (0);
5838 +#endif
5839 +
5840 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5841 + unsigned int sethi, ba, nop;
5842 +
5843 + err = get_user(sethi, (unsigned int *)regs->tpc);
5844 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5845 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5846 +
5847 + if (err)
5848 + break;
5849 +
5850 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5851 + (ba & 0xFFF00000U) == 0x30600000U &&
5852 + nop == 0x01000000U)
5853 + {
5854 + unsigned long addr;
5855 +
5856 + addr = (sethi & 0x003FFFFFU) << 10;
5857 + regs->u_regs[UREG_G1] = addr;
5858 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5859 +
5860 + if (test_thread_flag(TIF_32BIT))
5861 + addr &= 0xFFFFFFFFUL;
5862 +
5863 + regs->tpc = addr;
5864 + regs->tnpc = addr+4;
5865 + return 2;
5866 + }
5867 + } while (0);
5868 +
5869 +#endif
5870 +
5871 + return 1;
5872 +}
5873 +
5874 +void pax_report_insns(void *pc, void *sp)
5875 +{
5876 + unsigned long i;
5877 +
5878 + printk(KERN_ERR "PAX: bytes at PC: ");
5879 + for (i = 0; i < 8; i++) {
5880 + unsigned int c;
5881 + if (get_user(c, (unsigned int *)pc+i))
5882 + printk(KERN_CONT "???????? ");
5883 + else
5884 + printk(KERN_CONT "%08x ", c);
5885 + }
5886 + printk("\n");
5887 +}
5888 +#endif
5889 +
5890 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5891 {
5892 struct mm_struct *mm = current->mm;
5893 @@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5894 if (!vma)
5895 goto bad_area;
5896
5897 +#ifdef CONFIG_PAX_PAGEEXEC
5898 + /* PaX: detect ITLB misses on non-exec pages */
5899 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5900 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5901 + {
5902 + if (address != regs->tpc)
5903 + goto good_area;
5904 +
5905 + up_read(&mm->mmap_sem);
5906 + switch (pax_handle_fetch_fault(regs)) {
5907 +
5908 +#ifdef CONFIG_PAX_EMUPLT
5909 + case 2:
5910 + case 3:
5911 + return;
5912 +#endif
5913 +
5914 + }
5915 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5916 + do_group_exit(SIGKILL);
5917 + }
5918 +#endif
5919 +
5920 /* Pure DTLB misses do not tell us whether the fault causing
5921 * load/store/atomic was a write or not, it only says that there
5922 * was no match. So in such a case we (carefully) read the
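Review bot: The `case 2:` / `case 3:` labels in the added `switch (pax_handle_fetch_fault(regs))` are bare numbers, and with CONFIG_PAX_EMUPLT off the switch body is empty, so the intent is hard to read. Going by the return statements visible earlier in this file's diff (2 after the patched PLT emulation, 3 after the unpatched one, 1 otherwise), a comment such as `/* 2, 3: PLT stub emulated, tpc/tnpc already rewritten; resume user code */` above the cases would document it. A `default: break;` would also make the fall-through to `pax_report_fault()` and `do_group_exit(SIGKILL)` explicit. do_sparc64_fault starts before and continues past this hunk.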
5923 diff -urNp linux-2.6.32.43/arch/sparc/mm/hugetlbpage.c linux-2.6.32.43/arch/sparc/mm/hugetlbpage.c
5924 --- linux-2.6.32.43/arch/sparc/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
5925 +++ linux-2.6.32.43/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
5926 @@ -69,7 +69,7 @@ full_search:
5927 }
5928 return -ENOMEM;
5929 }
5930 - if (likely(!vma || addr + len <= vma->vm_start)) {
5931 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5932 /*
5933 * Remember the place where we stopped the search:
5934 */
5935 @@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
5936 /* make sure it can fit in the remaining address space */
5937 if (likely(addr > len)) {
5938 vma = find_vma(mm, addr-len);
5939 - if (!vma || addr <= vma->vm_start) {
5940 + if (check_heap_stack_gap(vma, addr - len, len)) {
5941 /* remember the address as a hint for next time */
5942 return (mm->free_area_cache = addr-len);
5943 }
5944 @@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
5945 if (unlikely(mm->mmap_base < len))
5946 goto bottomup;
5947
5948 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5949 + addr = mm->mmap_base - len;
5950
5951 do {
5952 + addr &= HPAGE_MASK;
5953 /*
5954 * Lookup failure means no vma is above this address,
5955 * else if new region fits below vma->vm_start,
5956 * return with success:
5957 */
5958 vma = find_vma(mm, addr);
5959 - if (likely(!vma || addr+len <= vma->vm_start)) {
5960 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5961 /* remember the address as a hint for next time */
5962 return (mm->free_area_cache = addr);
5963 }
5964 @@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
5965 mm->cached_hole_size = vma->vm_start - addr;
5966
5967 /* try just below the current vma->vm_start */
5968 - addr = (vma->vm_start-len) & HPAGE_MASK;
5969 - } while (likely(len < vma->vm_start));
5970 + addr = skip_heap_stack_gap(vma, len);
5971 + } while (!IS_ERR_VALUE(addr));
5972
5973 bottomup:
5974 /*
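Review bot: The new loop condition `while (!IS_ERR_VALUE(addr))` depends on `skip_heap_stack_gap()` returning an error-encoded value once nothing fits below `vma`, and that contract is defined outside this file. A comment on the assignment, for example `/* skip_heap_stack_gap() returns an error value when no room is left below vma; the loop then falls through to bottomup */`, would state the assumption next to the code that relies on it. It would also help to note that the `addr &= HPAGE_MASK;` moved to the top of the loop in the previous hunk is what re-aligns the value returned here. hugetlb_get_unmapped_area_topdown begins and ends outside this hunk.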
5975 @@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
5976 if (addr) {
5977 addr = ALIGN(addr, HPAGE_SIZE);
5978 vma = find_vma(mm, addr);
5979 - if (task_size - len >= addr &&
5980 - (!vma || addr + len <= vma->vm_start))
5981 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5982 return addr;
5983 }
5984 if (mm->get_unmapped_area == arch_get_unmapped_area)
5985 diff -urNp linux-2.6.32.43/arch/sparc/mm/init_32.c linux-2.6.32.43/arch/sparc/mm/init_32.c
5986 --- linux-2.6.32.43/arch/sparc/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
5987 +++ linux-2.6.32.43/arch/sparc/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
5988 @@ -317,6 +317,9 @@ extern void device_scan(void);
5989 pgprot_t PAGE_SHARED __read_mostly;
5990 EXPORT_SYMBOL(PAGE_SHARED);
5991
5992 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5993 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5994 +
5995 void __init paging_init(void)
5996 {
5997 switch(sparc_cpu_model) {
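Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, while the srmmu.c hunk later in this patch assigns it only under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the pgtable header (not visible here) handles the option-off case, `protection_map[10]` and `[11]` in the next hunk could be filled from a zero-initialised pgprot. Wrapping the two added lines in `#ifdef CONFIG_PAX_PAGEEXEC` and `#endif` would keep the definition and its initialisation under the same condition.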
5998 @@ -345,17 +348,17 @@ void __init paging_init(void)
5999
6000 /* Initialize the protection map with non-constant, MMU dependent values. */
6001 protection_map[0] = PAGE_NONE;
6002 - protection_map[1] = PAGE_READONLY;
6003 - protection_map[2] = PAGE_COPY;
6004 - protection_map[3] = PAGE_COPY;
6005 + protection_map[1] = PAGE_READONLY_NOEXEC;
6006 + protection_map[2] = PAGE_COPY_NOEXEC;
6007 + protection_map[3] = PAGE_COPY_NOEXEC;
6008 protection_map[4] = PAGE_READONLY;
6009 protection_map[5] = PAGE_READONLY;
6010 protection_map[6] = PAGE_COPY;
6011 protection_map[7] = PAGE_COPY;
6012 protection_map[8] = PAGE_NONE;
6013 - protection_map[9] = PAGE_READONLY;
6014 - protection_map[10] = PAGE_SHARED;
6015 - protection_map[11] = PAGE_SHARED;
6016 + protection_map[9] = PAGE_READONLY_NOEXEC;
6017 + protection_map[10] = PAGE_SHARED_NOEXEC;
6018 + protection_map[11] = PAGE_SHARED_NOEXEC;
6019 protection_map[12] = PAGE_READONLY;
6020 protection_map[13] = PAGE_READONLY;
6021 protection_map[14] = PAGE_SHARED;
6022 diff -urNp linux-2.6.32.43/arch/sparc/mm/Makefile linux-2.6.32.43/arch/sparc/mm/Makefile
6023 --- linux-2.6.32.43/arch/sparc/mm/Makefile 2011-03-27 14:31:47.000000000 -0400
6024 +++ linux-2.6.32.43/arch/sparc/mm/Makefile 2011-04-17 15:56:46.000000000 -0400
6025 @@ -2,7 +2,7 @@
6026 #
6027
6028 asflags-y := -ansi
6029 -ccflags-y := -Werror
6030 +#ccflags-y := -Werror
6031
6032 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
6033 obj-y += fault_$(BITS).o
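Review bot: `#ccflags-y := -Werror` leaves a commented-out setting with no reason given, so warnings in arch/sparc/mm no longer fail the build and nothing says whether that is meant to be permanent. Either delete the line outright or keep it with a stated reason, e.g. `# -Werror disabled: <reason>`, so the next maintainer knows when it can be restored.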
6034 diff -urNp linux-2.6.32.43/arch/sparc/mm/srmmu.c linux-2.6.32.43/arch/sparc/mm/srmmu.c
6035 --- linux-2.6.32.43/arch/sparc/mm/srmmu.c 2011-03-27 14:31:47.000000000 -0400
6036 +++ linux-2.6.32.43/arch/sparc/mm/srmmu.c 2011-04-17 15:56:46.000000000 -0400
6037 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6038 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6039 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6040 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6041 +
6042 +#ifdef CONFIG_PAX_PAGEEXEC
6043 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6044 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6045 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6046 +#endif
6047 +
6048 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6049 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6050
6051 diff -urNp linux-2.6.32.43/arch/um/include/asm/kmap_types.h linux-2.6.32.43/arch/um/include/asm/kmap_types.h
6052 --- linux-2.6.32.43/arch/um/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
6053 +++ linux-2.6.32.43/arch/um/include/asm/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
6054 @@ -23,6 +23,7 @@ enum km_type {
6055 KM_IRQ1,
6056 KM_SOFTIRQ0,
6057 KM_SOFTIRQ1,
6058 + KM_CLEARPAGE,
6059 KM_TYPE_NR
6060 };
6061
6062 diff -urNp linux-2.6.32.43/arch/um/include/asm/page.h linux-2.6.32.43/arch/um/include/asm/page.h
6063 --- linux-2.6.32.43/arch/um/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
6064 +++ linux-2.6.32.43/arch/um/include/asm/page.h 2011-04-17 15:56:46.000000000 -0400
6065 @@ -14,6 +14,9 @@
6066 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6067 #define PAGE_MASK (~(PAGE_SIZE-1))
6068
6069 +#define ktla_ktva(addr) (addr)
6070 +#define ktva_ktla(addr) (addr)
6071 +
6072 #ifndef __ASSEMBLY__
6073
6074 struct page;
6075 diff -urNp linux-2.6.32.43/arch/um/kernel/process.c linux-2.6.32.43/arch/um/kernel/process.c
6076 --- linux-2.6.32.43/arch/um/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
6077 +++ linux-2.6.32.43/arch/um/kernel/process.c 2011-04-17 15:56:46.000000000 -0400
6078 @@ -393,22 +393,6 @@ int singlestepping(void * t)
6079 return 2;
6080 }
6081
6082 -/*
6083 - * Only x86 and x86_64 have an arch_align_stack().
6084 - * All other arches have "#define arch_align_stack(x) (x)"
6085 - * in their asm/system.h
6086 - * As this is included in UML from asm-um/system-generic.h,
6087 - * we can use it to behave as the subarch does.
6088 - */
6089 -#ifndef arch_align_stack
6090 -unsigned long arch_align_stack(unsigned long sp)
6091 -{
6092 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6093 - sp -= get_random_int() % 8192;
6094 - return sp & ~0xf;
6095 -}
6096 -#endif
6097 -
6098 unsigned long get_wchan(struct task_struct *p)
6099 {
6100 unsigned long stack_page, sp, ip;
6101 diff -urNp linux-2.6.32.43/arch/um/sys-i386/syscalls.c linux-2.6.32.43/arch/um/sys-i386/syscalls.c
6102 --- linux-2.6.32.43/arch/um/sys-i386/syscalls.c 2011-03-27 14:31:47.000000000 -0400
6103 +++ linux-2.6.32.43/arch/um/sys-i386/syscalls.c 2011-04-17 15:56:46.000000000 -0400
6104 @@ -11,6 +11,21 @@
6105 #include "asm/uaccess.h"
6106 #include "asm/unistd.h"
6107
6108 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6109 +{
6110 + unsigned long pax_task_size = TASK_SIZE;
6111 +
6112 +#ifdef CONFIG_PAX_SEGMEXEC
6113 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6114 + pax_task_size = SEGMEXEC_TASK_SIZE;
6115 +#endif
6116 +
6117 + if (len > pax_task_size || addr > pax_task_size - len)
6118 + return -EINVAL;
6119 +
6120 + return 0;
6121 +}
6122 +
6123 /*
6124 * Perform the select(nd, in, out, ex, tv) and mmap() system
6125 * calls. Linux/i386 didn't use to be able to handle more than
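Review bot: `i386_mmap_check()` is added without a comment, and the order of its two comparisons matters: `len > pax_task_size` is tested first so that `pax_task_size - len` cannot wrap in the second test. A line such as `/* reject ranges that do not fit below the task size; len is checked first so the subtraction cannot underflow */` above the `if` would record that. The `flags` parameter is unused in the body shown, and `current->mm` is dereferenced without a NULL check under CONFIG_PAX_SEGMEXEC. The comment could therefore also state that callers are expected to have an mm, which should be confirmed against the callers outside this hunk.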
6126 diff -urNp linux-2.6.32.43/arch/x86/boot/bitops.h linux-2.6.32.43/arch/x86/boot/bitops.h
6127 --- linux-2.6.32.43/arch/x86/boot/bitops.h 2011-03-27 14:31:47.000000000 -0400
6128 +++ linux-2.6.32.43/arch/x86/boot/bitops.h 2011-04-17 15:56:46.000000000 -0400
6129 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
6130 u8 v;
6131 const u32 *p = (const u32 *)addr;
6132
6133 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6134 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6135 return v;
6136 }
6137
6138 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
6139
6140 static inline void set_bit(int nr, void *addr)
6141 {
6142 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6143 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6144 }
6145
6146 #endif /* BOOT_BITOPS_H */
6147 diff -urNp linux-2.6.32.43/arch/x86/boot/boot.h linux-2.6.32.43/arch/x86/boot/boot.h
6148 --- linux-2.6.32.43/arch/x86/boot/boot.h 2011-03-27 14:31:47.000000000 -0400
6149 +++ linux-2.6.32.43/arch/x86/boot/boot.h 2011-04-17 15:56:46.000000000 -0400
6150 @@ -82,7 +82,7 @@ static inline void io_delay(void)
6151 static inline u16 ds(void)
6152 {
6153 u16 seg;
6154 - asm("movw %%ds,%0" : "=rm" (seg));
6155 + asm volatile("movw %%ds,%0" : "=rm" (seg));
6156 return seg;
6157 }
6158
6159 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
6160 static inline int memcmp(const void *s1, const void *s2, size_t len)
6161 {
6162 u8 diff;
6163 - asm("repe; cmpsb; setnz %0"
6164 + asm volatile("repe; cmpsb; setnz %0"
6165 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
6166 return diff;
6167 }
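Review bot: Adding `volatile` to the `repe; cmpsb` asm in `memcmp()` keeps the statement from being dropped, but the asm still reads the bytes behind `s1` and `s2` without telling the compiler, since only the pointers and `len` are operands. A `"memory"` clobber makes that dependency explicit, so earlier stores to either buffer cannot be moved past the compare: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`.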
6168 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/head_32.S linux-2.6.32.43/arch/x86/boot/compressed/head_32.S
6169 --- linux-2.6.32.43/arch/x86/boot/compressed/head_32.S 2011-03-27 14:31:47.000000000 -0400
6170 +++ linux-2.6.32.43/arch/x86/boot/compressed/head_32.S 2011-04-17 15:56:46.000000000 -0400
6171 @@ -76,7 +76,7 @@ ENTRY(startup_32)
6172 notl %eax
6173 andl %eax, %ebx
6174 #else
6175 - movl $LOAD_PHYSICAL_ADDR, %ebx
6176 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6177 #endif
6178
6179 /* Target address to relocate to for decompression */
6180 @@ -149,7 +149,7 @@ relocated:
6181 * and where it was actually loaded.
6182 */
6183 movl %ebp, %ebx
6184 - subl $LOAD_PHYSICAL_ADDR, %ebx
6185 + subl $____LOAD_PHYSICAL_ADDR, %ebx
6186 jz 2f /* Nothing to be done if loaded at compiled addr. */
6187 /*
6188 * Process relocations.
6189 @@ -157,8 +157,7 @@ relocated:
6190
6191 1: subl $4, %edi
6192 movl (%edi), %ecx
6193 - testl %ecx, %ecx
6194 - jz 2f
6195 + jecxz 2f
6196 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6197 jmp 1b
6198 2:
6199 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/head_64.S linux-2.6.32.43/arch/x86/boot/compressed/head_64.S
6200 --- linux-2.6.32.43/arch/x86/boot/compressed/head_64.S 2011-03-27 14:31:47.000000000 -0400
6201 +++ linux-2.6.32.43/arch/x86/boot/compressed/head_64.S 2011-07-01 18:53:00.000000000 -0400
6202 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6203 notl %eax
6204 andl %eax, %ebx
6205 #else
6206 - movl $LOAD_PHYSICAL_ADDR, %ebx
6207 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6208 #endif
6209
6210 /* Target address to relocate to for decompression */
6211 @@ -183,7 +183,7 @@ no_longmode:
6212 hlt
6213 jmp 1b
6214
6215 -#include "../../kernel/verify_cpu_64.S"
6216 +#include "../../kernel/verify_cpu.S"
6217
6218 /*
6219 * Be careful here startup_64 needs to be at a predictable
6220 @@ -234,7 +234,7 @@ ENTRY(startup_64)
6221 notq %rax
6222 andq %rax, %rbp
6223 #else
6224 - movq $LOAD_PHYSICAL_ADDR, %rbp
6225 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6226 #endif
6227
6228 /* Target address to relocate to for decompression */
6229 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/Makefile linux-2.6.32.43/arch/x86/boot/compressed/Makefile
6230 --- linux-2.6.32.43/arch/x86/boot/compressed/Makefile 2011-03-27 14:31:47.000000000 -0400
6231 +++ linux-2.6.32.43/arch/x86/boot/compressed/Makefile 2011-08-05 20:33:55.000000000 -0400
6232 @@ -13,6 +13,7 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
6233 KBUILD_CFLAGS += $(cflags-y)
6234 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
6235 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
6236 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6237
6238 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6239 GCOV_PROFILE := n
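Review bot: The added line passes `-fplugin-arg-constify_plugin-no-constify` even when `$(CONSTIFY_PLUGIN)` expands to nothing. Where that variable is set is not visible here, but if it can be empty (compiler without plugin support, plugin not built), the compiler receives an argument for a plugin that was never loaded. Guarding the line avoids that: `ifdef CONSTIFY_PLUGIN` before it and `endif` after it. The same line is added to arch/x86/boot/Makefile later in this patch and would need the same guard.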
6240 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/misc.c linux-2.6.32.43/arch/x86/boot/compressed/misc.c
6241 --- linux-2.6.32.43/arch/x86/boot/compressed/misc.c 2011-03-27 14:31:47.000000000 -0400
6242 +++ linux-2.6.32.43/arch/x86/boot/compressed/misc.c 2011-04-17 15:56:46.000000000 -0400
6243 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
6244 case PT_LOAD:
6245 #ifdef CONFIG_RELOCATABLE
6246 dest = output;
6247 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6248 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6249 #else
6250 dest = (void *)(phdr->p_paddr);
6251 #endif
6252 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6253 error("Destination address too large");
6254 #endif
6255 #ifndef CONFIG_RELOCATABLE
6256 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6257 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6258 error("Wrong destination address");
6259 #endif
6260
6261 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.43/arch/x86/boot/compressed/mkpiggy.c
6262 --- linux-2.6.32.43/arch/x86/boot/compressed/mkpiggy.c 2011-03-27 14:31:47.000000000 -0400
6263 +++ linux-2.6.32.43/arch/x86/boot/compressed/mkpiggy.c 2011-04-17 15:56:46.000000000 -0400
6264 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6265
6266 offs = (olen > ilen) ? olen - ilen : 0;
6267 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6268 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6269 + offs += 64*1024; /* Add 64K bytes slack */
6270 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6271
6272 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
6273 diff -urNp linux-2.6.32.43/arch/x86/boot/compressed/relocs.c linux-2.6.32.43/arch/x86/boot/compressed/relocs.c
6274 --- linux-2.6.32.43/arch/x86/boot/compressed/relocs.c 2011-03-27 14:31:47.000000000 -0400
6275 +++ linux-2.6.32.43/arch/x86/boot/compressed/relocs.c 2011-04-17 15:56:46.000000000 -0400
6276 @@ -10,8 +10,11 @@
6277 #define USE_BSD
6278 #include <endian.h>
6279
6280 +#include "../../../../include/linux/autoconf.h"
6281 +
6282 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6283 static Elf32_Ehdr ehdr;
6284 +static Elf32_Phdr *phdr;
6285 static unsigned long reloc_count, reloc_idx;
6286 static unsigned long *relocs;
6287
6288 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6289
6290 static int is_safe_abs_reloc(const char* sym_name)
6291 {
6292 - int i;
6293 + unsigned int i;
6294
6295 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6296 if (!strcmp(sym_name, safe_abs_relocs[i]))
6297 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6298 }
6299 }
6300
6301 +static void read_phdrs(FILE *fp)
6302 +{
6303 + unsigned int i;
6304 +
6305 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6306 + if (!phdr) {
6307 + die("Unable to allocate %d program headers\n",
6308 + ehdr.e_phnum);
6309 + }
6310 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6311 + die("Seek to %d failed: %s\n",
6312 + ehdr.e_phoff, strerror(errno));
6313 + }
6314 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6315 + die("Cannot read ELF program headers: %s\n",
6316 + strerror(errno));
6317 + }
6318 + for(i = 0; i < ehdr.e_phnum; i++) {
6319 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6320 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6321 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6322 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6323 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6324 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6325 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6326 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6327 + }
6328 +
6329 +}
6330 +
6331 static void read_shdrs(FILE *fp)
6332 {
6333 - int i;
6334 + unsigned int i;
6335 Elf32_Shdr shdr;
6336
6337 secs = calloc(ehdr.e_shnum, sizeof(struct section));
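Review bot: `read_phdrs()` is added without a comment stating its contract. It fills the file-scope `phdr` array using `ehdr.e_phoff` and `ehdr.e_phnum` and converts every field with `elf32_to_cpu`, so it must run after `read_ehdr()` and before `read_relocs()` reads `phdr`. A header comment like `/* Load all program headers into phdr[] in host byte order; requires read_ehdr() first. */` would say so. On style, `for(i = 0;` lacks the space used by the other loops in this file and there is a stray blank line before the closing brace. A short `fread()` does not necessarily set `errno`, so the `strerror(errno)` in that message may name an unrelated error.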
6338 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6339
6340 static void read_strtabs(FILE *fp)
6341 {
6342 - int i;
6343 + unsigned int i;
6344 for (i = 0; i < ehdr.e_shnum; i++) {
6345 struct section *sec = &secs[i];
6346 if (sec->shdr.sh_type != SHT_STRTAB) {
6347 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6348
6349 static void read_symtabs(FILE *fp)
6350 {
6351 - int i,j;
6352 + unsigned int i,j;
6353 for (i = 0; i < ehdr.e_shnum; i++) {
6354 struct section *sec = &secs[i];
6355 if (sec->shdr.sh_type != SHT_SYMTAB) {
6356 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6357
6358 static void read_relocs(FILE *fp)
6359 {
6360 - int i,j;
6361 + unsigned int i,j;
6362 + uint32_t base;
6363 +
6364 for (i = 0; i < ehdr.e_shnum; i++) {
6365 struct section *sec = &secs[i];
6366 if (sec->shdr.sh_type != SHT_REL) {
6367 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6368 die("Cannot read symbol table: %s\n",
6369 strerror(errno));
6370 }
6371 + base = 0;
6372 + for (j = 0; j < ehdr.e_phnum; j++) {
6373 + if (phdr[j].p_type != PT_LOAD )
6374 + continue;
6375 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6376 + continue;
6377 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6378 + break;
6379 + }
6380 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6381 Elf32_Rel *rel = &sec->reltab[j];
6382 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6383 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6384 rel->r_info = elf32_to_cpu(rel->r_info);
6385 }
6386 }
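Review bot: The added segment lookup spells out `secs[sec->shdr.sh_info].shdr.sh_offset` twice on one very long line, and it leaves `base` at 0 without comment when no PT_LOAD segment contains the target section. Hoisting the offset into a local, e.g. `uint32_t off = secs[sec->shdr.sh_info].shdr.sh_offset;`, and testing `if (off < phdr[j].p_offset || off >= phdr[j].p_offset + phdr[j].p_filesz)` would make the range check readable. A comment such as `/* base stays 0 for sections outside every PT_LOAD segment */` would say whether that case is intended. `sh_info` is also used as an index into `secs` with no visible check against `ehdr.e_shnum`; if no earlier code validates it, a bounds test belongs here. read_relocs begins and ends outside this hunk.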
6387 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6388
6389 static void print_absolute_symbols(void)
6390 {
6391 - int i;
6392 + unsigned int i;
6393 printf("Absolute symbols\n");
6394 printf(" Num: Value Size Type Bind Visibility Name\n");
6395 for (i = 0; i < ehdr.e_shnum; i++) {
6396 struct section *sec = &secs[i];
6397 char *sym_strtab;
6398 Elf32_Sym *sh_symtab;
6399 - int j;
6400 + unsigned int j;
6401
6402 if (sec->shdr.sh_type != SHT_SYMTAB) {
6403 continue;
6404 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6405
6406 static void print_absolute_relocs(void)
6407 {
6408 - int i, printed = 0;
6409 + unsigned int i, printed = 0;
6410
6411 for (i = 0; i < ehdr.e_shnum; i++) {
6412 struct section *sec = &secs[i];
6413 struct section *sec_applies, *sec_symtab;
6414 char *sym_strtab;
6415 Elf32_Sym *sh_symtab;
6416 - int j;
6417 + unsigned int j;
6418 if (sec->shdr.sh_type != SHT_REL) {
6419 continue;
6420 }
6421 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6422
6423 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6424 {
6425 - int i;
6426 + unsigned int i;
6427 /* Walk through the relocations */
6428 for (i = 0; i < ehdr.e_shnum; i++) {
6429 char *sym_strtab;
6430 Elf32_Sym *sh_symtab;
6431 struct section *sec_applies, *sec_symtab;
6432 - int j;
6433 + unsigned int j;
6434 struct section *sec = &secs[i];
6435
6436 if (sec->shdr.sh_type != SHT_REL) {
6437 @@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6438 if (sym->st_shndx == SHN_ABS) {
6439 continue;
6440 }
6441 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6442 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6443 + continue;
6444 +
6445 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6446 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6447 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6448 + continue;
6449 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6450 + continue;
6451 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6452 + continue;
6453 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6454 + continue;
6455 +#endif
6456 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6457 /*
6458 * NONE can be ignored and and PC relative
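Review bot: The added filters mix `!strcmp` and bare `strcmp` on the symbol name, which is easy to misread. The `.data.percpu` and `.text` tests skip every symbol except the named one, while the `.module.text` test skips only `_etext`. A short comment per test would make the polarity explicit, for example `/* skip all of .text except __LOAD_PHYSICAL_ADDR */`. `sec_name(sym->st_shndx)` is also evaluated up to five times per relocation; a local `const char *secname = sec_name(sym->st_shndx);` would shorten the lines. walk_relocs starts and ends outside this hunk.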
6459 @@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6460
6461 static void emit_relocs(int as_text)
6462 {
6463 - int i;
6464 + unsigned int i;
6465 /* Count how many relocations I have and allocate space for them. */
6466 reloc_count = 0;
6467 walk_relocs(count_reloc);
6468 @@ -634,6 +693,7 @@ int main(int argc, char **argv)
6469 fname, strerror(errno));
6470 }
6471 read_ehdr(fp);
6472 + read_phdrs(fp);
6473 read_shdrs(fp);
6474 read_strtabs(fp);
6475 read_symtabs(fp);
6476 diff -urNp linux-2.6.32.43/arch/x86/boot/cpucheck.c linux-2.6.32.43/arch/x86/boot/cpucheck.c
6477 --- linux-2.6.32.43/arch/x86/boot/cpucheck.c 2011-03-27 14:31:47.000000000 -0400
6478 +++ linux-2.6.32.43/arch/x86/boot/cpucheck.c 2011-04-17 15:56:46.000000000 -0400
6479 @@ -74,7 +74,7 @@ static int has_fpu(void)
6480 u16 fcw = -1, fsw = -1;
6481 u32 cr0;
6482
6483 - asm("movl %%cr0,%0" : "=r" (cr0));
6484 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6485 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6486 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6487 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6488 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6489 {
6490 u32 f0, f1;
6491
6492 - asm("pushfl ; "
6493 + asm volatile("pushfl ; "
6494 "pushfl ; "
6495 "popl %0 ; "
6496 "movl %0,%1 ; "
6497 @@ -115,7 +115,7 @@ static void get_flags(void)
6498 set_bit(X86_FEATURE_FPU, cpu.flags);
6499
6500 if (has_eflag(X86_EFLAGS_ID)) {
6501 - asm("cpuid"
6502 + asm volatile("cpuid"
6503 : "=a" (max_intel_level),
6504 "=b" (cpu_vendor[0]),
6505 "=d" (cpu_vendor[1]),
6506 @@ -124,7 +124,7 @@ static void get_flags(void)
6507
6508 if (max_intel_level >= 0x00000001 &&
6509 max_intel_level <= 0x0000ffff) {
6510 - asm("cpuid"
6511 + asm volatile("cpuid"
6512 : "=a" (tfms),
6513 "=c" (cpu.flags[4]),
6514 "=d" (cpu.flags[0])
6515 @@ -136,7 +136,7 @@ static void get_flags(void)
6516 cpu.model += ((tfms >> 16) & 0xf) << 4;
6517 }
6518
6519 - asm("cpuid"
6520 + asm volatile("cpuid"
6521 : "=a" (max_amd_level)
6522 : "a" (0x80000000)
6523 : "ebx", "ecx", "edx");
6524 @@ -144,7 +144,7 @@ static void get_flags(void)
6525 if (max_amd_level >= 0x80000001 &&
6526 max_amd_level <= 0x8000ffff) {
6527 u32 eax = 0x80000001;
6528 - asm("cpuid"
6529 + asm volatile("cpuid"
6530 : "+a" (eax),
6531 "=c" (cpu.flags[6]),
6532 "=d" (cpu.flags[1])
6533 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6534 u32 ecx = MSR_K7_HWCR;
6535 u32 eax, edx;
6536
6537 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6538 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6539 eax &= ~(1 << 15);
6540 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6541 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6542
6543 get_flags(); /* Make sure it really did something */
6544 err = check_flags();
6545 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6546 u32 ecx = MSR_VIA_FCR;
6547 u32 eax, edx;
6548
6549 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6550 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6551 eax |= (1<<1)|(1<<7);
6552 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6553 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6554
6555 set_bit(X86_FEATURE_CX8, cpu.flags);
6556 err = check_flags();
6557 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6558 u32 eax, edx;
6559 u32 level = 1;
6560
6561 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6562 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6563 - asm("cpuid"
6564 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6565 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6566 + asm volatile("cpuid"
6567 : "+a" (level), "=d" (cpu.flags[0])
6568 : : "ecx", "ebx");
6569 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6570 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6571
6572 err = check_flags();
6573 }
6574 diff -urNp linux-2.6.32.43/arch/x86/boot/header.S linux-2.6.32.43/arch/x86/boot/header.S
6575 --- linux-2.6.32.43/arch/x86/boot/header.S 2011-03-27 14:31:47.000000000 -0400
6576 +++ linux-2.6.32.43/arch/x86/boot/header.S 2011-04-17 15:56:46.000000000 -0400
6577 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6578 # single linked list of
6579 # struct setup_data
6580
6581 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6582 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6583
6584 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6585 #define VO_INIT_SIZE (VO__end - VO__text)
6586 diff -urNp linux-2.6.32.43/arch/x86/boot/Makefile linux-2.6.32.43/arch/x86/boot/Makefile
6587 --- linux-2.6.32.43/arch/x86/boot/Makefile 2011-03-27 14:31:47.000000000 -0400
6588 +++ linux-2.6.32.43/arch/x86/boot/Makefile 2011-08-05 20:33:55.000000000 -0400
6589 @@ -69,6 +69,7 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
6590 $(call cc-option, -fno-stack-protector) \
6591 $(call cc-option, -mpreferred-stack-boundary=2)
6592 KBUILD_CFLAGS += $(call cc-option, -m32)
6593 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6594 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6595 GCOV_PROFILE := n
6596
6597 diff -urNp linux-2.6.32.43/arch/x86/boot/memory.c linux-2.6.32.43/arch/x86/boot/memory.c
6598 --- linux-2.6.32.43/arch/x86/boot/memory.c 2011-03-27 14:31:47.000000000 -0400
6599 +++ linux-2.6.32.43/arch/x86/boot/memory.c 2011-04-17 15:56:46.000000000 -0400
6600 @@ -19,7 +19,7 @@
6601
6602 static int detect_memory_e820(void)
6603 {
6604 - int count = 0;
6605 + unsigned int count = 0;
6606 struct biosregs ireg, oreg;
6607 struct e820entry *desc = boot_params.e820_map;
6608 static struct e820entry buf; /* static so it is zeroed */
6609 diff -urNp linux-2.6.32.43/arch/x86/boot/video.c linux-2.6.32.43/arch/x86/boot/video.c
6610 --- linux-2.6.32.43/arch/x86/boot/video.c 2011-03-27 14:31:47.000000000 -0400
6611 +++ linux-2.6.32.43/arch/x86/boot/video.c 2011-04-17 15:56:46.000000000 -0400
6612 @@ -90,7 +90,7 @@ static void store_mode_params(void)
6613 static unsigned int get_entry(void)
6614 {
6615 char entry_buf[4];
6616 - int i, len = 0;
6617 + unsigned int i, len = 0;
6618 int key;
6619 unsigned int v;
6620
6621 diff -urNp linux-2.6.32.43/arch/x86/boot/video-vesa.c linux-2.6.32.43/arch/x86/boot/video-vesa.c
6622 --- linux-2.6.32.43/arch/x86/boot/video-vesa.c 2011-03-27 14:31:47.000000000 -0400
6623 +++ linux-2.6.32.43/arch/x86/boot/video-vesa.c 2011-04-17 15:56:46.000000000 -0400
6624 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6625
6626 boot_params.screen_info.vesapm_seg = oreg.es;
6627 boot_params.screen_info.vesapm_off = oreg.di;
6628 + boot_params.screen_info.vesapm_size = oreg.cx;
6629 }
6630
6631 /*
6632 diff -urNp linux-2.6.32.43/arch/x86/ia32/ia32_aout.c linux-2.6.32.43/arch/x86/ia32/ia32_aout.c
6633 --- linux-2.6.32.43/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
6634 +++ linux-2.6.32.43/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
6635 @@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6636 unsigned long dump_start, dump_size;
6637 struct user32 dump;
6638
6639 + memset(&dump, 0, sizeof(dump));
6640 +
6641 fs = get_fs();
6642 set_fs(KERNEL_DS);
6643 has_dumped = 1;
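Review bot: The added `memset(&dump, 0, sizeof(dump));` carries no comment saying why it is needed. `dump` is a stack `struct user32`, and presumably the point is that padding and any fields not assigned later must not carry stale kernel stack contents into the core file. A line such as `/* clear padding and unset fields before the struct is written out */` above the call would record that. aout_core_dump starts and ends outside this hunk.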
6644 @@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6645 dump_size = dump.u_ssize << PAGE_SHIFT;
6646 DUMP_WRITE(dump_start, dump_size);
6647 }
6648 - /*
6649 - * Finally dump the task struct. Not be used by gdb, but
6650 - * could be useful
6651 - */
6652 - set_fs(KERNEL_DS);
6653 - DUMP_WRITE(current, sizeof(*current));
6654 end_coredump:
6655 set_fs(fs);
6656 return has_dumped;
6657 diff -urNp linux-2.6.32.43/arch/x86/ia32/ia32entry.S linux-2.6.32.43/arch/x86/ia32/ia32entry.S
6658 --- linux-2.6.32.43/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
6659 +++ linux-2.6.32.43/arch/x86/ia32/ia32entry.S 2011-06-04 20:29:52.000000000 -0400
6660 @@ -13,6 +13,7 @@
6661 #include <asm/thread_info.h>
6662 #include <asm/segment.h>
6663 #include <asm/irqflags.h>
6664 +#include <asm/pgtable.h>
6665 #include <linux/linkage.h>
6666
6667 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6668 @@ -93,6 +94,30 @@ ENTRY(native_irq_enable_sysexit)
6669 ENDPROC(native_irq_enable_sysexit)
6670 #endif
6671
6672 + .macro pax_enter_kernel_user
6673 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6674 + call pax_enter_kernel_user
6675 +#endif
6676 + .endm
6677 +
6678 + .macro pax_exit_kernel_user
6679 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6680 + call pax_exit_kernel_user
6681 +#endif
6682 +#ifdef CONFIG_PAX_RANDKSTACK
6683 + pushq %rax
6684 + call pax_randomize_kstack
6685 + popq %rax
6686 +#endif
6687 + pax_erase_kstack
6688 + .endm
6689 +
6690 +.macro pax_erase_kstack
6691 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6692 + call pax_erase_kstack
6693 +#endif
6694 +.endm
6695 +
6696 /*
6697 * 32bit SYSENTER instruction entry.
6698 *
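Review bot: In the `pax_exit_kernel_user` macro the `pushq %rax` / `popq %rax` pair around `call pax_randomize_kstack` moves the stack pointer without a CFI annotation. Pushes elsewhere in this file are followed by `CFI_ADJUST_CFA_OFFSET 8`, as with the `pushfq` in ia32_sysenter_target. Adding `CFI_ADJUST_CFA_OFFSET 8` after the push and `CFI_ADJUST_CFA_OFFSET -8` after the pop would keep the unwind information consistent across the call. As a style point, `.macro pax_erase_kstack` and its `.endm` start at column 0 while the other two macros are indented.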
6699 @@ -119,7 +144,7 @@ ENTRY(ia32_sysenter_target)
6700 CFI_REGISTER rsp,rbp
6701 SWAPGS_UNSAFE_STACK
6702 movq PER_CPU_VAR(kernel_stack), %rsp
6703 - addq $(KERNEL_STACK_OFFSET),%rsp
6704 + pax_enter_kernel_user
6705 /*
6706 * No need to follow this irqs on/off section: the syscall
6707 * disabled irqs, here we enable it straight after entry:
6708 @@ -135,7 +160,8 @@ ENTRY(ia32_sysenter_target)
6709 pushfq
6710 CFI_ADJUST_CFA_OFFSET 8
6711 /*CFI_REL_OFFSET rflags,0*/
6712 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6713 + GET_THREAD_INFO(%r10)
6714 + movl TI_sysenter_return(%r10), %r10d
6715 CFI_REGISTER rip,r10
6716 pushq $__USER32_CS
6717 CFI_ADJUST_CFA_OFFSET 8
6718 @@ -150,6 +176,12 @@ ENTRY(ia32_sysenter_target)
6719 SAVE_ARGS 0,0,1
6720 /* no need to do an access_ok check here because rbp has been
6721 32bit zero extended */
6722 +
6723 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6724 + mov $PAX_USER_SHADOW_BASE,%r10
6725 + add %r10,%rbp
6726 +#endif
6727 +
6728 1: movl (%rbp),%ebp
6729 .section __ex_table,"a"
6730 .quad 1b,ia32_badarg
6731 @@ -172,6 +204,7 @@ sysenter_dispatch:
6732 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6733 jnz sysexit_audit
6734 sysexit_from_sys_call:
6735 + pax_exit_kernel_user
6736 andl $~TS_COMPAT,TI_status(%r10)
6737 /* clear IF, that popfq doesn't enable interrupts early */
6738 andl $~0x200,EFLAGS-R11(%rsp)
6739 @@ -200,6 +233,9 @@ sysexit_from_sys_call:
6740 movl %eax,%esi /* 2nd arg: syscall number */
6741 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6742 call audit_syscall_entry
6743 +
6744 + pax_erase_kstack
6745 +
6746 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6747 cmpq $(IA32_NR_syscalls-1),%rax
6748 ja ia32_badsys
6749 @@ -252,6 +288,9 @@ sysenter_tracesys:
6750 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6751 movq %rsp,%rdi /* &pt_regs -> arg1 */
6752 call syscall_trace_enter
6753 +
6754 + pax_erase_kstack
6755 +
6756 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6757 RESTORE_REST
6758 cmpq $(IA32_NR_syscalls-1),%rax
6759 @@ -283,19 +322,24 @@ ENDPROC(ia32_sysenter_target)
6760 ENTRY(ia32_cstar_target)
6761 CFI_STARTPROC32 simple
6762 CFI_SIGNAL_FRAME
6763 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6764 + CFI_DEF_CFA rsp,0
6765 CFI_REGISTER rip,rcx
6766 /*CFI_REGISTER rflags,r11*/
6767 SWAPGS_UNSAFE_STACK
6768 movl %esp,%r8d
6769 CFI_REGISTER rsp,r8
6770 movq PER_CPU_VAR(kernel_stack),%rsp
6771 +
6772 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6773 + pax_enter_kernel_user
6774 +#endif
6775 +
6776 /*
6777 * No need to follow this irqs on/off section: the syscall
6778 * disabled irqs and here we enable it straight after entry:
6779 */
6780 ENABLE_INTERRUPTS(CLBR_NONE)
6781 - SAVE_ARGS 8,1,1
6782 + SAVE_ARGS 8*6,1,1
6783 movl %eax,%eax /* zero extension */
6784 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6785 movq %rcx,RIP-ARGOFFSET(%rsp)
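Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` wrapped around `pax_enter_kernel_user` in ia32_cstar_target is redundant, because the macro defined earlier in this file already expands to nothing unless that option is set. The ia32_sysenter_target and ia32_syscall entries invoke it unguarded, so dropping the outer guard keeps the three entry points uniform. Separately, `SAVE_ARGS 8*6,1,1` and `CFI_DEF_CFA rsp,0` replace the KERNEL_STACK_OFFSET-based values with bare numbers. A one-line comment saying what the six quadwords account for would help, since the matching change to kernel_stack is outside this hunk.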
6786 @@ -311,6 +355,12 @@ ENTRY(ia32_cstar_target)
6787 /* no need to do an access_ok check here because r8 has been
6788 32bit zero extended */
6789 /* hardware stack frame is complete now */
6790 +
6791 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6792 + mov $PAX_USER_SHADOW_BASE,%r10
6793 + add %r10,%r8
6794 +#endif
6795 +
6796 1: movl (%r8),%r9d
6797 .section __ex_table,"a"
6798 .quad 1b,ia32_badarg
6799 @@ -333,6 +383,7 @@ cstar_dispatch:
6800 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6801 jnz sysretl_audit
6802 sysretl_from_sys_call:
6803 + pax_exit_kernel_user
6804 andl $~TS_COMPAT,TI_status(%r10)
6805 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6806 movl RIP-ARGOFFSET(%rsp),%ecx
6807 @@ -370,6 +421,9 @@ cstar_tracesys:
6808 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6809 movq %rsp,%rdi /* &pt_regs -> arg1 */
6810 call syscall_trace_enter
6811 +
6812 + pax_erase_kstack
6813 +
6814 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6815 RESTORE_REST
6816 xchgl %ebp,%r9d
6817 @@ -415,6 +469,7 @@ ENTRY(ia32_syscall)
6818 CFI_REL_OFFSET rip,RIP-RIP
6819 PARAVIRT_ADJUST_EXCEPTION_FRAME
6820 SWAPGS
6821 + pax_enter_kernel_user
6822 /*
6823 * No need to follow this irqs on/off section: the syscall
6824 * disabled irqs and here we enable it straight after entry:
6825 @@ -448,6 +503,9 @@ ia32_tracesys:
6826 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6827 movq %rsp,%rdi /* &pt_regs -> arg1 */
6828 call syscall_trace_enter
6829 +
6830 + pax_erase_kstack
6831 +
6832 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6833 RESTORE_REST
6834 cmpq $(IA32_NR_syscalls-1),%rax
6835 diff -urNp linux-2.6.32.43/arch/x86/ia32/ia32_signal.c linux-2.6.32.43/arch/x86/ia32/ia32_signal.c
6836 --- linux-2.6.32.43/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
6837 +++ linux-2.6.32.43/arch/x86/ia32/ia32_signal.c 2011-04-17 15:56:46.000000000 -0400
6838 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6839 sp -= frame_size;
6840 /* Align the stack pointer according to the i386 ABI,
6841 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6842 - sp = ((sp + 4) & -16ul) - 4;
6843 + sp = ((sp - 12) & -16ul) - 4;
6844 return (void __user *) sp;
6845 }
6846
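Review bot: The comment above the changed line in get_sigframe still describes only the alignment rule, but `((sp - 12) & -16ul) - 4` is the old expression minus 16, so the frame now sits 16 to 31 bytes below the incoming sp instead of 0 to 15. The invariant `((sp + 4) & 15) == 0` still holds; the reason for the extra gap is not stated anywhere in the hunk. A short why-comment on that line would keep a later cleanup from reverting it to the previous form. get_sigframe begins outside the hunk.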
6847 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6848 * These are actually not used anymore, but left because some
6849 * gdb versions depend on them as a marker.
6850 */
6851 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6852 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6853 } put_user_catch(err);
6854
6855 if (err)
6856 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6857 0xb8,
6858 __NR_ia32_rt_sigreturn,
6859 0x80cd,
6860 - 0,
6861 + 0
6862 };
6863
6864 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6865 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6866
6867 if (ka->sa.sa_flags & SA_RESTORER)
6868 restorer = ka->sa.sa_restorer;
6869 + else if (current->mm->context.vdso)
6870 + /* Return stub is in 32bit vsyscall page */
6871 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6872 else
6873 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6874 - rt_sigreturn);
6875 + restorer = &frame->retcode;
6876 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6877
6878 /*
6879 * Not actually used anymore, but left because some gdb
6880 * versions need it.
6881 */
6882 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6883 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6884 } put_user_catch(err);
6885
6886 if (err)
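Review bot: With the new `else restorer = &frame->retcode;` branch in ia32_setup_rt_frame, the comment a few lines below ("Not actually used anymore, but left because some gdb versions need it") is no longer accurate. When SA_RESTORER is not set and no vdso is mapped, the retcode bytes written into the signal frame become the actual return stub. I would reword it along the lines of `/* Return stub when no vdso is mapped; otherwise only a marker for gdb. */`. It should also say what lets that stub run when the user stack is mapped non-executable, which nothing in this hunk shows. The function starts and ends outside the hunk.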
6887 diff -urNp linux-2.6.32.43/arch/x86/include/asm/alternative.h linux-2.6.32.43/arch/x86/include/asm/alternative.h
6888 --- linux-2.6.32.43/arch/x86/include/asm/alternative.h 2011-03-27 14:31:47.000000000 -0400
6889 +++ linux-2.6.32.43/arch/x86/include/asm/alternative.h 2011-04-17 15:56:46.000000000 -0400
6890 @@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
6891 " .byte 662b-661b\n" /* sourcelen */ \
6892 " .byte 664f-663f\n" /* replacementlen */ \
6893 ".previous\n" \
6894 - ".section .altinstr_replacement, \"ax\"\n" \
6895 + ".section .altinstr_replacement, \"a\"\n" \
6896 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6897 ".previous"
6898
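Review bot: Dropping the `x` flag from `.altinstr_replacement` comes with no comment saying why it is safe. Presumably the replacement bytes are only copied over the original site by the alternatives patcher and never executed in place; if so, say it next to the directive, e.g. `/* copied by the patcher, never run in place: no "x" */`. Any other place that declares this section (assembly sources, the linker script) should carry the same flags, otherwise the assembler may complain about changed section attributes. None of those places is visible in this hunk.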
6899 diff -urNp linux-2.6.32.43/arch/x86/include/asm/apm.h linux-2.6.32.43/arch/x86/include/asm/apm.h
6900 --- linux-2.6.32.43/arch/x86/include/asm/apm.h 2011-03-27 14:31:47.000000000 -0400
6901 +++ linux-2.6.32.43/arch/x86/include/asm/apm.h 2011-04-17 15:56:46.000000000 -0400
6902 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6903 __asm__ __volatile__(APM_DO_ZERO_SEGS
6904 "pushl %%edi\n\t"
6905 "pushl %%ebp\n\t"
6906 - "lcall *%%cs:apm_bios_entry\n\t"
6907 + "lcall *%%ss:apm_bios_entry\n\t"
6908 "setc %%al\n\t"
6909 "popl %%ebp\n\t"
6910 "popl %%edi\n\t"
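Review bot: The segment override on the `lcall` changes from `%%cs:` to `%%ss:` here and again in apm_bios_call_simple_asm below, with no comment at either site explaining why apm_bios_entry must no longer be read through the code segment. Because this is a far call into firmware, the addressing assumption deserves one line of documentation, e.g. `/* apm_bios_entry is kernel data: read it through %ss, not %cs */`, adjusted to the actual reason. Both functions begin outside their hunks.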
6911 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6912 __asm__ __volatile__(APM_DO_ZERO_SEGS
6913 "pushl %%edi\n\t"
6914 "pushl %%ebp\n\t"
6915 - "lcall *%%cs:apm_bios_entry\n\t"
6916 + "lcall *%%ss:apm_bios_entry\n\t"
6917 "setc %%bl\n\t"
6918 "popl %%ebp\n\t"
6919 "popl %%edi\n\t"
6920 diff -urNp linux-2.6.32.43/arch/x86/include/asm/atomic_32.h linux-2.6.32.43/arch/x86/include/asm/atomic_32.h
6921 --- linux-2.6.32.43/arch/x86/include/asm/atomic_32.h 2011-03-27 14:31:47.000000000 -0400
6922 +++ linux-2.6.32.43/arch/x86/include/asm/atomic_32.h 2011-05-04 17:56:20.000000000 -0400
6923 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
6924 }
6925
6926 /**
6927 + * atomic_read_unchecked - read atomic variable
6928 + * @v: pointer of type atomic_unchecked_t
6929 + *
6930 + * Atomically reads the value of @v.
6931 + */
6932 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6933 +{
6934 + return v->counter;
6935 +}
6936 +
6937 +/**
6938 * atomic_set - set atomic variable
6939 * @v: pointer of type atomic_t
6940 * @i: required value
6941 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
6942 }
6943
6944 /**
6945 + * atomic_set_unchecked - set atomic variable
6946 + * @v: pointer of type atomic_unchecked_t
6947 + * @i: required value
6948 + *
6949 + * Atomically sets the value of @v to @i.
6950 + */
6951 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6952 +{
6953 + v->counter = i;
6954 +}
6955 +
6956 +/**
6957 * atomic_add - add integer to atomic variable
6958 * @i: integer value to add
6959 * @v: pointer of type atomic_t
6960 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
6961 */
6962 static inline void atomic_add(int i, atomic_t *v)
6963 {
6964 - asm volatile(LOCK_PREFIX "addl %1,%0"
6965 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6966 +
6967 +#ifdef CONFIG_PAX_REFCOUNT
6968 + "jno 0f\n"
6969 + LOCK_PREFIX "subl %1,%0\n"
6970 + "int $4\n0:\n"
6971 + _ASM_EXTABLE(0b, 0b)
6972 +#endif
6973 +
6974 + : "+m" (v->counter)
6975 + : "ir" (i));
6976 +}
6977 +
6978 +/**
6979 + * atomic_add_unchecked - add integer to atomic variable
6980 + * @i: integer value to add
6981 + * @v: pointer of type atomic_unchecked_t
6982 + *
6983 + * Atomically adds @i to @v.
6984 + */
6985 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6986 +{
6987 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6988 : "+m" (v->counter)
6989 : "ir" (i));
6990 }
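Review bot: In the checked `atomic_add`, the overflow is undone by a second locked instruction (`lock subl` after `lock addl`), so the wrapped counter value is in memory and visible to other CPUs in the window between the two. The kernel-doc above the function does not mention this. It should say that under CONFIG_PAX_REFCOUNT a signed overflow is reverted and reported through `int $4`, and that the revert is not atomic with the add. The same applies to the other checked operations in this file and in atomic_64.h (atomic_sub, atomic_inc, atomic_dec, the *_and_test variants, atomic_add_negative). The identical `#ifdef CONFIG_PAX_REFCOUNT` sequence is repeated in each of them; a helper macro taking the undo instruction would keep the copies from drifting apart.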
6991 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
6992 */
6993 static inline void atomic_sub(int i, atomic_t *v)
6994 {
6995 - asm volatile(LOCK_PREFIX "subl %1,%0"
6996 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6997 +
6998 +#ifdef CONFIG_PAX_REFCOUNT
6999 + "jno 0f\n"
7000 + LOCK_PREFIX "addl %1,%0\n"
7001 + "int $4\n0:\n"
7002 + _ASM_EXTABLE(0b, 0b)
7003 +#endif
7004 +
7005 + : "+m" (v->counter)
7006 + : "ir" (i));
7007 +}
7008 +
7009 +/**
7010 + * atomic_sub_unchecked - subtract integer from atomic variable
7011 + * @i: integer value to subtract
7012 + * @v: pointer of type atomic_unchecked_t
7013 + *
7014 + * Atomically subtracts @i from @v.
7015 + */
7016 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7017 +{
7018 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7019 : "+m" (v->counter)
7020 : "ir" (i));
7021 }
7022 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
7023 {
7024 unsigned char c;
7025
7026 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7027 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7028 +
7029 +#ifdef CONFIG_PAX_REFCOUNT
7030 + "jno 0f\n"
7031 + LOCK_PREFIX "addl %2,%0\n"
7032 + "int $4\n0:\n"
7033 + _ASM_EXTABLE(0b, 0b)
7034 +#endif
7035 +
7036 + "sete %1\n"
7037 : "+m" (v->counter), "=qm" (c)
7038 : "ir" (i) : "memory");
7039 return c;
7040 @@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
7041 */
7042 static inline void atomic_inc(atomic_t *v)
7043 {
7044 - asm volatile(LOCK_PREFIX "incl %0"
7045 + asm volatile(LOCK_PREFIX "incl %0\n"
7046 +
7047 +#ifdef CONFIG_PAX_REFCOUNT
7048 + "jno 0f\n"
7049 + LOCK_PREFIX "decl %0\n"
7050 + "int $4\n0:\n"
7051 + _ASM_EXTABLE(0b, 0b)
7052 +#endif
7053 +
7054 + : "+m" (v->counter));
7055 +}
7056 +
7057 +/**
7058 + * atomic_inc_unchecked - increment atomic variable
7059 + * @v: pointer of type atomic_unchecked_t
7060 + *
7061 + * Atomically increments @v by 1.
7062 + */
7063 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7064 +{
7065 + asm volatile(LOCK_PREFIX "incl %0\n"
7066 : "+m" (v->counter));
7067 }
7068
7069 @@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
7070 */
7071 static inline void atomic_dec(atomic_t *v)
7072 {
7073 - asm volatile(LOCK_PREFIX "decl %0"
7074 + asm volatile(LOCK_PREFIX "decl %0\n"
7075 +
7076 +#ifdef CONFIG_PAX_REFCOUNT
7077 + "jno 0f\n"
7078 + LOCK_PREFIX "incl %0\n"
7079 + "int $4\n0:\n"
7080 + _ASM_EXTABLE(0b, 0b)
7081 +#endif
7082 +
7083 + : "+m" (v->counter));
7084 +}
7085 +
7086 +/**
7087 + * atomic_dec_unchecked - decrement atomic variable
7088 + * @v: pointer of type atomic_unchecked_t
7089 + *
7090 + * Atomically decrements @v by 1.
7091 + */
7092 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7093 +{
7094 + asm volatile(LOCK_PREFIX "decl %0\n"
7095 : "+m" (v->counter));
7096 }
7097
7098 @@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
7099 {
7100 unsigned char c;
7101
7102 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7103 + asm volatile(LOCK_PREFIX "decl %0\n"
7104 +
7105 +#ifdef CONFIG_PAX_REFCOUNT
7106 + "jno 0f\n"
7107 + LOCK_PREFIX "incl %0\n"
7108 + "int $4\n0:\n"
7109 + _ASM_EXTABLE(0b, 0b)
7110 +#endif
7111 +
7112 + "sete %1\n"
7113 : "+m" (v->counter), "=qm" (c)
7114 : : "memory");
7115 return c != 0;
7116 @@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
7117 {
7118 unsigned char c;
7119
7120 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7121 + asm volatile(LOCK_PREFIX "incl %0\n"
7122 +
7123 +#ifdef CONFIG_PAX_REFCOUNT
7124 + "jno 0f\n"
7125 + LOCK_PREFIX "decl %0\n"
7126 + "into\n0:\n"
7127 + _ASM_EXTABLE(0b, 0b)
7128 +#endif
7129 +
7130 + "sete %1\n"
7131 + : "+m" (v->counter), "=qm" (c)
7132 + : : "memory");
7133 + return c != 0;
7134 +}
7135 +
7136 +/**
7137 + * atomic_inc_and_test_unchecked - increment and test
7138 + * @v: pointer of type atomic_unchecked_t
7139 + *
7140 + * Atomically increments @v by 1
7141 + * and returns true if the result is zero, or false for all
7142 + * other cases.
7143 + */
7144 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7145 +{
7146 + unsigned char c;
7147 +
7148 + asm volatile(LOCK_PREFIX "incl %0\n"
7149 + "sete %1\n"
7150 : "+m" (v->counter), "=qm" (c)
7151 : : "memory");
7152 return c != 0;
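Review bot: The checked `atomic_inc_and_test` ends its overflow path with `into`, where every other checked operation in this file and the atomic_64.h version of this same function use `int $4`. `into` traps only if OF is still set after the `lock decl` undo, which depends on the counter value at that moment. If another CPU changed the counter between the two locked instructions, the decrement can leave OF clear and the overflow goes unreported. I would make it `"int $4\n0:\n"` like the others. The function starts outside the hunk.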
7153 @@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
7154 {
7155 unsigned char c;
7156
7157 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7158 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7159 +
7160 +#ifdef CONFIG_PAX_REFCOUNT
7161 + "jno 0f\n"
7162 + LOCK_PREFIX "subl %2,%0\n"
7163 + "int $4\n0:\n"
7164 + _ASM_EXTABLE(0b, 0b)
7165 +#endif
7166 +
7167 + "sets %1\n"
7168 : "+m" (v->counter), "=qm" (c)
7169 : "ir" (i) : "memory");
7170 return c;
7171 @@ -179,6 +341,46 @@ static inline int atomic_add_return(int
7172 #endif
7173 /* Modern 486+ processor */
7174 __i = i;
7175 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7176 +
7177 +#ifdef CONFIG_PAX_REFCOUNT
7178 + "jno 0f\n"
7179 + "movl %0, %1\n"
7180 + "int $4\n0:\n"
7181 + _ASM_EXTABLE(0b, 0b)
7182 +#endif
7183 +
7184 + : "+r" (i), "+m" (v->counter)
7185 + : : "memory");
7186 + return i + __i;
7187 +
7188 +#ifdef CONFIG_M386
7189 +no_xadd: /* Legacy 386 processor */
7190 + local_irq_save(flags);
7191 + __i = atomic_read(v);
7192 + atomic_set(v, i + __i);
7193 + local_irq_restore(flags);
7194 + return i + __i;
7195 +#endif
7196 +}
7197 +
7198 +/**
7199 + * atomic_add_return_unchecked - add integer and return
7200 + * @v: pointer of type atomic_unchecked_t
7201 + * @i: integer value to add
7202 + *
7203 + * Atomically adds @i to @v and returns @i + @v
7204 + */
7205 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7206 +{
7207 + int __i;
7208 +#ifdef CONFIG_M386
7209 + unsigned long flags;
7210 + if (unlikely(boot_cpu_data.x86 <= 3))
7211 + goto no_xadd;
7212 +#endif
7213 + /* Modern 486+ processor */
7214 + __i = i;
7215 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7216 : "+r" (i), "+m" (v->counter)
7217 : : "memory");
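Review bot: On overflow the checked `atomic_add_return` restores the counter with a plain `movl %0, %1`, which writes back the value read by `xaddl` and so overwrites any update another CPU made in between. The other checked operations undo with a locked inverse instruction. Keeping the addend in its own input operand and undoing with `LOCK_PREFIX "subl %2, %1\n"` would match them, provided the constraints stop that operand from sharing the register `xaddl` overwrites. The atomic_64.h hunk for this function has the same `movl` undo. The CONFIG_M386 `no_xadd` fallback computes `i + __i` with no overflow check at all, which deserves at least a comment if that option can be combined with CONFIG_PAX_REFCOUNT. The function starts outside the hunk.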
7218 @@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
7219 return cmpxchg(&v->counter, old, new);
7220 }
7221
7222 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7223 +{
7224 + return cmpxchg(&v->counter, old, new);
7225 +}
7226 +
7227 static inline int atomic_xchg(atomic_t *v, int new)
7228 {
7229 return xchg(&v->counter, new);
7230 }
7231
7232 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7233 +{
7234 + return xchg(&v->counter, new);
7235 +}
7236 +
7237 /**
7238 * atomic_add_unless - add unless the number is already a given value
7239 * @v: pointer of type atomic_t
7240 @@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7241 */
7242 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7243 {
7244 - int c, old;
7245 + int c, old, new;
7246 c = atomic_read(v);
7247 for (;;) {
7248 - if (unlikely(c == (u)))
7249 + if (unlikely(c == u))
7250 break;
7251 - old = atomic_cmpxchg((v), c, c + (a));
7252 +
7253 + asm volatile("addl %2,%0\n"
7254 +
7255 +#ifdef CONFIG_PAX_REFCOUNT
7256 + "jno 0f\n"
7257 + "subl %2,%0\n"
7258 + "int $4\n0:\n"
7259 + _ASM_EXTABLE(0b, 0b)
7260 +#endif
7261 +
7262 + : "=r" (new)
7263 + : "0" (c), "ir" (a));
7264 +
7265 + old = atomic_cmpxchg(v, c, new);
7266 if (likely(old == c))
7267 break;
7268 c = old;
7269 }
7270 - return c != (u);
7271 + return c != u;
7272 }
7273
7274 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7275
7276 #define atomic_inc_return(v) (atomic_add_return(1, v))
7277 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7278 +{
7279 + return atomic_add_return_unchecked(1, v);
7280 +}
7281 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7282
7283 /* These are x86-specific, used by some header files */
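Review bot: After an overflow in the checked `atomic_add_unless`, the `subl` undo leaves `new == c`. If the trap resumes at label `0:` (as the `_ASM_EXTABLE(0b, 0b)` entry suggests), the following `atomic_cmpxchg(v, c, new)` stores the unchanged value and the function returns non-zero although nothing was added. That saturating behaviour is probably intended, but the kernel-doc above, only partly inside the hunk, gives callers such as `atomic_inc_not_zero` no hint of it. I would add a line like ` * Under CONFIG_PAX_REFCOUNT an overflowing add leaves @v unchanged.` to that comment. The function starts outside the hunk.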
7284 @@ -266,9 +495,18 @@ typedef struct {
7285 u64 __aligned(8) counter;
7286 } atomic64_t;
7287
7288 +#ifdef CONFIG_PAX_REFCOUNT
7289 +typedef struct {
7290 + u64 __aligned(8) counter;
7291 +} atomic64_unchecked_t;
7292 +#else
7293 +typedef atomic64_t atomic64_unchecked_t;
7294 +#endif
7295 +
7296 #define ATOMIC64_INIT(val) { (val) }
7297
7298 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7299 +extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7300
7301 /**
7302 * atomic64_xchg - xchg atomic64 variable
7303 @@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7304 * the old value.
7305 */
7306 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7307 +extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7308
7309 /**
7310 * atomic64_set - set atomic64 variable
7311 @@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7312 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7313
7314 /**
7315 + * atomic64_unchecked_set - set atomic64 variable
7316 + * @ptr: pointer to type atomic64_unchecked_t
7317 + * @new_val: value to assign
7318 + *
7319 + * Atomically sets the value of @ptr to @new_val.
7320 + */
7321 +extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7322 +
7323 +/**
7324 * atomic64_read - read atomic64 variable
7325 * @ptr: pointer to type atomic64_t
7326 *
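Review bot: The kernel-doc added for the new prototype is titled `atomic64_unchecked_set`, but the function it documents is `atomic64_set_unchecked`. Tools that pair a kernel-doc comment with its declaration by name will not match it, and a grep for the real name misses the comment. The title line should read ` * atomic64_set_unchecked - set atomic64 variable`.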
7327 @@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7328 return res;
7329 }
7330
7331 -extern u64 atomic64_read(atomic64_t *ptr);
7332 +/**
7333 + * atomic64_read_unchecked - read atomic64 variable
7334 + * @ptr: pointer to type atomic64_unchecked_t
7335 + *
7336 + * Atomically reads the value of @ptr and returns it.
7337 + */
7338 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7339 +{
7340 + u64 res;
7341 +
7342 + /*
7343 + * Note, we inline this atomic64_unchecked_t primitive because
7344 + * it only clobbers EAX/EDX and leaves the others
7345 + * untouched. We also (somewhat subtly) rely on the
7346 + * fact that cmpxchg8b returns the current 64-bit value
7347 + * of the memory location we are touching:
7348 + */
7349 + asm volatile(
7350 + "mov %%ebx, %%eax\n\t"
7351 + "mov %%ecx, %%edx\n\t"
7352 + LOCK_PREFIX "cmpxchg8b %1\n"
7353 + : "=&A" (res)
7354 + : "m" (*ptr)
7355 + );
7356 +
7357 + return res;
7358 +}
7359
7360 /**
7361 * atomic64_add_return - add and return
7362 @@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7363 * Other variants with different arithmetic operators:
7364 */
7365 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7366 +extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7367 extern u64 atomic64_inc_return(atomic64_t *ptr);
7368 +extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7369 extern u64 atomic64_dec_return(atomic64_t *ptr);
7370 +extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7371
7372 /**
7373 * atomic64_add - add integer to atomic64 variable
7374 @@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7375 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7376
7377 /**
7378 + * atomic64_add_unchecked - add integer to atomic64 variable
7379 + * @delta: integer value to add
7380 + * @ptr: pointer to type atomic64_unchecked_t
7381 + *
7382 + * Atomically adds @delta to @ptr.
7383 + */
7384 +extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7385 +
7386 +/**
7387 * atomic64_sub - subtract the atomic64 variable
7388 * @delta: integer value to subtract
7389 * @ptr: pointer to type atomic64_t
7390 @@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7391 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7392
7393 /**
7394 + * atomic64_sub_unchecked - subtract the atomic64 variable
7395 + * @delta: integer value to subtract
7396 + * @ptr: pointer to type atomic64_unchecked_t
7397 + *
7398 + * Atomically subtracts @delta from @ptr.
7399 + */
7400 +extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7401 +
7402 +/**
7403 * atomic64_sub_and_test - subtract value from variable and test result
7404 * @delta: integer value to subtract
7405 * @ptr: pointer to type atomic64_t
7406 @@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7407 extern void atomic64_inc(atomic64_t *ptr);
7408
7409 /**
7410 + * atomic64_inc_unchecked - increment atomic64 variable
7411 + * @ptr: pointer to type atomic64_unchecked_t
7412 + *
7413 + * Atomically increments @ptr by 1.
7414 + */
7415 +extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7416 +
7417 +/**
7418 * atomic64_dec - decrement atomic64 variable
7419 * @ptr: pointer to type atomic64_t
7420 *
7421 @@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7422 extern void atomic64_dec(atomic64_t *ptr);
7423
7424 /**
7425 + * atomic64_dec_unchecked - decrement atomic64 variable
7426 + * @ptr: pointer to type atomic64_unchecked_t
7427 + *
7428 + * Atomically decrements @ptr by 1.
7429 + */
7430 +extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7431 +
7432 +/**
7433 * atomic64_dec_and_test - decrement and test
7434 * @ptr: pointer to type atomic64_t
7435 *
7436 diff -urNp linux-2.6.32.43/arch/x86/include/asm/atomic_64.h linux-2.6.32.43/arch/x86/include/asm/atomic_64.h
7437 --- linux-2.6.32.43/arch/x86/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
7438 +++ linux-2.6.32.43/arch/x86/include/asm/atomic_64.h 2011-05-04 18:35:31.000000000 -0400
7439 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7440 }
7441
7442 /**
7443 + * atomic_read_unchecked - read atomic variable
7444 + * @v: pointer of type atomic_unchecked_t
7445 + *
7446 + * Atomically reads the value of @v.
7447 + */
7448 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7449 +{
7450 + return v->counter;
7451 +}
7452 +
7453 +/**
7454 * atomic_set - set atomic variable
7455 * @v: pointer of type atomic_t
7456 * @i: required value
7457 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7458 }
7459
7460 /**
7461 + * atomic_set_unchecked - set atomic variable
7462 + * @v: pointer of type atomic_unchecked_t
7463 + * @i: required value
7464 + *
7465 + * Atomically sets the value of @v to @i.
7466 + */
7467 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7468 +{
7469 + v->counter = i;
7470 +}
7471 +
7472 +/**
7473 * atomic_add - add integer to atomic variable
7474 * @i: integer value to add
7475 * @v: pointer of type atomic_t
7476 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7477 */
7478 static inline void atomic_add(int i, atomic_t *v)
7479 {
7480 - asm volatile(LOCK_PREFIX "addl %1,%0"
7481 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7482 +
7483 +#ifdef CONFIG_PAX_REFCOUNT
7484 + "jno 0f\n"
7485 + LOCK_PREFIX "subl %1,%0\n"
7486 + "int $4\n0:\n"
7487 + _ASM_EXTABLE(0b, 0b)
7488 +#endif
7489 +
7490 + : "=m" (v->counter)
7491 + : "ir" (i), "m" (v->counter));
7492 +}
7493 +
7494 +/**
7495 + * atomic_add_unchecked - add integer to atomic variable
7496 + * @i: integer value to add
7497 + * @v: pointer of type atomic_unchecked_t
7498 + *
7499 + * Atomically adds @i to @v.
7500 + */
7501 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7502 +{
7503 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7504 : "=m" (v->counter)
7505 : "ir" (i), "m" (v->counter));
7506 }
7507 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7508 */
7509 static inline void atomic_sub(int i, atomic_t *v)
7510 {
7511 - asm volatile(LOCK_PREFIX "subl %1,%0"
7512 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7513 +
7514 +#ifdef CONFIG_PAX_REFCOUNT
7515 + "jno 0f\n"
7516 + LOCK_PREFIX "addl %1,%0\n"
7517 + "int $4\n0:\n"
7518 + _ASM_EXTABLE(0b, 0b)
7519 +#endif
7520 +
7521 + : "=m" (v->counter)
7522 + : "ir" (i), "m" (v->counter));
7523 +}
7524 +
7525 +/**
7526 + * atomic_sub_unchecked - subtract the atomic variable
7527 + * @i: integer value to subtract
7528 + * @v: pointer of type atomic_unchecked_t
7529 + *
7530 + * Atomically subtracts @i from @v.
7531 + */
7532 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7533 +{
7534 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7535 : "=m" (v->counter)
7536 : "ir" (i), "m" (v->counter));
7537 }
7538 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7539 {
7540 unsigned char c;
7541
7542 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7543 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7544 +
7545 +#ifdef CONFIG_PAX_REFCOUNT
7546 + "jno 0f\n"
7547 + LOCK_PREFIX "addl %2,%0\n"
7548 + "int $4\n0:\n"
7549 + _ASM_EXTABLE(0b, 0b)
7550 +#endif
7551 +
7552 + "sete %1\n"
7553 : "=m" (v->counter), "=qm" (c)
7554 : "ir" (i), "m" (v->counter) : "memory");
7555 return c;
7556 @@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7557 */
7558 static inline void atomic_inc(atomic_t *v)
7559 {
7560 - asm volatile(LOCK_PREFIX "incl %0"
7561 + asm volatile(LOCK_PREFIX "incl %0\n"
7562 +
7563 +#ifdef CONFIG_PAX_REFCOUNT
7564 + "jno 0f\n"
7565 + LOCK_PREFIX "decl %0\n"
7566 + "int $4\n0:\n"
7567 + _ASM_EXTABLE(0b, 0b)
7568 +#endif
7569 +
7570 + : "=m" (v->counter)
7571 + : "m" (v->counter));
7572 +}
7573 +
7574 +/**
7575 + * atomic_inc_unchecked - increment atomic variable
7576 + * @v: pointer of type atomic_unchecked_t
7577 + *
7578 + * Atomically increments @v by 1.
7579 + */
7580 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7581 +{
7582 + asm volatile(LOCK_PREFIX "incl %0\n"
7583 : "=m" (v->counter)
7584 : "m" (v->counter));
7585 }
7586 @@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7587 */
7588 static inline void atomic_dec(atomic_t *v)
7589 {
7590 - asm volatile(LOCK_PREFIX "decl %0"
7591 + asm volatile(LOCK_PREFIX "decl %0\n"
7592 +
7593 +#ifdef CONFIG_PAX_REFCOUNT
7594 + "jno 0f\n"
7595 + LOCK_PREFIX "incl %0\n"
7596 + "int $4\n0:\n"
7597 + _ASM_EXTABLE(0b, 0b)
7598 +#endif
7599 +
7600 + : "=m" (v->counter)
7601 + : "m" (v->counter));
7602 +}
7603 +
7604 +/**
7605 + * atomic_dec_unchecked - decrement atomic variable
7606 + * @v: pointer of type atomic_unchecked_t
7607 + *
7608 + * Atomically decrements @v by 1.
7609 + */
7610 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7611 +{
7612 + asm volatile(LOCK_PREFIX "decl %0\n"
7613 : "=m" (v->counter)
7614 : "m" (v->counter));
7615 }
7616 @@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7617 {
7618 unsigned char c;
7619
7620 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7621 + asm volatile(LOCK_PREFIX "decl %0\n"
7622 +
7623 +#ifdef CONFIG_PAX_REFCOUNT
7624 + "jno 0f\n"
7625 + LOCK_PREFIX "incl %0\n"
7626 + "int $4\n0:\n"
7627 + _ASM_EXTABLE(0b, 0b)
7628 +#endif
7629 +
7630 + "sete %1\n"
7631 : "=m" (v->counter), "=qm" (c)
7632 : "m" (v->counter) : "memory");
7633 return c != 0;
7634 @@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7635 {
7636 unsigned char c;
7637
7638 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7639 + asm volatile(LOCK_PREFIX "incl %0\n"
7640 +
7641 +#ifdef CONFIG_PAX_REFCOUNT
7642 + "jno 0f\n"
7643 + LOCK_PREFIX "decl %0\n"
7644 + "int $4\n0:\n"
7645 + _ASM_EXTABLE(0b, 0b)
7646 +#endif
7647 +
7648 + "sete %1\n"
7649 + : "=m" (v->counter), "=qm" (c)
7650 + : "m" (v->counter) : "memory");
7651 + return c != 0;
7652 +}
7653 +
7654 +/**
7655 + * atomic_inc_and_test_unchecked - increment and test
7656 + * @v: pointer of type atomic_unchecked_t
7657 + *
7658 + * Atomically increments @v by 1
7659 + * and returns true if the result is zero, or false for all
7660 + * other cases.
7661 + */
7662 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7663 +{
7664 + unsigned char c;
7665 +
7666 + asm volatile(LOCK_PREFIX "incl %0\n"
7667 + "sete %1\n"
7668 : "=m" (v->counter), "=qm" (c)
7669 : "m" (v->counter) : "memory");
7670 return c != 0;
7671 @@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
7672 {
7673 unsigned char c;
7674
7675 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7676 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7677 +
7678 +#ifdef CONFIG_PAX_REFCOUNT
7679 + "jno 0f\n"
7680 + LOCK_PREFIX "subl %2,%0\n"
7681 + "int $4\n0:\n"
7682 + _ASM_EXTABLE(0b, 0b)
7683 +#endif
7684 +
7685 + "sets %1\n"
7686 : "=m" (v->counter), "=qm" (c)
7687 : "ir" (i), "m" (v->counter) : "memory");
7688 return c;
7689 @@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
7690 static inline int atomic_add_return(int i, atomic_t *v)
7691 {
7692 int __i = i;
7693 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
7694 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7695 +
7696 +#ifdef CONFIG_PAX_REFCOUNT
7697 + "jno 0f\n"
7698 + "movl %0, %1\n"
7699 + "int $4\n0:\n"
7700 + _ASM_EXTABLE(0b, 0b)
7701 +#endif
7702 +
7703 + : "+r" (i), "+m" (v->counter)
7704 + : : "memory");
7705 + return i + __i;
7706 +}
7707 +
7708 +/**
7709 + * atomic_add_return_unchecked - add and return
7710 + * @i: integer value to add
7711 + * @v: pointer of type atomic_unchecked_t
7712 + *
7713 + * Atomically adds @i to @v and returns @i + @v
7714 + */
7715 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7716 +{
7717 + int __i = i;
7718 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7719 : "+r" (i), "+m" (v->counter)
7720 : : "memory");
7721 return i + __i;
7722 @@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
7723 }
7724
7725 #define atomic_inc_return(v) (atomic_add_return(1, v))
7726 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7727 +{
7728 + return atomic_add_return_unchecked(1, v);
7729 +}
7730 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7731
7732 /* The 64-bit atomic type */
7733 @@ -204,6 +396,18 @@ static inline long atomic64_read(const a
7734 }
7735
7736 /**
7737 + * atomic64_read_unchecked - read atomic64 variable
7738 + * @v: pointer of type atomic64_unchecked_t
7739 + *
7740 + * Atomically reads the value of @v.
7741 + * Doesn't imply a read memory barrier.
7742 + */
7743 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
7744 +{
7745 + return v->counter;
7746 +}
7747 +
7748 +/**
7749 * atomic64_set - set atomic64 variable
7750 * @v: pointer to type atomic64_t
7751 * @i: required value
7752 @@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
7753 }
7754
7755 /**
7756 + * atomic64_set_unchecked - set atomic64 variable
7757 + * @v: pointer to type atomic64_unchecked_t
7758 + * @i: required value
7759 + *
7760 + * Atomically sets the value of @v to @i.
7761 + */
7762 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
7763 +{
7764 + v->counter = i;
7765 +}
7766 +
7767 +/**
7768 * atomic64_add - add integer to atomic64 variable
7769 * @i: integer value to add
7770 * @v: pointer to type atomic64_t
7771 @@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
7772 */
7773 static inline void atomic64_add(long i, atomic64_t *v)
7774 {
7775 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
7776 +
7777 +#ifdef CONFIG_PAX_REFCOUNT
7778 + "jno 0f\n"
7779 + LOCK_PREFIX "subq %1,%0\n"
7780 + "int $4\n0:\n"
7781 + _ASM_EXTABLE(0b, 0b)
7782 +#endif
7783 +
7784 + : "=m" (v->counter)
7785 + : "er" (i), "m" (v->counter));
7786 +}
7787 +
7788 +/**
7789 + * atomic64_add_unchecked - add integer to atomic64 variable
7790 + * @i: integer value to add
7791 + * @v: pointer to type atomic64_unchecked_t
7792 + *
7793 + * Atomically adds @i to @v.
7794 + */
7795 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
7796 +{
7797 asm volatile(LOCK_PREFIX "addq %1,%0"
7798 : "=m" (v->counter)
7799 : "er" (i), "m" (v->counter));
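Review bot: The kernel-doc above atomic64_add still describes an unconditional add, but with CONFIG_PAX_REFCOUNT the new body tests the overflow flag, undoes the add with a second locked `subq` and raises `int $4`. The comment should say so, e.g. `* With CONFIG_PAX_REFCOUNT a signed overflow is undone and reported via int $4.` The add and the compensating subtract are two separate locked instructions, so another CPU can briefly read the wrapped value in between, which is worth recording as a known limit. The same applies to the atomic64_sub, atomic64_sub_and_test, atomic64_inc, atomic64_dec, atomic64_dec_and_test, atomic64_inc_and_test and atomic64_add_negative hunks below. What the `int $4` handler does afterwards is not visible on this page.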
7800 @@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
7801 */
7802 static inline void atomic64_sub(long i, atomic64_t *v)
7803 {
7804 - asm volatile(LOCK_PREFIX "subq %1,%0"
7805 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
7806 +
7807 +#ifdef CONFIG_PAX_REFCOUNT
7808 + "jno 0f\n"
7809 + LOCK_PREFIX "addq %1,%0\n"
7810 + "int $4\n0:\n"
7811 + _ASM_EXTABLE(0b, 0b)
7812 +#endif
7813 +
7814 : "=m" (v->counter)
7815 : "er" (i), "m" (v->counter));
7816 }
7817 @@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
7818 {
7819 unsigned char c;
7820
7821 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
7822 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
7823 +
7824 +#ifdef CONFIG_PAX_REFCOUNT
7825 + "jno 0f\n"
7826 + LOCK_PREFIX "addq %2,%0\n"
7827 + "int $4\n0:\n"
7828 + _ASM_EXTABLE(0b, 0b)
7829 +#endif
7830 +
7831 + "sete %1\n"
7832 : "=m" (v->counter), "=qm" (c)
7833 : "er" (i), "m" (v->counter) : "memory");
7834 return c;
7835 @@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
7836 */
7837 static inline void atomic64_inc(atomic64_t *v)
7838 {
7839 + asm volatile(LOCK_PREFIX "incq %0\n"
7840 +
7841 +#ifdef CONFIG_PAX_REFCOUNT
7842 + "jno 0f\n"
7843 + LOCK_PREFIX "decq %0\n"
7844 + "int $4\n0:\n"
7845 + _ASM_EXTABLE(0b, 0b)
7846 +#endif
7847 +
7848 + : "=m" (v->counter)
7849 + : "m" (v->counter));
7850 +}
7851 +
7852 +/**
7853 + * atomic64_inc_unchecked - increment atomic64 variable
7854 + * @v: pointer to type atomic64_unchecked_t
7855 + *
7856 + * Atomically increments @v by 1.
7857 + */
7858 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
7859 +{
7860 asm volatile(LOCK_PREFIX "incq %0"
7861 : "=m" (v->counter)
7862 : "m" (v->counter));
7863 @@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
7864 */
7865 static inline void atomic64_dec(atomic64_t *v)
7866 {
7867 - asm volatile(LOCK_PREFIX "decq %0"
7868 + asm volatile(LOCK_PREFIX "decq %0\n"
7869 +
7870 +#ifdef CONFIG_PAX_REFCOUNT
7871 + "jno 0f\n"
7872 + LOCK_PREFIX "incq %0\n"
7873 + "int $4\n0:\n"
7874 + _ASM_EXTABLE(0b, 0b)
7875 +#endif
7876 +
7877 + : "=m" (v->counter)
7878 + : "m" (v->counter));
7879 +}
7880 +
7881 +/**
7882 + * atomic64_dec_unchecked - decrement atomic64 variable
7883 + * @v: pointer to type atomic64_t
7884 + *
7885 + * Atomically decrements @v by 1.
7886 + */
7887 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
7888 +{
7889 + asm volatile(LOCK_PREFIX "decq %0\n"
7890 : "=m" (v->counter)
7891 : "m" (v->counter));
7892 }
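Review bot: The kernel-doc added for atomic64_dec_unchecked describes `@v` as `pointer to type atomic64_t`, while the function takes `atomic64_unchecked_t *`. The line should read `* @v: pointer to type atomic64_unchecked_t`, as the atomic64_inc_unchecked comment added earlier already does. One more line stating that the _unchecked variant omits the overflow trap that atomic64_dec gains in this same hunk would tell a reader when each variant is appropriate.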
7893 @@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
7894 {
7895 unsigned char c;
7896
7897 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
7898 + asm volatile(LOCK_PREFIX "decq %0\n"
7899 +
7900 +#ifdef CONFIG_PAX_REFCOUNT
7901 + "jno 0f\n"
7902 + LOCK_PREFIX "incq %0\n"
7903 + "int $4\n0:\n"
7904 + _ASM_EXTABLE(0b, 0b)
7905 +#endif
7906 +
7907 + "sete %1\n"
7908 : "=m" (v->counter), "=qm" (c)
7909 : "m" (v->counter) : "memory");
7910 return c != 0;
7911 @@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
7912 {
7913 unsigned char c;
7914
7915 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
7916 + asm volatile(LOCK_PREFIX "incq %0\n"
7917 +
7918 +#ifdef CONFIG_PAX_REFCOUNT
7919 + "jno 0f\n"
7920 + LOCK_PREFIX "decq %0\n"
7921 + "int $4\n0:\n"
7922 + _ASM_EXTABLE(0b, 0b)
7923 +#endif
7924 +
7925 + "sete %1\n"
7926 : "=m" (v->counter), "=qm" (c)
7927 : "m" (v->counter) : "memory");
7928 return c != 0;
7929 @@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
7930 {
7931 unsigned char c;
7932
7933 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
7934 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
7935 +
7936 +#ifdef CONFIG_PAX_REFCOUNT
7937 + "jno 0f\n"
7938 + LOCK_PREFIX "subq %2,%0\n"
7939 + "int $4\n0:\n"
7940 + _ASM_EXTABLE(0b, 0b)
7941 +#endif
7942 +
7943 + "sets %1\n"
7944 : "=m" (v->counter), "=qm" (c)
7945 : "er" (i), "m" (v->counter) : "memory");
7946 return c;
7947 @@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
7948 static inline long atomic64_add_return(long i, atomic64_t *v)
7949 {
7950 long __i = i;
7951 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
7952 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
7953 +
7954 +#ifdef CONFIG_PAX_REFCOUNT
7955 + "jno 0f\n"
7956 + "movq %0, %1\n"
7957 + "int $4\n0:\n"
7958 + _ASM_EXTABLE(0b, 0b)
7959 +#endif
7960 +
7961 + : "+r" (i), "+m" (v->counter)
7962 + : : "memory");
7963 + return i + __i;
7964 +}
7965 +
7966 +/**
7967 + * atomic64_add_return_unchecked - add and return
7968 + * @i: integer value to add
7969 + * @v: pointer to type atomic64_unchecked_t
7970 + *
7971 + * Atomically adds @i to @v and returns @i + @v
7972 + */
7973 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
7974 +{
7975 + long __i = i;
7976 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
7977 : "+r" (i), "+m" (v->counter)
7978 : : "memory");
7979 return i + __i;
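Review bot: On the overflow path of atomic64_add_return the counter is put back with a plain `movq %0, %1`, not with a locked inverse operation as in atomic64_add and atomic64_sub, so an update made by another CPU between the `xaddq` and the `movq` would be overwritten. The function then still returns `i + __i`, which is the wrapped sum, although the stored counter holds the old value again. If that is intended (the trap is presumably the real signal), a comment should say so, e.g. `/* on overflow: counter is restored non-atomically and the return value is the wrapped sum */`. The 32-bit atomic_add_return at the top of this page has the same shape.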
7980 @@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
7981 }
7982
7983 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
7984 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7985 +{
7986 + return atomic64_add_return_unchecked(1, v);
7987 +}
7988 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
7989
7990 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
7991 @@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
7992 return cmpxchg(&v->counter, old, new);
7993 }
7994
7995 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
7996 +{
7997 + return cmpxchg(&v->counter, old, new);
7998 +}
7999 +
8000 static inline long atomic64_xchg(atomic64_t *v, long new)
8001 {
8002 return xchg(&v->counter, new);
8003 }
8004
8005 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8006 +{
8007 + return xchg(&v->counter, new);
8008 +}
8009 +
8010 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
8011 {
8012 return cmpxchg(&v->counter, old, new);
8013 }
8014
8015 +static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8016 +{
8017 + return cmpxchg(&v->counter, old, new);
8018 +}
8019 +
8020 static inline long atomic_xchg(atomic_t *v, int new)
8021 {
8022 return xchg(&v->counter, new);
8023 }
8024
8025 +static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8026 +{
8027 + return xchg(&v->counter, new);
8028 +}
8029 +
8030 /**
8031 * atomic_add_unless - add unless the number is a given value
8032 * @v: pointer of type atomic_t
8033 @@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
8034 */
8035 static inline int atomic_add_unless(atomic_t *v, int a, int u)
8036 {
8037 - int c, old;
8038 + int c, old, new;
8039 c = atomic_read(v);
8040 for (;;) {
8041 - if (unlikely(c == (u)))
8042 + if (unlikely(c == u))
8043 break;
8044 - old = atomic_cmpxchg((v), c, c + (a));
8045 +
8046 + asm volatile("addl %2,%0\n"
8047 +
8048 +#ifdef CONFIG_PAX_REFCOUNT
8049 + "jno 0f\n"
8050 + "subl %2,%0\n"
8051 + "int $4\n0:\n"
8052 + _ASM_EXTABLE(0b, 0b)
8053 +#endif
8054 +
8055 + : "=r" (new)
8056 + : "0" (c), "ir" (a));
8057 +
8058 + old = atomic_cmpxchg(v, c, new);
8059 if (likely(old == c))
8060 break;
8061 c = old;
8062 }
8063 - return c != (u);
8064 + return c != u;
8065 }
8066
8067 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
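Review bot: When the addition overflows, the `subl` sets `new` back to `c`, so the following `atomic_cmpxchg(v, c, new)` stores an unchanged value and the function still returns `c != u`, which a caller such as atomic_inc_not_zero reads as success. The counter then stays saturated while the caller believes it took a reference, assuming the `int $4` handler resumes at label 0 as the `_ASM_EXTABLE(0b, 0b)` entry suggests. That behaviour deserves a comment above the asm, e.g. `/* on overflow new == c: counter unchanged, caller still sees success */`. atomic64_add_unless in the next hunk is built the same way.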
8068 @@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
8069 */
8070 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8071 {
8072 - long c, old;
8073 + long c, old, new;
8074 c = atomic64_read(v);
8075 for (;;) {
8076 - if (unlikely(c == (u)))
8077 + if (unlikely(c == u))
8078 break;
8079 - old = atomic64_cmpxchg((v), c, c + (a));
8080 +
8081 + asm volatile("addq %2,%0\n"
8082 +
8083 +#ifdef CONFIG_PAX_REFCOUNT
8084 + "jno 0f\n"
8085 + "subq %2,%0\n"
8086 + "int $4\n0:\n"
8087 + _ASM_EXTABLE(0b, 0b)
8088 +#endif
8089 +
8090 + : "=r" (new)
8091 + : "0" (c), "er" (a));
8092 +
8093 + old = atomic64_cmpxchg(v, c, new);
8094 if (likely(old == c))
8095 break;
8096 c = old;
8097 }
8098 - return c != (u);
8099 + return c != u;
8100 }
8101
8102 /**
8103 diff -urNp linux-2.6.32.43/arch/x86/include/asm/bitops.h linux-2.6.32.43/arch/x86/include/asm/bitops.h
8104 --- linux-2.6.32.43/arch/x86/include/asm/bitops.h 2011-03-27 14:31:47.000000000 -0400
8105 +++ linux-2.6.32.43/arch/x86/include/asm/bitops.h 2011-04-17 15:56:46.000000000 -0400
8106 @@ -38,7 +38,7 @@
8107 * a mask operation on a byte.
8108 */
8109 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
8110 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
8111 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
8112 #define CONST_MASK(nr) (1 << ((nr) & 7))
8113
8114 /**
8115 diff -urNp linux-2.6.32.43/arch/x86/include/asm/boot.h linux-2.6.32.43/arch/x86/include/asm/boot.h
8116 --- linux-2.6.32.43/arch/x86/include/asm/boot.h 2011-03-27 14:31:47.000000000 -0400
8117 +++ linux-2.6.32.43/arch/x86/include/asm/boot.h 2011-04-17 15:56:46.000000000 -0400
8118 @@ -11,10 +11,15 @@
8119 #include <asm/pgtable_types.h>
8120
8121 /* Physical address where kernel should be loaded. */
8122 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8123 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8124 + (CONFIG_PHYSICAL_ALIGN - 1)) \
8125 & ~(CONFIG_PHYSICAL_ALIGN - 1))
8126
8127 +#ifndef __ASSEMBLY__
8128 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
8129 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
8130 +#endif
8131 +
8132 /* Minimum kernel alignment, as a power of two */
8133 #ifdef CONFIG_X86_64
8134 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
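Review bot: LOAD_PHYSICAL_ADDR is now defined only under `#ifndef __ASSEMBLY__`, and as the address of an external symbol, not as a constant expression, so it can no longer be used from assembly sources or in preprocessor and constant-initialiser contexts. The users of the macro are outside this hunk, so whether all of them were switched to `____LOAD_PHYSICAL_ADDR` cannot be checked here. A comment above the first define would make the split clear, e.g. `/* compile-time value; C code uses the address of __LOAD_PHYSICAL_ADDR instead */`.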
8135 diff -urNp linux-2.6.32.43/arch/x86/include/asm/cacheflush.h linux-2.6.32.43/arch/x86/include/asm/cacheflush.h
8136 --- linux-2.6.32.43/arch/x86/include/asm/cacheflush.h 2011-03-27 14:31:47.000000000 -0400
8137 +++ linux-2.6.32.43/arch/x86/include/asm/cacheflush.h 2011-04-17 15:56:46.000000000 -0400
8138 @@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
8139 static inline unsigned long get_page_memtype(struct page *pg)
8140 {
8141 if (!PageUncached(pg) && !PageWC(pg))
8142 - return -1;
8143 + return ~0UL;
8144 else if (!PageUncached(pg) && PageWC(pg))
8145 return _PAGE_CACHE_WC;
8146 else if (PageUncached(pg) && !PageWC(pg))
8147 @@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
8148 SetPageWC(pg);
8149 break;
8150 default:
8151 - case -1:
8152 + case ~0UL:
8153 ClearPageUncached(pg);
8154 ClearPageWC(pg);
8155 break;
8156 diff -urNp linux-2.6.32.43/arch/x86/include/asm/cache.h linux-2.6.32.43/arch/x86/include/asm/cache.h
8157 --- linux-2.6.32.43/arch/x86/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
8158 +++ linux-2.6.32.43/arch/x86/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
8159 @@ -5,9 +5,10 @@
8160
8161 /* L1 cache line size */
8162 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
8163 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8164 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8165
8166 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
8167 +#define __read_only __attribute__((__section__(".data.read_only")))
8168
8169 #ifdef CONFIG_X86_VSMP
8170 /* vSMP Internode cacheline shift */
8171 diff -urNp linux-2.6.32.43/arch/x86/include/asm/checksum_32.h linux-2.6.32.43/arch/x86/include/asm/checksum_32.h
8172 --- linux-2.6.32.43/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
8173 +++ linux-2.6.32.43/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
8174 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
8175 int len, __wsum sum,
8176 int *src_err_ptr, int *dst_err_ptr);
8177
8178 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
8179 + int len, __wsum sum,
8180 + int *src_err_ptr, int *dst_err_ptr);
8181 +
8182 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
8183 + int len, __wsum sum,
8184 + int *src_err_ptr, int *dst_err_ptr);
8185 +
8186 /*
8187 * Note: when you get a NULL pointer exception here this means someone
8188 * passed in an incorrect kernel address to one of these functions.
8189 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
8190 int *err_ptr)
8191 {
8192 might_sleep();
8193 - return csum_partial_copy_generic((__force void *)src, dst,
8194 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
8195 len, sum, err_ptr, NULL);
8196 }
8197
8198 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
8199 {
8200 might_sleep();
8201 if (access_ok(VERIFY_WRITE, dst, len))
8202 - return csum_partial_copy_generic(src, (__force void *)dst,
8203 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
8204 len, sum, NULL, err_ptr);
8205
8206 if (len)
8207 diff -urNp linux-2.6.32.43/arch/x86/include/asm/desc_defs.h linux-2.6.32.43/arch/x86/include/asm/desc_defs.h
8208 --- linux-2.6.32.43/arch/x86/include/asm/desc_defs.h 2011-03-27 14:31:47.000000000 -0400
8209 +++ linux-2.6.32.43/arch/x86/include/asm/desc_defs.h 2011-04-17 15:56:46.000000000 -0400
8210 @@ -31,6 +31,12 @@ struct desc_struct {
8211 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
8212 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
8213 };
8214 + struct {
8215 + u16 offset_low;
8216 + u16 seg;
8217 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
8218 + unsigned offset_high: 16;
8219 + } gate;
8220 };
8221 } __attribute__((packed));
8222
8223 diff -urNp linux-2.6.32.43/arch/x86/include/asm/desc.h linux-2.6.32.43/arch/x86/include/asm/desc.h
8224 --- linux-2.6.32.43/arch/x86/include/asm/desc.h 2011-03-27 14:31:47.000000000 -0400
8225 +++ linux-2.6.32.43/arch/x86/include/asm/desc.h 2011-04-23 12:56:10.000000000 -0400
8226 @@ -4,6 +4,7 @@
8227 #include <asm/desc_defs.h>
8228 #include <asm/ldt.h>
8229 #include <asm/mmu.h>
8230 +#include <asm/pgtable.h>
8231 #include <linux/smp.h>
8232
8233 static inline void fill_ldt(struct desc_struct *desc,
8234 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8235 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8236 desc->type = (info->read_exec_only ^ 1) << 1;
8237 desc->type |= info->contents << 2;
8238 + desc->type |= info->seg_not_present ^ 1;
8239 desc->s = 1;
8240 desc->dpl = 0x3;
8241 desc->p = info->seg_not_present ^ 1;
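Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present segment, and nothing in the hunk says why. Presumably this keeps the CPU from writing the accessed bit back into the descriptor when the segment is first loaded. If so, a comment such as `/* pre-set the accessed bit so loading the segment never writes to the table */` should record it. The rest of fill_ldt lies outside the hunk.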
8242 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8243 }
8244
8245 extern struct desc_ptr idt_descr;
8246 -extern gate_desc idt_table[];
8247 -
8248 -struct gdt_page {
8249 - struct desc_struct gdt[GDT_ENTRIES];
8250 -} __attribute__((aligned(PAGE_SIZE)));
8251 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8252 +extern gate_desc idt_table[256];
8253
8254 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8255 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8256 {
8257 - return per_cpu(gdt_page, cpu).gdt;
8258 + return cpu_gdt_table[cpu];
8259 }
8260
8261 #ifdef CONFIG_X86_64
8262 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8263 unsigned long base, unsigned dpl, unsigned flags,
8264 unsigned short seg)
8265 {
8266 - gate->a = (seg << 16) | (base & 0xffff);
8267 - gate->b = (base & 0xffff0000) |
8268 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8269 + gate->gate.offset_low = base;
8270 + gate->gate.seg = seg;
8271 + gate->gate.reserved = 0;
8272 + gate->gate.type = type;
8273 + gate->gate.s = 0;
8274 + gate->gate.dpl = dpl;
8275 + gate->gate.p = 1;
8276 + gate->gate.offset_high = base >> 16;
8277 }
8278
8279 #endif
8280 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8281 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8282 const gate_desc *gate)
8283 {
8284 + pax_open_kernel();
8285 memcpy(&idt[entry], gate, sizeof(*gate));
8286 + pax_close_kernel();
8287 }
8288
8289 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8290 const void *desc)
8291 {
8292 + pax_open_kernel();
8293 memcpy(&ldt[entry], desc, 8);
8294 + pax_close_kernel();
8295 }
8296
8297 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
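Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pairs added around the two `memcpy` calls carry no comment, and their definitions are not part of this file's hunks. A one-line comment such as `/* the descriptor tables are presumably mapped read-only; open a write window for this store only */` would record the intent, which is inferred here from the names. The same pair is added in native_write_gdt_entry, native_load_tr_desc and native_load_tls in the hunks below. In native_load_tr_desc it wraps an `ltr`, which merits its own comment because that instruction marks the TSS descriptor busy and so writes to the GDT. Keeping each window limited to the single store, as done here, is the property a later editor must not break.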
8298 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8299 size = sizeof(struct desc_struct);
8300 break;
8301 }
8302 +
8303 + pax_open_kernel();
8304 memcpy(&gdt[entry], desc, size);
8305 + pax_close_kernel();
8306 }
8307
8308 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8309 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8310
8311 static inline void native_load_tr_desc(void)
8312 {
8313 + pax_open_kernel();
8314 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8315 + pax_close_kernel();
8316 }
8317
8318 static inline void native_load_gdt(const struct desc_ptr *dtr)
8319 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8320 unsigned int i;
8321 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8322
8323 + pax_open_kernel();
8324 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8325 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8326 + pax_close_kernel();
8327 }
8328
8329 #define _LDT_empty(info) \
8330 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8331 desc->limit = (limit >> 16) & 0xf;
8332 }
8333
8334 -static inline void _set_gate(int gate, unsigned type, void *addr,
8335 +static inline void _set_gate(int gate, unsigned type, const void *addr,
8336 unsigned dpl, unsigned ist, unsigned seg)
8337 {
8338 gate_desc s;
8339 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8340 * Pentium F0 0F bugfix can have resulted in the mapped
8341 * IDT being write-protected.
8342 */
8343 -static inline void set_intr_gate(unsigned int n, void *addr)
8344 +static inline void set_intr_gate(unsigned int n, const void *addr)
8345 {
8346 BUG_ON((unsigned)n > 0xFF);
8347 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8348 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8349 /*
8350 * This routine sets up an interrupt gate at directory privilege level 3.
8351 */
8352 -static inline void set_system_intr_gate(unsigned int n, void *addr)
8353 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
8354 {
8355 BUG_ON((unsigned)n > 0xFF);
8356 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8357 }
8358
8359 -static inline void set_system_trap_gate(unsigned int n, void *addr)
8360 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
8361 {
8362 BUG_ON((unsigned)n > 0xFF);
8363 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8364 }
8365
8366 -static inline void set_trap_gate(unsigned int n, void *addr)
8367 +static inline void set_trap_gate(unsigned int n, const void *addr)
8368 {
8369 BUG_ON((unsigned)n > 0xFF);
8370 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8371 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8372 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8373 {
8374 BUG_ON((unsigned)n > 0xFF);
8375 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8376 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8377 }
8378
8379 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8380 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8381 {
8382 BUG_ON((unsigned)n > 0xFF);
8383 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8384 }
8385
8386 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8387 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8388 {
8389 BUG_ON((unsigned)n > 0xFF);
8390 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8391 }
8392
8393 +#ifdef CONFIG_X86_32
8394 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8395 +{
8396 + struct desc_struct d;
8397 +
8398 + if (likely(limit))
8399 + limit = (limit - 1UL) >> PAGE_SHIFT;
8400 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
8401 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8402 +}
8403 +#endif
8404 +
8405 #endif /* _ASM_X86_DESC_H */
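Review bot: set_user_cs passes the bare constants `0xFB` and `0xC` to pack_descriptor and has no comment describing its contract. Flags `0xC` include the granularity bit, so the `limit == 0` case, which skips the conversion, yields a descriptor with limit field 0 that still covers the first 4 KiB page. If zero is meant as "no executable range", that should be stated or handled. `cpu` indexes the GDT table without a range check, so the header comment should say callers must pass a valid CPU id. Suggested header: `/* Rewrite this CPU's user code segment; limit is in bytes and converted to pages. 0xFB = present, DPL 3, readable code, accessed; 0xC = 4K granularity, 32-bit. */`.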
8406 diff -urNp linux-2.6.32.43/arch/x86/include/asm/device.h linux-2.6.32.43/arch/x86/include/asm/device.h
8407 --- linux-2.6.32.43/arch/x86/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
8408 +++ linux-2.6.32.43/arch/x86/include/asm/device.h 2011-04-17 15:56:46.000000000 -0400
8409 @@ -6,7 +6,7 @@ struct dev_archdata {
8410 void *acpi_handle;
8411 #endif
8412 #ifdef CONFIG_X86_64
8413 -struct dma_map_ops *dma_ops;
8414 + const struct dma_map_ops *dma_ops;
8415 #endif
8416 #ifdef CONFIG_DMAR
8417 void *iommu; /* hook for IOMMU specific extension */
8418 diff -urNp linux-2.6.32.43/arch/x86/include/asm/dma-mapping.h linux-2.6.32.43/arch/x86/include/asm/dma-mapping.h
8419 --- linux-2.6.32.43/arch/x86/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
8420 +++ linux-2.6.32.43/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
8421 @@ -25,9 +25,9 @@ extern int iommu_merge;
8422 extern struct device x86_dma_fallback_dev;
8423 extern int panic_on_overflow;
8424
8425 -extern struct dma_map_ops *dma_ops;
8426 +extern const struct dma_map_ops *dma_ops;
8427
8428 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8429 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8430 {
8431 #ifdef CONFIG_X86_32
8432 return dma_ops;
8433 @@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8434 /* Make sure we keep the same behaviour */
8435 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8436 {
8437 - struct dma_map_ops *ops = get_dma_ops(dev);
8438 + const struct dma_map_ops *ops = get_dma_ops(dev);
8439 if (ops->mapping_error)
8440 return ops->mapping_error(dev, dma_addr);
8441
8442 @@ -122,7 +122,7 @@ static inline void *
8443 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8444 gfp_t gfp)
8445 {
8446 - struct dma_map_ops *ops = get_dma_ops(dev);
8447 + const struct dma_map_ops *ops = get_dma_ops(dev);
8448 void *memory;
8449
8450 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8451 @@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8452 static inline void dma_free_coherent(struct device *dev, size_t size,
8453 void *vaddr, dma_addr_t bus)
8454 {
8455 - struct dma_map_ops *ops = get_dma_ops(dev);
8456 + const struct dma_map_ops *ops = get_dma_ops(dev);
8457
8458 WARN_ON(irqs_disabled()); /* for portability */
8459
8460 diff -urNp linux-2.6.32.43/arch/x86/include/asm/e820.h linux-2.6.32.43/arch/x86/include/asm/e820.h
8461 --- linux-2.6.32.43/arch/x86/include/asm/e820.h 2011-03-27 14:31:47.000000000 -0400
8462 +++ linux-2.6.32.43/arch/x86/include/asm/e820.h 2011-04-17 15:56:46.000000000 -0400
8463 @@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8464 #define ISA_END_ADDRESS 0x100000
8465 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8466
8467 -#define BIOS_BEGIN 0x000a0000
8468 +#define BIOS_BEGIN 0x000c0000
8469 #define BIOS_END 0x00100000
8470
8471 #ifdef __KERNEL__
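Review bot: BIOS_BEGIN moves from `0x000a0000` to `0x000c0000` with no comment, which takes the 128 KiB at 0xa0000-0xbffff out of whatever range checks are built on BIOS_BEGIN and BIOS_END. The users of these macros are outside this hunk, so the effect cannot be confirmed from here. A comment next to the define should give the reason, e.g. `/* 0xa0000-0xbffff (legacy video memory) is deliberately not treated as BIOS area */`, if that is the intent.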
8472 diff -urNp linux-2.6.32.43/arch/x86/include/asm/elf.h linux-2.6.32.43/arch/x86/include/asm/elf.h
8473 --- linux-2.6.32.43/arch/x86/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
8474 +++ linux-2.6.32.43/arch/x86/include/asm/elf.h 2011-04-17 15:56:46.000000000 -0400
8475 @@ -257,7 +257,25 @@ extern int force_personality32;
8476 the loader. We need to make sure that it is out of the way of the program
8477 that it will "exec", and that there is sufficient room for the brk. */
8478
8479 +#ifdef CONFIG_PAX_SEGMEXEC
8480 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8481 +#else
8482 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8483 +#endif
8484 +
8485 +#ifdef CONFIG_PAX_ASLR
8486 +#ifdef CONFIG_X86_32
8487 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8488 +
8489 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8490 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8491 +#else
8492 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
8493 +
8494 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8495 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8496 +#endif
8497 +#endif
8498
8499 /* This yields a mask that user programs can use to figure out what
8500 instruction set this CPU supports. This could be done in user space,
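Review bot: The 32-bit PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN write `current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16` without parentheses around the flag test, unlike the ELF_ET_DYN_BASE line just above them. Writing `((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? 15 : 16)` keeps the two consistent and spares the reader from recalling that `&` binds tighter than `?:`. The macros are also bare numbers with no comment on what they count (presumably bits of randomisation, to be confirmed against their users outside this hunk). All of them, and the new ELF_ET_DYN_BASE, dereference `current->mm`, so a comment should note they are only valid where the task has an mm.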
8501 @@ -311,8 +329,7 @@ do { \
8502 #define ARCH_DLINFO \
8503 do { \
8504 if (vdso_enabled) \
8505 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8506 - (unsigned long)current->mm->context.vdso); \
8507 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
8508 } while (0)
8509
8510 #define AT_SYSINFO 32
8511 @@ -323,7 +340,7 @@ do { \
8512
8513 #endif /* !CONFIG_X86_32 */
8514
8515 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8516 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8517
8518 #define VDSO_ENTRY \
8519 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8520 @@ -337,7 +354,4 @@ extern int arch_setup_additional_pages(s
8521 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8522 #define compat_arch_setup_additional_pages syscall32_setup_pages
8523
8524 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8525 -#define arch_randomize_brk arch_randomize_brk
8526 -
8527 #endif /* _ASM_X86_ELF_H */
8528 diff -urNp linux-2.6.32.43/arch/x86/include/asm/emergency-restart.h linux-2.6.32.43/arch/x86/include/asm/emergency-restart.h
8529 --- linux-2.6.32.43/arch/x86/include/asm/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
8530 +++ linux-2.6.32.43/arch/x86/include/asm/emergency-restart.h 2011-05-22 23:02:06.000000000 -0400
8531 @@ -15,6 +15,6 @@ enum reboot_type {
8532
8533 extern enum reboot_type reboot_type;
8534
8535 -extern void machine_emergency_restart(void);
8536 +extern void machine_emergency_restart(void) __noreturn;
8537
8538 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8539 diff -urNp linux-2.6.32.43/arch/x86/include/asm/futex.h linux-2.6.32.43/arch/x86/include/asm/futex.h
8540 --- linux-2.6.32.43/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
8541 +++ linux-2.6.32.43/arch/x86/include/asm/futex.h 2011-04-17 15:56:46.000000000 -0400
8542 @@ -12,16 +12,18 @@
8543 #include <asm/system.h>
8544
8545 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8546 + typecheck(u32 *, uaddr); \
8547 asm volatile("1:\t" insn "\n" \
8548 "2:\t.section .fixup,\"ax\"\n" \
8549 "3:\tmov\t%3, %1\n" \
8550 "\tjmp\t2b\n" \
8551 "\t.previous\n" \
8552 _ASM_EXTABLE(1b, 3b) \
8553 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8554 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
8555 : "i" (-EFAULT), "0" (oparg), "1" (0))
8556
8557 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8558 + typecheck(u32 *, uaddr); \
8559 asm volatile("1:\tmovl %2, %0\n" \
8560 "\tmovl\t%0, %3\n" \
8561 "\t" insn "\n" \
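Review bot: With the added `typecheck(u32 *, uaddr);` line, `__futex_atomic_op1` and `__futex_atomic_op2` now expand to two statements, so a use as the body of an unbraced `if` or `else` would guard only the type check. The callers visible further down sit under `case` labels, where this is harmless, but the macros should be wrapped as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)`. The body of `__futex_atomic_op2` continues past the end of this hunk.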
8562 @@ -34,10 +36,10 @@
8563 _ASM_EXTABLE(1b, 4b) \
8564 _ASM_EXTABLE(2b, 4b) \
8565 : "=&a" (oldval), "=&r" (ret), \
8566 - "+m" (*uaddr), "=&r" (tem) \
8567 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
8568 : "r" (oparg), "i" (-EFAULT), "1" (0))
8569
8570 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8571 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8572 {
8573 int op = (encoded_op >> 28) & 7;
8574 int cmp = (encoded_op >> 24) & 15;
8575 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8576
8577 switch (op) {
8578 case FUTEX_OP_SET:
8579 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8580 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8581 break;
8582 case FUTEX_OP_ADD:
8583 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8584 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
8585 uaddr, oparg);
8586 break;
8587 case FUTEX_OP_OR:
8588 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
8589 return ret;
8590 }
8591
8592 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
8593 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
8594 int newval)
8595 {
8596
8597 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
8598 return -ENOSYS;
8599 #endif
8600
8601 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
8602 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
8603 return -EFAULT;
8604
8605 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
8606 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
8607 "2:\t.section .fixup, \"ax\"\n"
8608 "3:\tmov %2, %0\n"
8609 "\tjmp 2b\n"
8610 "\t.previous\n"
8611 _ASM_EXTABLE(1b, 3b)
8612 - : "=a" (oldval), "+m" (*uaddr)
8613 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
8614 : "i" (-EFAULT), "r" (newval), "0" (oldval)
8615 : "memory"
8616 );
8617 diff -urNp linux-2.6.32.43/arch/x86/include/asm/hw_irq.h linux-2.6.32.43/arch/x86/include/asm/hw_irq.h
8618 --- linux-2.6.32.43/arch/x86/include/asm/hw_irq.h 2011-03-27 14:31:47.000000000 -0400
8619 +++ linux-2.6.32.43/arch/x86/include/asm/hw_irq.h 2011-05-04 17:56:28.000000000 -0400
8620 @@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
8621 extern void enable_IO_APIC(void);
8622
8623 /* Statistics */
8624 -extern atomic_t irq_err_count;
8625 -extern atomic_t irq_mis_count;
8626 +extern atomic_unchecked_t irq_err_count;
8627 +extern atomic_unchecked_t irq_mis_count;
8628
8629 /* EISA */
8630 extern void eisa_set_level_irq(unsigned int irq);
8631 diff -urNp linux-2.6.32.43/arch/x86/include/asm/i387.h linux-2.6.32.43/arch/x86/include/asm/i387.h
8632 --- linux-2.6.32.43/arch/x86/include/asm/i387.h 2011-03-27 14:31:47.000000000 -0400
8633 +++ linux-2.6.32.43/arch/x86/include/asm/i387.h 2011-04-17 15:56:46.000000000 -0400
8634 @@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
8635 {
8636 int err;
8637
8638 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8639 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8640 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
8641 +#endif
8642 +
8643 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
8644 "2:\n"
8645 ".section .fixup,\"ax\"\n"
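Review bot: The added block silently rebases `fx` by `PAX_USER_SHADOW_BASE` when the pointer lies below that constant, with no comment, and the identical block is repeated in fxsave_user in the next hunk. A comment such as `/* UDEREF: reach the userland buffer through its shadow mapping */` would explain it, subject to confirmation against the definition of PAX_USER_SHADOW_BASE, which is not shown here. Since the two copies must stay in step, a small shared helper or macro would be a cleaner place for that comment. The asm that follows continues outside the hunk.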
8646 @@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
8647 {
8648 int err;
8649
8650 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8651 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8652 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
8653 +#endif
8654 +
8655 asm volatile("1: rex64/fxsave (%[fx])\n\t"
8656 "2:\n"
8657 ".section .fixup,\"ax\"\n"
8658 @@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
8659 }
8660
8661 /* We need a safe address that is cheap to find and that is already
8662 - in L1 during context switch. The best choices are unfortunately
8663 - different for UP and SMP */
8664 -#ifdef CONFIG_SMP
8665 -#define safe_address (__per_cpu_offset[0])
8666 -#else
8667 -#define safe_address (kstat_cpu(0).cpustat.user)
8668 -#endif
8669 + in L1 during context switch. */
8670 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
8671
8672 /*
8673 * These must be called with preempt disabled
8674 @@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
8675 struct thread_info *me = current_thread_info();
8676 preempt_disable();
8677 if (me->status & TS_USEDFPU)
8678 - __save_init_fpu(me->task);
8679 + __save_init_fpu(current);
8680 else
8681 clts();
8682 }
8683 diff -urNp linux-2.6.32.43/arch/x86/include/asm/io_32.h linux-2.6.32.43/arch/x86/include/asm/io_32.h
8684 --- linux-2.6.32.43/arch/x86/include/asm/io_32.h 2011-03-27 14:31:47.000000000 -0400
8685 +++ linux-2.6.32.43/arch/x86/include/asm/io_32.h 2011-04-17 15:56:46.000000000 -0400
8686 @@ -3,6 +3,7 @@
8687
8688 #include <linux/string.h>
8689 #include <linux/compiler.h>
8690 +#include <asm/processor.h>
8691
8692 /*
8693 * This file contains the definitions for the x86 IO instructions
8694 @@ -42,6 +43,17 @@
8695
8696 #ifdef __KERNEL__
8697
8698 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8699 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8700 +{
8701 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8702 +}
8703 +
8704 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8705 +{
8706 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8707 +}
8708 +
8709 #include <asm-generic/iomap.h>
8710
8711 #include <linux/vmalloc.h>
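Review bot: In `valid_phys_addr_range()` the sum `addr + count + PAGE_SIZE - 1` is computed in `unsigned long`, so it can wrap, and a wrapped sum compares below the limit and is accepted; `valid_mmap_phys_addr_range()` has the same shape with `pfn + (count >> PAGE_SHIFT)`. In this 32-bit header the shifted `unsigned long` value also stays below `1ULL << 20`, so the first check cannot fail once `x86_phys_bits` is 32 or more. Widening before the addition fixes both, e.g. `return (((u64)addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT));`, and makes the trailing `? 1 : 0` unnecessary. The identical pair added to io_64.h in the next file cannot be widened that way and needs an explicit guard such as `if (addr + count < addr) return 0;`.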
8712 diff -urNp linux-2.6.32.43/arch/x86/include/asm/io_64.h linux-2.6.32.43/arch/x86/include/asm/io_64.h
8713 --- linux-2.6.32.43/arch/x86/include/asm/io_64.h 2011-03-27 14:31:47.000000000 -0400
8714 +++ linux-2.6.32.43/arch/x86/include/asm/io_64.h 2011-04-17 15:56:46.000000000 -0400
8715 @@ -140,6 +140,17 @@ __OUTS(l)
8716
8717 #include <linux/vmalloc.h>
8718
8719 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8720 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8721 +{
8722 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8723 +}
8724 +
8725 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8726 +{
8727 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8728 +}
8729 +
8730 #include <asm-generic/iomap.h>
8731
8732 void __memcpy_fromio(void *, unsigned long, unsigned);
8733 diff -urNp linux-2.6.32.43/arch/x86/include/asm/iommu.h linux-2.6.32.43/arch/x86/include/asm/iommu.h
8734 --- linux-2.6.32.43/arch/x86/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
8735 +++ linux-2.6.32.43/arch/x86/include/asm/iommu.h 2011-04-17 15:56:46.000000000 -0400
8736 @@ -3,7 +3,7 @@
8737
8738 extern void pci_iommu_shutdown(void);
8739 extern void no_iommu_init(void);
8740 -extern struct dma_map_ops nommu_dma_ops;
8741 +extern const struct dma_map_ops nommu_dma_ops;
8742 extern int force_iommu, no_iommu;
8743 extern int iommu_detected;
8744 extern int iommu_pass_through;
8745 diff -urNp linux-2.6.32.43/arch/x86/include/asm/irqflags.h linux-2.6.32.43/arch/x86/include/asm/irqflags.h
8746 --- linux-2.6.32.43/arch/x86/include/asm/irqflags.h 2011-03-27 14:31:47.000000000 -0400
8747 +++ linux-2.6.32.43/arch/x86/include/asm/irqflags.h 2011-04-17 15:56:46.000000000 -0400
8748 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
8749 sti; \
8750 sysexit
8751
8752 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
8753 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
8754 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
8755 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
8756 +
8757 #else
8758 #define INTERRUPT_RETURN iret
8759 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
8760 diff -urNp linux-2.6.32.43/arch/x86/include/asm/kprobes.h linux-2.6.32.43/arch/x86/include/asm/kprobes.h
8761 --- linux-2.6.32.43/arch/x86/include/asm/kprobes.h 2011-03-27 14:31:47.000000000 -0400
8762 +++ linux-2.6.32.43/arch/x86/include/asm/kprobes.h 2011-04-23 12:56:12.000000000 -0400
8763 @@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
8764 #define BREAKPOINT_INSTRUCTION 0xcc
8765 #define RELATIVEJUMP_INSTRUCTION 0xe9
8766 #define MAX_INSN_SIZE 16
8767 -#define MAX_STACK_SIZE 64
8768 -#define MIN_STACK_SIZE(ADDR) \
8769 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
8770 - THREAD_SIZE - (unsigned long)(ADDR))) \
8771 - ? (MAX_STACK_SIZE) \
8772 - : (((unsigned long)current_thread_info()) + \
8773 - THREAD_SIZE - (unsigned long)(ADDR)))
8774 +#define MAX_STACK_SIZE 64UL
8775 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
8776
8777 #define flush_insn_slot(p) do { } while (0)
8778
8779 diff -urNp linux-2.6.32.43/arch/x86/include/asm/kvm_host.h linux-2.6.32.43/arch/x86/include/asm/kvm_host.h
8780 --- linux-2.6.32.43/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:01.000000000 -0400
8781 +++ linux-2.6.32.43/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:26.000000000 -0400
8782 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
8783 const struct trace_print_flags *exit_reasons_str;
8784 };
8785
8786 -extern struct kvm_x86_ops *kvm_x86_ops;
8787 +extern const struct kvm_x86_ops *kvm_x86_ops;
8788
8789 int kvm_mmu_module_init(void);
8790 void kvm_mmu_module_exit(void);
8791 diff -urNp linux-2.6.32.43/arch/x86/include/asm/local.h linux-2.6.32.43/arch/x86/include/asm/local.h
8792 --- linux-2.6.32.43/arch/x86/include/asm/local.h 2011-03-27 14:31:47.000000000 -0400
8793 +++ linux-2.6.32.43/arch/x86/include/asm/local.h 2011-04-17 15:56:46.000000000 -0400
8794 @@ -18,26 +18,58 @@ typedef struct {
8795
8796 static inline void local_inc(local_t *l)
8797 {
8798 - asm volatile(_ASM_INC "%0"
8799 + asm volatile(_ASM_INC "%0\n"
8800 +
8801 +#ifdef CONFIG_PAX_REFCOUNT
8802 + "jno 0f\n"
8803 + _ASM_DEC "%0\n"
8804 + "int $4\n0:\n"
8805 + _ASM_EXTABLE(0b, 0b)
8806 +#endif
8807 +
8808 : "+m" (l->a.counter));
8809 }
8810
8811 static inline void local_dec(local_t *l)
8812 {
8813 - asm volatile(_ASM_DEC "%0"
8814 + asm volatile(_ASM_DEC "%0\n"
8815 +
8816 +#ifdef CONFIG_PAX_REFCOUNT
8817 + "jno 0f\n"
8818 + _ASM_INC "%0\n"
8819 + "int $4\n0:\n"
8820 + _ASM_EXTABLE(0b, 0b)
8821 +#endif
8822 +
8823 : "+m" (l->a.counter));
8824 }
8825
8826 static inline void local_add(long i, local_t *l)
8827 {
8828 - asm volatile(_ASM_ADD "%1,%0"
8829 + asm volatile(_ASM_ADD "%1,%0\n"
8830 +
8831 +#ifdef CONFIG_PAX_REFCOUNT
8832 + "jno 0f\n"
8833 + _ASM_SUB "%1,%0\n"
8834 + "int $4\n0:\n"
8835 + _ASM_EXTABLE(0b, 0b)
8836 +#endif
8837 +
8838 : "+m" (l->a.counter)
8839 : "ir" (i));
8840 }
8841
8842 static inline void local_sub(long i, local_t *l)
8843 {
8844 - asm volatile(_ASM_SUB "%1,%0"
8845 + asm volatile(_ASM_SUB "%1,%0\n"
8846 +
8847 +#ifdef CONFIG_PAX_REFCOUNT
8848 + "jno 0f\n"
8849 + _ASM_ADD "%1,%0\n"
8850 + "int $4\n0:\n"
8851 + _ASM_EXTABLE(0b, 0b)
8852 +#endif
8853 +
8854 : "+m" (l->a.counter)
8855 : "ir" (i));
8856 }
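Review bot: The `CONFIG_PAX_REFCOUNT` sequence (`jno 0f`, the inverse operation, `int $4`, `_ASM_EXTABLE(0b, 0b)`) is pasted into `local_inc`, `local_dec`, `local_add` and `local_sub` here, and again in the `*_and_test`, `local_add_negative` and `local_add_return` hunks below, without any comment. A short comment at the first use, e.g. `/* on signed overflow: undo the update, then raise the overflow trap */`, would make the intent readable. The purpose of the self-referencing extable entry should be documented by someone who knows the `int $4` handler, which is not part of this file section. Because the undo is a separate instruction, the wrapped value is briefly present in `l->a.counter`, and the comment should say whether that is acceptable for `local_t` users.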
8857 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
8858 {
8859 unsigned char c;
8860
8861 - asm volatile(_ASM_SUB "%2,%0; sete %1"
8862 + asm volatile(_ASM_SUB "%2,%0\n"
8863 +
8864 +#ifdef CONFIG_PAX_REFCOUNT
8865 + "jno 0f\n"
8866 + _ASM_ADD "%2,%0\n"
8867 + "int $4\n0:\n"
8868 + _ASM_EXTABLE(0b, 0b)
8869 +#endif
8870 +
8871 + "sete %1\n"
8872 : "+m" (l->a.counter), "=qm" (c)
8873 : "ir" (i) : "memory");
8874 return c;
8875 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
8876 {
8877 unsigned char c;
8878
8879 - asm volatile(_ASM_DEC "%0; sete %1"
8880 + asm volatile(_ASM_DEC "%0\n"
8881 +
8882 +#ifdef CONFIG_PAX_REFCOUNT
8883 + "jno 0f\n"
8884 + _ASM_INC "%0\n"
8885 + "int $4\n0:\n"
8886 + _ASM_EXTABLE(0b, 0b)
8887 +#endif
8888 +
8889 + "sete %1\n"
8890 : "+m" (l->a.counter), "=qm" (c)
8891 : : "memory");
8892 return c != 0;
8893 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
8894 {
8895 unsigned char c;
8896
8897 - asm volatile(_ASM_INC "%0; sete %1"
8898 + asm volatile(_ASM_INC "%0\n"
8899 +
8900 +#ifdef CONFIG_PAX_REFCOUNT
8901 + "jno 0f\n"
8902 + _ASM_DEC "%0\n"
8903 + "int $4\n0:\n"
8904 + _ASM_EXTABLE(0b, 0b)
8905 +#endif
8906 +
8907 + "sete %1\n"
8908 : "+m" (l->a.counter), "=qm" (c)
8909 : : "memory");
8910 return c != 0;
8911 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
8912 {
8913 unsigned char c;
8914
8915 - asm volatile(_ASM_ADD "%2,%0; sets %1"
8916 + asm volatile(_ASM_ADD "%2,%0\n"
8917 +
8918 +#ifdef CONFIG_PAX_REFCOUNT
8919 + "jno 0f\n"
8920 + _ASM_SUB "%2,%0\n"
8921 + "int $4\n0:\n"
8922 + _ASM_EXTABLE(0b, 0b)
8923 +#endif
8924 +
8925 + "sets %1\n"
8926 : "+m" (l->a.counter), "=qm" (c)
8927 : "ir" (i) : "memory");
8928 return c;
8929 @@ -133,7 +201,15 @@ static inline long local_add_return(long
8930 #endif
8931 /* Modern 486+ processor */
8932 __i = i;
8933 - asm volatile(_ASM_XADD "%0, %1;"
8934 + asm volatile(_ASM_XADD "%0, %1\n"
8935 +
8936 +#ifdef CONFIG_PAX_REFCOUNT
8937 + "jno 0f\n"
8938 + _ASM_MOV "%0,%1\n"
8939 + "int $4\n0:\n"
8940 + _ASM_EXTABLE(0b, 0b)
8941 +#endif
8942 +
8943 : "+r" (i), "+m" (l->a.counter)
8944 : : "memory");
8945 return i + __i;
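Review bot: On the overflow path `local_add_return()` still returns `i + __i`, which is the wrapped sum that the new code has just rejected. After `xadd`, `%0` holds the old counter and `_ASM_MOV "%0,%1"` writes it back, so the stored counter and the returned value disagree if execution continues past `int $4`. Whether the trap handler can return to label `0:` is not visible in this hunk; if it can, the behaviour should at least be stated, e.g. `/* on overflow the counter is restored, but the value returned below is the wrapped sum */`. The function starts outside the hunk.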
8946 diff -urNp linux-2.6.32.43/arch/x86/include/asm/microcode.h linux-2.6.32.43/arch/x86/include/asm/microcode.h
8947 --- linux-2.6.32.43/arch/x86/include/asm/microcode.h 2011-03-27 14:31:47.000000000 -0400
8948 +++ linux-2.6.32.43/arch/x86/include/asm/microcode.h 2011-04-17 15:56:46.000000000 -0400
8949 @@ -12,13 +12,13 @@ struct device;
8950 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8951
8952 struct microcode_ops {
8953 - enum ucode_state (*request_microcode_user) (int cpu,
8954 + enum ucode_state (* const request_microcode_user) (int cpu,
8955 const void __user *buf, size_t size);
8956
8957 - enum ucode_state (*request_microcode_fw) (int cpu,
8958 + enum ucode_state (* const request_microcode_fw) (int cpu,
8959 struct device *device);
8960
8961 - void (*microcode_fini_cpu) (int cpu);
8962 + void (* const microcode_fini_cpu) (int cpu);
8963
8964 /*
8965 * The generic 'microcode_core' part guarantees that
8966 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
8967 extern struct ucode_cpu_info ucode_cpu_info[];
8968
8969 #ifdef CONFIG_MICROCODE_INTEL
8970 -extern struct microcode_ops * __init init_intel_microcode(void);
8971 +extern const struct microcode_ops * __init init_intel_microcode(void);
8972 #else
8973 -static inline struct microcode_ops * __init init_intel_microcode(void)
8974 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8975 {
8976 return NULL;
8977 }
8978 #endif /* CONFIG_MICROCODE_INTEL */
8979
8980 #ifdef CONFIG_MICROCODE_AMD
8981 -extern struct microcode_ops * __init init_amd_microcode(void);
8982 +extern const struct microcode_ops * __init init_amd_microcode(void);
8983 #else
8984 -static inline struct microcode_ops * __init init_amd_microcode(void)
8985 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8986 {
8987 return NULL;
8988 }
8989 diff -urNp linux-2.6.32.43/arch/x86/include/asm/mman.h linux-2.6.32.43/arch/x86/include/asm/mman.h
8990 --- linux-2.6.32.43/arch/x86/include/asm/mman.h 2011-03-27 14:31:47.000000000 -0400
8991 +++ linux-2.6.32.43/arch/x86/include/asm/mman.h 2011-04-17 15:56:46.000000000 -0400
8992 @@ -5,4 +5,14 @@
8993
8994 #include <asm-generic/mman.h>
8995
8996 +#ifdef __KERNEL__
8997 +#ifndef __ASSEMBLY__
8998 +#ifdef CONFIG_X86_32
8999 +#define arch_mmap_check i386_mmap_check
9000 +int i386_mmap_check(unsigned long addr, unsigned long len,
9001 + unsigned long flags);
9002 +#endif
9003 +#endif
9004 +#endif
9005 +
9006 #endif /* _ASM_X86_MMAN_H */
9007 diff -urNp linux-2.6.32.43/arch/x86/include/asm/mmu_context.h linux-2.6.32.43/arch/x86/include/asm/mmu_context.h
9008 --- linux-2.6.32.43/arch/x86/include/asm/mmu_context.h 2011-03-27 14:31:47.000000000 -0400
9009 +++ linux-2.6.32.43/arch/x86/include/asm/mmu_context.h 2011-04-17 15:56:46.000000000 -0400
9010 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
9011
9012 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
9013 {
9014 +
9015 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9016 + unsigned int i;
9017 + pgd_t *pgd;
9018 +
9019 + pax_open_kernel();
9020 + pgd = get_cpu_pgd(smp_processor_id());
9021 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
9022 + if (paravirt_enabled())
9023 + set_pgd(pgd+i, native_make_pgd(0));
9024 + else
9025 + pgd[i] = native_make_pgd(0);
9026 + pax_close_kernel();
9027 +#endif
9028 +
9029 #ifdef CONFIG_SMP
9030 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
9031 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
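Review bot: The `for` loop added to `enter_lazy_tlb()` has an unbraced `if`/`else` as its body and re-evaluates the loop-invariant `paravirt_enabled()` on every iteration. Bracing the loop body would make the nesting explicit, and a single `set_pgd(pgd + i, native_make_pgd(0));` may suffice if `set_pgd()` already resolves to the native store without paravirt — that depends on definitions outside this hunk. A comment such as `/* clear the pgd slots USER_PGD_PTRS..2*USER_PGD_PTRS-1 of this CPU's pgd */` would say what the block does. The function body continues past the end of the hunk.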
9032 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
9033 struct task_struct *tsk)
9034 {
9035 unsigned cpu = smp_processor_id();
9036 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
9037 + int tlbstate = TLBSTATE_OK;
9038 +#endif
9039
9040 if (likely(prev != next)) {
9041 #ifdef CONFIG_SMP
9042 +#ifdef CONFIG_X86_32
9043 + tlbstate = percpu_read(cpu_tlbstate.state);
9044 +#endif
9045 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9046 percpu_write(cpu_tlbstate.active_mm, next);
9047 #endif
9048 cpumask_set_cpu(cpu, mm_cpumask(next));
9049
9050 /* Re-load page tables */
9051 +#ifdef CONFIG_PAX_PER_CPU_PGD
9052 + pax_open_kernel();
9053 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9054 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9055 + pax_close_kernel();
9056 + load_cr3(get_cpu_pgd(cpu));
9057 +#else
9058 load_cr3(next->pgd);
9059 +#endif
9060
9061 /* stop flush ipis for the previous mm */
9062 cpumask_clear_cpu(cpu, mm_cpumask(prev));
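Review bot: The five-line `CONFIG_PAX_PER_CPU_PGD` block added under `/* Re-load page tables */` is repeated verbatim in the `else` branch in the next hunk, so the two copies have to be kept in sync by hand. Moving it into one `static inline` helper that takes `cpu` and `next` would leave a single call at each site inside the existing `#ifdef` (for instance `load_cpu_pgd(cpu, next);`, a name made up here). A one-line comment on what the clone and shadow steps populate would also help, since `__clone_user_pgds()` and `__shadow_user_pgds()` are defined outside this hunk. `switch_mm()` itself starts and ends outside the hunk.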
9063 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
9064 */
9065 if (unlikely(prev->context.ldt != next->context.ldt))
9066 load_LDT_nolock(&next->context);
9067 - }
9068 +
9069 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9070 + if (!nx_enabled) {
9071 + smp_mb__before_clear_bit();
9072 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
9073 + smp_mb__after_clear_bit();
9074 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9075 + }
9076 +#endif
9077 +
9078 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9079 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
9080 + prev->context.user_cs_limit != next->context.user_cs_limit))
9081 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9082 #ifdef CONFIG_SMP
9083 + else if (unlikely(tlbstate != TLBSTATE_OK))
9084 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9085 +#endif
9086 +#endif
9087 +
9088 + }
9089 else {
9090 +
9091 +#ifdef CONFIG_PAX_PER_CPU_PGD
9092 + pax_open_kernel();
9093 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9094 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9095 + pax_close_kernel();
9096 + load_cr3(get_cpu_pgd(cpu));
9097 +#endif
9098 +
9099 +#ifdef CONFIG_SMP
9100 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9101 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
9102
9103 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
9104 * tlb flush IPI delivery. We must reload CR3
9105 * to make sure to use no freed page tables.
9106 */
9107 +
9108 +#ifndef CONFIG_PAX_PER_CPU_PGD
9109 load_cr3(next->pgd);
9110 +#endif
9111 +
9112 load_LDT_nolock(&next->context);
9113 +
9114 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
9115 + if (!nx_enabled)
9116 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9117 +#endif
9118 +
9119 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9120 +#ifdef CONFIG_PAX_PAGEEXEC
9121 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
9122 +#endif
9123 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9124 +#endif
9125 +
9126 }
9127 - }
9128 #endif
9129 + }
9130 }
9131
9132 #define activate_mm(prev, next) \
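Review bot: The `cpu_set(cpu, next->context.cpu_user_cs_mask)` added in the `else` branch is guarded only by `CONFIG_X86_32 && CONFIG_PAX_PAGEEXEC`, while the field is declared in mmu.h under `CONFIG_PAX_PAGEEXEC && CONFIG_SMP` and the matching block in the `prev != next` branch spells out `&& defined(CONFIG_SMP)`. It compiles only because the previous hunk moved `#ifdef CONFIG_SMP` inside the `else` body. Writing the guard as `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)` here as well keeps the two sites consistent and survives a later move of the outer `#ifdef`. The relocated closing `#endif` would also read better as `#endif /* CONFIG_SMP */`.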
9133 diff -urNp linux-2.6.32.43/arch/x86/include/asm/mmu.h linux-2.6.32.43/arch/x86/include/asm/mmu.h
9134 --- linux-2.6.32.43/arch/x86/include/asm/mmu.h 2011-03-27 14:31:47.000000000 -0400
9135 +++ linux-2.6.32.43/arch/x86/include/asm/mmu.h 2011-04-17 15:56:46.000000000 -0400
9136 @@ -9,10 +9,23 @@
9137 * we put the segment information here.
9138 */
9139 typedef struct {
9140 - void *ldt;
9141 + struct desc_struct *ldt;
9142 int size;
9143 struct mutex lock;
9144 - void *vdso;
9145 + unsigned long vdso;
9146 +
9147 +#ifdef CONFIG_X86_32
9148 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
9149 + unsigned long user_cs_base;
9150 + unsigned long user_cs_limit;
9151 +
9152 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9153 + cpumask_t cpu_user_cs_mask;
9154 +#endif
9155 +
9156 +#endif
9157 +#endif
9158 +
9159 } mm_context_t;
9160
9161 #ifdef CONFIG_SMP
9162 diff -urNp linux-2.6.32.43/arch/x86/include/asm/module.h linux-2.6.32.43/arch/x86/include/asm/module.h
9163 --- linux-2.6.32.43/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
9164 +++ linux-2.6.32.43/arch/x86/include/asm/module.h 2011-04-23 13:18:57.000000000 -0400
9165 @@ -5,6 +5,7 @@
9166
9167 #ifdef CONFIG_X86_64
9168 /* X86_64 does not define MODULE_PROC_FAMILY */
9169 +#define MODULE_PROC_FAMILY ""
9170 #elif defined CONFIG_M386
9171 #define MODULE_PROC_FAMILY "386 "
9172 #elif defined CONFIG_M486
9173 @@ -59,13 +60,36 @@
9174 #error unknown processor family
9175 #endif
9176
9177 -#ifdef CONFIG_X86_32
9178 -# ifdef CONFIG_4KSTACKS
9179 -# define MODULE_STACKSIZE "4KSTACKS "
9180 -# else
9181 -# define MODULE_STACKSIZE ""
9182 -# endif
9183 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
9184 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9185 +#define MODULE_PAX_UDEREF "UDEREF "
9186 +#else
9187 +#define MODULE_PAX_UDEREF ""
9188 +#endif
9189 +
9190 +#ifdef CONFIG_PAX_KERNEXEC
9191 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
9192 +#else
9193 +#define MODULE_PAX_KERNEXEC ""
9194 +#endif
9195 +
9196 +#ifdef CONFIG_PAX_REFCOUNT
9197 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
9198 +#else
9199 +#define MODULE_PAX_REFCOUNT ""
9200 #endif
9201
9202 +#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
9203 +#define MODULE_STACKSIZE "4KSTACKS "
9204 +#else
9205 +#define MODULE_STACKSIZE ""
9206 +#endif
9207 +
9208 +#ifdef CONFIG_GRKERNSEC
9209 +#define MODULE_GRSEC "GRSECURITY "
9210 +#else
9211 +#define MODULE_GRSEC ""
9212 +#endif
9213 +
9214 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
9215 +
9216 #endif /* _ASM_X86_MODULE_H */
9217 diff -urNp linux-2.6.32.43/arch/x86/include/asm/page_64_types.h linux-2.6.32.43/arch/x86/include/asm/page_64_types.h
9218 --- linux-2.6.32.43/arch/x86/include/asm/page_64_types.h 2011-03-27 14:31:47.000000000 -0400
9219 +++ linux-2.6.32.43/arch/x86/include/asm/page_64_types.h 2011-04-17 15:56:46.000000000 -0400
9220 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
9221
9222 /* duplicated to the one in bootmem.h */
9223 extern unsigned long max_pfn;
9224 -extern unsigned long phys_base;
9225 +extern const unsigned long phys_base;
9226
9227 extern unsigned long __phys_addr(unsigned long);
9228 #define __phys_reloc_hide(x) (x)
9229 diff -urNp linux-2.6.32.43/arch/x86/include/asm/paravirt.h linux-2.6.32.43/arch/x86/include/asm/paravirt.h
9230 --- linux-2.6.32.43/arch/x86/include/asm/paravirt.h 2011-03-27 14:31:47.000000000 -0400
9231 +++ linux-2.6.32.43/arch/x86/include/asm/paravirt.h 2011-04-17 15:56:46.000000000 -0400
9232 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
9233 pv_mmu_ops.set_fixmap(idx, phys, flags);
9234 }
9235
9236 +#ifdef CONFIG_PAX_KERNEXEC
9237 +static inline unsigned long pax_open_kernel(void)
9238 +{
9239 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9240 +}
9241 +
9242 +static inline unsigned long pax_close_kernel(void)
9243 +{
9244 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9245 +}
9246 +#else
9247 +static inline unsigned long pax_open_kernel(void) { return 0; }
9248 +static inline unsigned long pax_close_kernel(void) { return 0; }
9249 +#endif
9250 +
9251 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9252
9253 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
9254 @@ -945,7 +960,7 @@ extern void default_banner(void);
9255
9256 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9257 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9258 -#define PARA_INDIRECT(addr) *%cs:addr
9259 +#define PARA_INDIRECT(addr) *%ss:addr
9260 #endif
9261
9262 #define INTERRUPT_RETURN \
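Review bot: `PARA_INDIRECT` changes its segment override from `%cs` to `%ss` with no comment, and nothing in the hunk says why the stack segment is the right one for reading the `pv_*_ops` tables. A comment on the define would help, e.g. `/* ops tables are data: read them through %ss rather than %cs */`. My guess is that this relates to the kernel code segment differing under KERNEXEC, which the author should confirm. The surrounding `#if`/`#else` that selects this definition starts outside the hunk.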
9263 @@ -1022,6 +1037,21 @@ extern void default_banner(void);
9264 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9265 CLBR_NONE, \
9266 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9267 +
9268 +#define GET_CR0_INTO_RDI \
9269 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9270 + mov %rax,%rdi
9271 +
9272 +#define SET_RDI_INTO_CR0 \
9273 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9274 +
9275 +#define GET_CR3_INTO_RDI \
9276 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9277 + mov %rax,%rdi
9278 +
9279 +#define SET_RDI_INTO_CR3 \
9280 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9281 +
9282 #endif /* CONFIG_X86_32 */
9283
9284 #endif /* __ASSEMBLY__ */
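Review bot: The paravirt `GET_CR0_INTO_RDI` and `GET_CR3_INTO_RDI` go through `%rax` (`mov %rax,%rdi`) and make an indirect call, whereas the native versions added in irqflags.h are a single `mov` that touches only `%rdi`. Code written against the native macros can therefore lose `%rax`, and possibly other call-clobbered registers, when paravirt is enabled; whether the called ops preserve them is not visible here. A comment stating the contract would help, e.g. `/* clobbers %rax; other registers per the pv op calling convention */`. The `PARA_SITE(..., CLBR_NONE, ...)` wrapper just above shows that this file otherwise declares clobbers explicitly, and these four macros bypass that.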
9285 diff -urNp linux-2.6.32.43/arch/x86/include/asm/paravirt_types.h linux-2.6.32.43/arch/x86/include/asm/paravirt_types.h
9286 --- linux-2.6.32.43/arch/x86/include/asm/paravirt_types.h 2011-03-27 14:31:47.000000000 -0400
9287 +++ linux-2.6.32.43/arch/x86/include/asm/paravirt_types.h 2011-08-05 20:33:55.000000000 -0400
9288 @@ -78,19 +78,19 @@ struct pv_init_ops {
9289 */
9290 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
9291 unsigned long addr, unsigned len);
9292 -};
9293 +} __no_const;
9294
9295
9296 struct pv_lazy_ops {
9297 /* Set deferred update mode, used for batching operations. */
9298 void (*enter)(void);
9299 void (*leave)(void);
9300 -};
9301 +} __no_const;
9302
9303 struct pv_time_ops {
9304 unsigned long long (*sched_clock)(void);
9305 unsigned long (*get_tsc_khz)(void);
9306 -};
9307 +} __no_const;
9308
9309 struct pv_cpu_ops {
9310 /* hooks for various privileged instructions */
9311 @@ -186,7 +186,7 @@ struct pv_cpu_ops {
9312
9313 void (*start_context_switch)(struct task_struct *prev);
9314 void (*end_context_switch)(struct task_struct *next);
9315 -};
9316 +} __no_const;
9317
9318 struct pv_irq_ops {
9319 /*
9320 @@ -217,7 +217,7 @@ struct pv_apic_ops {
9321 unsigned long start_eip,
9322 unsigned long start_esp);
9323 #endif
9324 -};
9325 +} __no_const;
9326
9327 struct pv_mmu_ops {
9328 unsigned long (*read_cr2)(void);
9329 @@ -316,6 +316,12 @@ struct pv_mmu_ops {
9330 an mfn. We can tell which is which from the index. */
9331 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9332 phys_addr_t phys, pgprot_t flags);
9333 +
9334 +#ifdef CONFIG_PAX_KERNEXEC
9335 + unsigned long (*pax_open_kernel)(void);
9336 + unsigned long (*pax_close_kernel)(void);
9337 +#endif
9338 +
9339 };
9340
9341 struct raw_spinlock;
9342 @@ -326,7 +332,7 @@ struct pv_lock_ops {
9343 void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
9344 int (*spin_trylock)(struct raw_spinlock *lock);
9345 void (*spin_unlock)(struct raw_spinlock *lock);
9346 -};
9347 +} __no_const;
9348
9349 /* This contains all the paravirt structures: we get a convenient
9350 * number for each function using the offset which we use to indicate
9351 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pci_x86.h linux-2.6.32.43/arch/x86/include/asm/pci_x86.h
9352 --- linux-2.6.32.43/arch/x86/include/asm/pci_x86.h 2011-03-27 14:31:47.000000000 -0400
9353 +++ linux-2.6.32.43/arch/x86/include/asm/pci_x86.h 2011-04-17 15:56:46.000000000 -0400
9354 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9355 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9356
9357 struct pci_raw_ops {
9358 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9359 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9360 int reg, int len, u32 *val);
9361 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9362 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9363 int reg, int len, u32 val);
9364 };
9365
9366 -extern struct pci_raw_ops *raw_pci_ops;
9367 -extern struct pci_raw_ops *raw_pci_ext_ops;
9368 +extern const struct pci_raw_ops *raw_pci_ops;
9369 +extern const struct pci_raw_ops *raw_pci_ext_ops;
9370
9371 -extern struct pci_raw_ops pci_direct_conf1;
9372 +extern const struct pci_raw_ops pci_direct_conf1;
9373 extern bool port_cf9_safe;
9374
9375 /* arch_initcall level */
9376 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgalloc.h linux-2.6.32.43/arch/x86/include/asm/pgalloc.h
9377 --- linux-2.6.32.43/arch/x86/include/asm/pgalloc.h 2011-03-27 14:31:47.000000000 -0400
9378 +++ linux-2.6.32.43/arch/x86/include/asm/pgalloc.h 2011-04-17 15:56:46.000000000 -0400
9379 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9380 pmd_t *pmd, pte_t *pte)
9381 {
9382 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9383 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9384 +}
9385 +
9386 +static inline void pmd_populate_user(struct mm_struct *mm,
9387 + pmd_t *pmd, pte_t *pte)
9388 +{
9389 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9390 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9391 }
9392
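Review bot: `pmd_populate_kernel()` now installs `_KERNPG_TABLE`, and the new `pmd_populate_user()` is the same body with `_PAGE_TABLE`, but neither function says which callers are meant to use which. A comment on each would make the split clear, e.g. `/* kernel mappings only: the pmd entry carries no _PAGE_USER */` and `/* page tables that must be reachable from user mode */`. Existing callers of `pmd_populate_kernel()` that relied on the old flags are outside this hunk and need checking against the new behaviour. The signature of `pmd_populate_kernel()` begins before the hunk.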
9393 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.43/arch/x86/include/asm/pgtable-2level.h
9394 --- linux-2.6.32.43/arch/x86/include/asm/pgtable-2level.h 2011-03-27 14:31:47.000000000 -0400
9395 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:56:46.000000000 -0400
9396 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9397
9398 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9399 {
9400 + pax_open_kernel();
9401 *pmdp = pmd;
9402 + pax_close_kernel();
9403 }
9404
9405 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
9406 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable_32.h linux-2.6.32.43/arch/x86/include/asm/pgtable_32.h
9407 --- linux-2.6.32.43/arch/x86/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
9408 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
9409 @@ -26,9 +26,6 @@
9410 struct mm_struct;
9411 struct vm_area_struct;
9412
9413 -extern pgd_t swapper_pg_dir[1024];
9414 -extern pgd_t trampoline_pg_dir[1024];
9415 -
9416 static inline void pgtable_cache_init(void) { }
9417 static inline void check_pgt_cache(void) { }
9418 void paging_init(void);
9419 @@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9420 # include <asm/pgtable-2level.h>
9421 #endif
9422
9423 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9424 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9425 +#ifdef CONFIG_X86_PAE
9426 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9427 +#endif
9428 +
9429 #if defined(CONFIG_HIGHPTE)
9430 #define __KM_PTE \
9431 (in_nmi() ? KM_NMI_PTE : \
9432 @@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9433 /* Clear a kernel PTE and flush it from the TLB */
9434 #define kpte_clear_flush(ptep, vaddr) \
9435 do { \
9436 + pax_open_kernel(); \
9437 pte_clear(&init_mm, (vaddr), (ptep)); \
9438 + pax_close_kernel(); \
9439 __flush_tlb_one((vaddr)); \
9440 } while (0)
9441
9442 @@ -85,6 +90,9 @@ do { \
9443
9444 #endif /* !__ASSEMBLY__ */
9445
9446 +#define HAVE_ARCH_UNMAPPED_AREA
9447 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9448 +
9449 /*
9450 * kern_addr_valid() is (1) for FLATMEM and (0) for
9451 * SPARSEMEM and DISCONTIGMEM
9452 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.43/arch/x86/include/asm/pgtable_32_types.h
9453 --- linux-2.6.32.43/arch/x86/include/asm/pgtable_32_types.h 2011-03-27 14:31:47.000000000 -0400
9454 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:56:46.000000000 -0400
9455 @@ -8,7 +8,7 @@
9456 */
9457 #ifdef CONFIG_X86_PAE
9458 # include <asm/pgtable-3level_types.h>
9459 -# define PMD_SIZE (1UL << PMD_SHIFT)
9460 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9461 # define PMD_MASK (~(PMD_SIZE - 1))
9462 #else
9463 # include <asm/pgtable-2level_types.h>
9464 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9465 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9466 #endif
9467
9468 +#ifdef CONFIG_PAX_KERNEXEC
9469 +#ifndef __ASSEMBLY__
9470 +extern unsigned char MODULES_EXEC_VADDR[];
9471 +extern unsigned char MODULES_EXEC_END[];
9472 +#endif
9473 +#include <asm/boot.h>
9474 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9475 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9476 +#else
9477 +#define ktla_ktva(addr) (addr)
9478 +#define ktva_ktla(addr) (addr)
9479 +#endif
9480 +
9481 #define MODULES_VADDR VMALLOC_START
9482 #define MODULES_END VMALLOC_END
9483 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
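Review bot: In the `CONFIG_PAX_KERNEXEC` branch, `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses. An argument containing a lower-precedence operator, such as `a | b` or a `?:` expression, would then be regrouped by the following `+` or `-`. They should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions in the `#else` branch already parenthesise the argument.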
9484 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.43/arch/x86/include/asm/pgtable-3level.h
9485 --- linux-2.6.32.43/arch/x86/include/asm/pgtable-3level.h 2011-03-27 14:31:47.000000000 -0400
9486 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:56:46.000000000 -0400
9487 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9488
9489 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9490 {
9491 + pax_open_kernel();
9492 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9493 + pax_close_kernel();
9494 }
9495
9496 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9497 {
9498 + pax_open_kernel();
9499 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9500 + pax_close_kernel();
9501 }
9502
9503 /*
9504 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable_64.h linux-2.6.32.43/arch/x86/include/asm/pgtable_64.h
9505 --- linux-2.6.32.43/arch/x86/include/asm/pgtable_64.h 2011-03-27 14:31:47.000000000 -0400
9506 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable_64.h 2011-04-17 15:56:46.000000000 -0400
9507 @@ -16,10 +16,13 @@
9508
9509 extern pud_t level3_kernel_pgt[512];
9510 extern pud_t level3_ident_pgt[512];
9511 +extern pud_t level3_vmalloc_pgt[512];
9512 +extern pud_t level3_vmemmap_pgt[512];
9513 +extern pud_t level2_vmemmap_pgt[512];
9514 extern pmd_t level2_kernel_pgt[512];
9515 extern pmd_t level2_fixmap_pgt[512];
9516 -extern pmd_t level2_ident_pgt[512];
9517 -extern pgd_t init_level4_pgt[];
9518 +extern pmd_t level2_ident_pgt[512*2];
9519 +extern pgd_t init_level4_pgt[512];
9520
9521 #define swapper_pg_dir init_level4_pgt
9522
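Review bot: `level2_vmemmap_pgt` is declared as `pud_t`, while every other `level2_*` table in this block (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t` and the `level3_*` tables are `pud_t`. If the definition is a pmd table the line should read `extern pmd_t level2_vmemmap_pgt[512];`. The definition is outside this hunk, so it needs checking there. The literal bounds `512` and `512*2` could also use `PTRS_PER_PUD`, `PTRS_PER_PMD` and `PTRS_PER_PGD`, as the pgtable_32.h part of this patch does for `swapper_pg_dir`.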
9523 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9524
9525 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9526 {
9527 + pax_open_kernel();
9528 *pmdp = pmd;
9529 + pax_close_kernel();
9530 }
9531
9532 static inline void native_pmd_clear(pmd_t *pmd)
9533 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
9534
9535 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9536 {
9537 + pax_open_kernel();
9538 *pgdp = pgd;
9539 + pax_close_kernel();
9540 }
9541
9542 static inline void native_pgd_clear(pgd_t *pgd)
9543 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.43/arch/x86/include/asm/pgtable_64_types.h
9544 --- linux-2.6.32.43/arch/x86/include/asm/pgtable_64_types.h 2011-03-27 14:31:47.000000000 -0400
9545 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:56:46.000000000 -0400
9546 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9547 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9548 #define MODULES_END _AC(0xffffffffff000000, UL)
9549 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9550 +#define MODULES_EXEC_VADDR MODULES_VADDR
9551 +#define MODULES_EXEC_END MODULES_END
9552 +
9553 +#define ktla_ktva(addr) (addr)
9554 +#define ktva_ktla(addr) (addr)
9555
9556 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
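Review bot: `ktla_ktva()` and `ktva_ktla()` are added without a comment, and as identity macros nothing at the definition says which conversion they stand for. A one-line comment above them would help, for example `/* kernel text linear <-> virtual address; identity on x86_64 */`. That expansion of the abbreviation is my reading of the names and should be confirmed against the non-identity definitions elsewhere in the patch. Without it a reader cannot tell whether a call site that omits the macro is a bug or merely harmless on this architecture.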
9557 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable.h linux-2.6.32.43/arch/x86/include/asm/pgtable.h
9558 --- linux-2.6.32.43/arch/x86/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
9559 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable.h 2011-04-17 15:56:46.000000000 -0400
9560 @@ -74,12 +74,51 @@ extern struct list_head pgd_list;
9561
9562 #define arch_end_context_switch(prev) do {} while(0)
9563
9564 +#define pax_open_kernel() native_pax_open_kernel()
9565 +#define pax_close_kernel() native_pax_close_kernel()
9566 #endif /* CONFIG_PARAVIRT */
9567
9568 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
9569 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
9570 +
9571 +#ifdef CONFIG_PAX_KERNEXEC
9572 +static inline unsigned long native_pax_open_kernel(void)
9573 +{
9574 + unsigned long cr0;
9575 +
9576 + preempt_disable();
9577 + barrier();
9578 + cr0 = read_cr0() ^ X86_CR0_WP;
9579 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
9580 + write_cr0(cr0);
9581 + return cr0 ^ X86_CR0_WP;
9582 +}
9583 +
9584 +static inline unsigned long native_pax_close_kernel(void)
9585 +{
9586 + unsigned long cr0;
9587 +
9588 + cr0 = read_cr0() ^ X86_CR0_WP;
9589 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
9590 + write_cr0(cr0);
9591 + barrier();
9592 + preempt_enable_no_resched();
9593 + return cr0 ^ X86_CR0_WP;
9594 +}
9595 +#else
9596 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
9597 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
9598 +#endif
9599 +
9600 /*
9601 * The following only work if pte_present() is true.
9602 * Undefined behaviour if not..
9603 */
9604 +static inline int pte_user(pte_t pte)
9605 +{
9606 + return pte_val(pte) & _PAGE_USER;
9607 +}
9608 +
9609 static inline int pte_dirty(pte_t pte)
9610 {
9611 return pte_flags(pte) & _PAGE_DIRTY;
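Review bot: `native_pax_open_kernel()` disables preemption but not interrupts before clearing `X86_CR0_WP`, so any interrupt handler that runs between open and close executes with write protection lifted on that CPU. If that is intended it should be stated in a comment above the pair, together with the rules the two `BUG_ON`s enforce: the calls must not nest, and every open must be matched by a close on the same CPU. Something like `/* open/close must be paired and non-nested; the region between them must not sleep; interrupts stay enabled */` would do. The close path also uses `preempt_enable_no_resched()`, so a reschedule that became pending inside the window is deferred, which is worth a word in the same comment.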
9612 @@ -167,9 +206,29 @@ static inline pte_t pte_wrprotect(pte_t
9613 return pte_clear_flags(pte, _PAGE_RW);
9614 }
9615
9616 +static inline pte_t pte_mkread(pte_t pte)
9617 +{
9618 + return __pte(pte_val(pte) | _PAGE_USER);
9619 +}
9620 +
9621 static inline pte_t pte_mkexec(pte_t pte)
9622 {
9623 - return pte_clear_flags(pte, _PAGE_NX);
9624 +#ifdef CONFIG_X86_PAE
9625 + if (__supported_pte_mask & _PAGE_NX)
9626 + return pte_clear_flags(pte, _PAGE_NX);
9627 + else
9628 +#endif
9629 + return pte_set_flags(pte, _PAGE_USER);
9630 +}
9631 +
9632 +static inline pte_t pte_exprotect(pte_t pte)
9633 +{
9634 +#ifdef CONFIG_X86_PAE
9635 + if (__supported_pte_mask & _PAGE_NX)
9636 + return pte_set_flags(pte, _PAGE_NX);
9637 + else
9638 +#endif
9639 + return pte_clear_flags(pte, _PAGE_USER);
9640 }
9641
9642 static inline pte_t pte_mkdirty(pte_t pte)
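Review bot: In `pte_mkexec()` and `pte_exprotect()` the `else` sits inside the `#ifdef CONFIG_X86_PAE` block while the statement it governs sits after the `#endif`, so the control flow only parses as intended because the fallback is a single statement. Since the `if` branch returns, the `else` can be dropped: keep `if (__supported_pte_mask & _PAGE_NX) return pte_clear_flags(pte, _PAGE_NX);` inside the `#ifdef` and follow the `#endif` with an unconditional `return pte_set_flags(pte, _PAGE_USER);`. A short comment saying that `_PAGE_USER` stands in for execute permission when NX is unavailable would also help, because `pte_mkread()` sets the same bit; I infer that meaning from the pairing of the two branches. `pte_mkread()` spells the operation as `__pte(pte_val(pte) | _PAGE_USER)` where the others use `pte_set_flags()`, and one form throughout would read better.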
9643 @@ -302,6 +361,15 @@ pte_t *populate_extra_pte(unsigned long
9644 #endif
9645
9646 #ifndef __ASSEMBLY__
9647 +
9648 +#ifdef CONFIG_PAX_PER_CPU_PGD
9649 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
9650 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
9651 +{
9652 + return cpu_pgd[cpu];
9653 +}
9654 +#endif
9655 +
9656 #include <linux/mm_types.h>
9657
9658 static inline int pte_none(pte_t pte)
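Review bot: `get_cpu_pgd()` indexes `cpu_pgd[cpu]` without checking `cpu` against `NR_CPUS`, and the result is a page-table root that callers will read and write through. Callers are outside this hunk, so the argument may always be a valid CPU id. If so, say that in a comment such as `/* cpu must be a valid CPU id (< NR_CPUS) */`, or add a debug-only assertion.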
9659 @@ -472,7 +540,7 @@ static inline pud_t *pud_offset(pgd_t *p
9660
9661 static inline int pgd_bad(pgd_t pgd)
9662 {
9663 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
9664 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
9665 }
9666
9667 static inline int pgd_none(pgd_t pgd)
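Review bot: `pgd_bad()` now ignores `_PAGE_NX` as well as `_PAGE_USER`, which loosens a sanity check, and nothing here records why an NX bit on a top-level entry is legitimate. A comment of the form `/* NX is tolerated on PGD entries because <reason> */` would make the change reviewable; the reason is not visible in this hunk, so the wording has to come from the author. Another hunk of this patch defines `_PAGE_NX` as the `_PAGE_BIT_HIDDEN` software bit on 32-bit non-PAE builds, so on those builds this mask tolerates that bit as well.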
9668 @@ -495,7 +563,12 @@ static inline int pgd_none(pgd_t pgd)
9669 * pgd_offset() returns a (pgd_t *)
9670 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
9671 */
9672 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
9673 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
9674 +
9675 +#ifdef CONFIG_PAX_PER_CPU_PGD
9676 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
9677 +#endif
9678 +
9679 /*
9680 * a shortcut which implies the use of the kernel's pgd, instead
9681 * of a process's
9682 @@ -506,6 +579,20 @@ static inline int pgd_none(pgd_t pgd)
9683 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
9684 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
9685
9686 +#ifdef CONFIG_X86_32
9687 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
9688 +#else
9689 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
9690 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
9691 +
9692 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9693 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
9694 +#else
9695 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
9696 +#endif
9697 +
9698 +#endif
9699 +
9700 #ifndef __ASSEMBLY__
9701
9702 extern int direct_gbpages;
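Review bot: `USER_PGD_PTRS` shifts by `TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT` with no check that the configured value is at least `PGDIR_SHIFT`; a smaller value would make the shift count negative. The Kconfig range for `CONFIG_TASK_SIZE_MAX_SHIFT` is not on this page and may already rule that out. If it does not, a guard next to the definition, `#if TASK_SIZE_MAX_SHIFT < PGDIR_SHIFT` followed by `#error`, keeps a bad configuration from building. The nested `#endif` lines would also read more easily with trailing comments naming `CONFIG_PAX_MEMORY_UDEREF` and `CONFIG_X86_32`.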
9703 @@ -611,11 +698,23 @@ static inline void ptep_set_wrprotect(st
9704 * dst and src can be on the same page, but the range must not overlap,
9705 * and must not cross a page boundary.
9706 */
9707 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
9708 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
9709 {
9710 - memcpy(dst, src, count * sizeof(pgd_t));
9711 + pax_open_kernel();
9712 + while (count--)
9713 + *dst++ = *src++;
9714 + pax_close_kernel();
9715 }
9716
9717 +#ifdef CONFIG_PAX_PER_CPU_PGD
9718 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9719 +#endif
9720 +
9721 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9722 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9723 +#else
9724 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
9725 +#endif
9726
9727 #include <asm-generic/pgtable.h>
9728 #endif /* __ASSEMBLY__ */
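Review bot: `clone_pgd_range()` takes a signed `count` and loops with `while (count--)`, so a negative argument does not stop at zero and the stores continue while `pax_open_kernel()` has the write window open. `while (count-- > 0)` costs nothing and makes a zero or negative count a no-op. The comment above the function, which starts outside the hunk, still describes non-overlapping ranges within one page, and the element-wise copy continues to rely on that.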
9729 diff -urNp linux-2.6.32.43/arch/x86/include/asm/pgtable_types.h linux-2.6.32.43/arch/x86/include/asm/pgtable_types.h
9730 --- linux-2.6.32.43/arch/x86/include/asm/pgtable_types.h 2011-03-27 14:31:47.000000000 -0400
9731 +++ linux-2.6.32.43/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:56:46.000000000 -0400
9732 @@ -16,12 +16,11 @@
9733 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
9734 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
9735 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
9736 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
9737 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
9738 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
9739 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
9740 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
9741 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
9742 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
9743 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
9744 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
9745
9746 /* If _PAGE_BIT_PRESENT is clear, we use these: */
9747 @@ -39,7 +38,6 @@
9748 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
9749 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
9750 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
9751 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
9752 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
9753 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
9754 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
9755 @@ -55,8 +53,10 @@
9756
9757 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
9758 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
9759 -#else
9760 +#elif defined(CONFIG_KMEMCHECK)
9761 #define _PAGE_NX (_AT(pteval_t, 0))
9762 +#else
9763 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
9764 #endif
9765
9766 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
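Review bot: On 32-bit non-PAE builds without kmemcheck, `_PAGE_NX` is now a non-zero software bit at position `_PAGE_BIT_HIDDEN`, and the `#elif` ladder carries no comment saying so. Code that treats a non-zero `_PAGE_NX` as proof of hardware NX would misread it, and the only thing recording that the bit is shared with kmemcheck is the `#elif` itself. A comment on the last branch, for example `/* no hardware NX: software-only marker, reuses the kmemcheck HIDDEN bit */`, would state both facts. The `_PAGE_BIT_NX` comment "only valid after cpuid check" shown in an earlier hunk does not cover this case either.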
9767 @@ -93,6 +93,9 @@
9768 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
9769 _PAGE_ACCESSED)
9770
9771 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
9772 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
9773 +
9774 #define __PAGE_KERNEL_EXEC \
9775 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
9776 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
9777 @@ -103,8 +106,8 @@
9778 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
9779 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
9780 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
9781 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
9782 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
9783 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
9784 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
9785 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
9786 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
9787 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
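Review bot: `__PAGE_KERNEL_VSYSCALL_NOCACHE` is now written out as `__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER` instead of being derived from `__PAGE_KERNEL_VSYSCALL`, so the two definitions can drift apart on the next change. With the new `__PAGE_KERNEL_VSYSCALL` the previous spelling yields the same bits: `#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)`. Keeping the derivation makes it obvious that both vsyscall mappings moved from the RX base to the RO base together.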
9788 @@ -163,8 +166,8 @@
9789 * bits are combined, this will alow user to access the high address mapped
9790 * VDSO in the presence of CONFIG_COMPAT_VDSO
9791 */
9792 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
9793 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
9794 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9795 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9796 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
9797 #endif
9798
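Review bot: The comment that ends just above these defines explains that the combined attribute bits let user space reach the high-mapped VDSO under `CONFIG_COMPAT_VDSO`, but `PDE_IDENT_ATTR` no longer contains the USER bit, so the comment now describes behaviour the values do not provide. It should be updated to say the identity mappings are kernel-only and to note the consequence for `CONFIG_COMPAT_VDSO`. The comment starts outside the hunk, so its full wording needs checking. `PTE_IDENT_ATTR` and `PDE_IDENT_ATTR` are now identical and could be defined one in terms of the other.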
9799 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
9800 {
9801 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
9802 }
9803 +#endif
9804
9805 +#if PAGETABLE_LEVELS == 3
9806 +#include <asm-generic/pgtable-nopud.h>
9807 +#endif
9808 +
9809 +#if PAGETABLE_LEVELS == 2
9810 +#include <asm-generic/pgtable-nopmd.h>
9811 +#endif
9812 +
9813 +#ifndef __ASSEMBLY__
9814 #if PAGETABLE_LEVELS > 3
9815 typedef struct { pudval_t pud; } pud_t;
9816
9817 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
9818 return pud.pud;
9819 }
9820 #else
9821 -#include <asm-generic/pgtable-nopud.h>
9822 -
9823 static inline pudval_t native_pud_val(pud_t pud)
9824 {
9825 return native_pgd_val(pud.pgd);
9826 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
9827 return pmd.pmd;
9828 }
9829 #else
9830 -#include <asm-generic/pgtable-nopmd.h>
9831 -
9832 static inline pmdval_t native_pmd_val(pmd_t pmd)
9833 {
9834 return native_pgd_val(pmd.pud.pgd);
9835 @@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
9836
9837 extern pteval_t __supported_pte_mask;
9838 extern void set_nx(void);
9839 +
9840 +#ifdef CONFIG_X86_32
9841 +#ifdef CONFIG_X86_PAE
9842 extern int nx_enabled;
9843 +#else
9844 +#define nx_enabled (0)
9845 +#endif
9846 +#else
9847 +#define nx_enabled (1)
9848 +#endif
9849
9850 #define pgprot_writecombine pgprot_writecombine
9851 extern pgprot_t pgprot_writecombine(pgprot_t prot);
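Review bot: Defining `nx_enabled` as the constant `(1)` on 64-bit makes every test of it true regardless of what the CPU reports or what was requested at boot, and any remaining assignment to it stops compiling. `set_nx()` and the users of `nx_enabled` are outside this hunk, so they may already have been adjusted. If NX can still be turned off on x86_64, those tests should look at `__supported_pte_mask & _PAGE_NX` instead. The nested `#else`/`#endif` lines would benefit from trailing `/* CONFIG_X86_PAE */` and `/* CONFIG_X86_32 */` comments.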
9852 diff -urNp linux-2.6.32.43/arch/x86/include/asm/processor.h linux-2.6.32.43/arch/x86/include/asm/processor.h
9853 --- linux-2.6.32.43/arch/x86/include/asm/processor.h 2011-04-22 19:16:29.000000000 -0400
9854 +++ linux-2.6.32.43/arch/x86/include/asm/processor.h 2011-05-11 18:25:15.000000000 -0400
9855 @@ -272,7 +272,7 @@ struct tss_struct {
9856
9857 } ____cacheline_aligned;
9858
9859 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
9860 +extern struct tss_struct init_tss[NR_CPUS];
9861
9862 /*
9863 * Save the original ist values for checking stack pointers during debugging
9864 @@ -888,11 +888,18 @@ static inline void spin_lock_prefetch(co
9865 */
9866 #define TASK_SIZE PAGE_OFFSET
9867 #define TASK_SIZE_MAX TASK_SIZE
9868 +
9869 +#ifdef CONFIG_PAX_SEGMEXEC
9870 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
9871 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
9872 +#else
9873 #define STACK_TOP TASK_SIZE
9874 -#define STACK_TOP_MAX STACK_TOP
9875 +#endif
9876 +
9877 +#define STACK_TOP_MAX TASK_SIZE
9878
9879 #define INIT_THREAD { \
9880 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9881 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9882 .vm86_info = NULL, \
9883 .sysenter_cs = __KERNEL_CS, \
9884 .io_bitmap_ptr = NULL, \
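Review bot: The new `STACK_TOP` dereferences `current->mm` unconditionally, and that pointer is NULL for a task that has no address space. Whether any caller can evaluate `STACK_TOP` in such a context is not visible here. If one can, the macro needs a guard; otherwise a comment such as `/* only valid where current->mm is set */` should say so. The `- 8` added to `.sp0` below it is a bare number, as are the same change in `INIT_TSS` and the `- 16` in the 64-bit variants; a named constant or a comment on what the reserved bytes are for would help. The `INIT_THREAD` initialiser continues outside this hunk.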
9885 @@ -906,7 +913,7 @@ static inline void spin_lock_prefetch(co
9886 */
9887 #define INIT_TSS { \
9888 .x86_tss = { \
9889 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9890 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9891 .ss0 = __KERNEL_DS, \
9892 .ss1 = __KERNEL_CS, \
9893 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
9894 @@ -917,11 +924,7 @@ static inline void spin_lock_prefetch(co
9895 extern unsigned long thread_saved_pc(struct task_struct *tsk);
9896
9897 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
9898 -#define KSTK_TOP(info) \
9899 -({ \
9900 - unsigned long *__ptr = (unsigned long *)(info); \
9901 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
9902 -})
9903 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
9904
9905 /*
9906 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
9907 @@ -936,7 +939,7 @@ extern unsigned long thread_saved_pc(str
9908 #define task_pt_regs(task) \
9909 ({ \
9910 struct pt_regs *__regs__; \
9911 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
9912 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
9913 __regs__ - 1; \
9914 })
9915
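Review bot: The comment shown at the end of the previous hunk, "The below -8 is to reserve 8 bytes on top of the ring0 stack", no longer matches `task_pt_regs()`, which now reads `(task)->thread.sp0` with no subtraction. The reservation appears to have moved into the `.sp0` initialisers of `INIT_THREAD` and `INIT_TSS`. The comment should move with it, or be reworded to say that `thread.sp0` already excludes the reserved bytes. The rest of that comment lies outside both hunks.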
9916 @@ -946,13 +949,13 @@ extern unsigned long thread_saved_pc(str
9917 /*
9918 * User space process size. 47bits minus one guard page.
9919 */
9920 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
9921 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
9922
9923 /* This decides where the kernel will search for a free chunk of vm
9924 * space during mmap's.
9925 */
9926 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
9927 - 0xc0000000 : 0xFFFFe000)
9928 + 0xc0000000 : 0xFFFFf000)
9929
9930 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
9931 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
9932 @@ -963,11 +966,11 @@ extern unsigned long thread_saved_pc(str
9933 #define STACK_TOP_MAX TASK_SIZE_MAX
9934
9935 #define INIT_THREAD { \
9936 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9937 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9938 }
9939
9940 #define INIT_TSS { \
9941 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9942 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9943 }
9944
9945 /*
9946 @@ -989,6 +992,10 @@ extern void start_thread(struct pt_regs
9947 */
9948 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
9949
9950 +#ifdef CONFIG_PAX_SEGMEXEC
9951 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
9952 +#endif
9953 +
9954 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
9955
9956 /* Get/set a process' ability to use the timestamp counter instruction */
9957 diff -urNp linux-2.6.32.43/arch/x86/include/asm/ptrace.h linux-2.6.32.43/arch/x86/include/asm/ptrace.h
9958 --- linux-2.6.32.43/arch/x86/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
9959 +++ linux-2.6.32.43/arch/x86/include/asm/ptrace.h 2011-04-17 15:56:46.000000000 -0400
9960 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
9961 }
9962
9963 /*
9964 - * user_mode_vm(regs) determines whether a register set came from user mode.
9965 + * user_mode(regs) determines whether a register set came from user mode.
9966 * This is true if V8086 mode was enabled OR if the register set was from
9967 * protected mode with RPL-3 CS value. This tricky test checks that with
9968 * one comparison. Many places in the kernel can bypass this full check
9969 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
9970 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
9971 + * be used.
9972 */
9973 -static inline int user_mode(struct pt_regs *regs)
9974 +static inline int user_mode_novm(struct pt_regs *regs)
9975 {
9976 #ifdef CONFIG_X86_32
9977 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
9978 #else
9979 - return !!(regs->cs & 3);
9980 + return !!(regs->cs & SEGMENT_RPL_MASK);
9981 #endif
9982 }
9983
9984 -static inline int user_mode_vm(struct pt_regs *regs)
9985 +static inline int user_mode(struct pt_regs *regs)
9986 {
9987 #ifdef CONFIG_X86_32
9988 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
9989 USER_RPL;
9990 #else
9991 - return user_mode(regs);
9992 + return user_mode_novm(regs);
9993 #endif
9994 }
9995
9996 diff -urNp linux-2.6.32.43/arch/x86/include/asm/reboot.h linux-2.6.32.43/arch/x86/include/asm/reboot.h
9997 --- linux-2.6.32.43/arch/x86/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
9998 +++ linux-2.6.32.43/arch/x86/include/asm/reboot.h 2011-08-05 20:33:55.000000000 -0400
9999 @@ -6,19 +6,19 @@
10000 struct pt_regs;
10001
10002 struct machine_ops {
10003 - void (*restart)(char *cmd);
10004 - void (*halt)(void);
10005 - void (*power_off)(void);
10006 + void (* __noreturn restart)(char *cmd);
10007 + void (* __noreturn halt)(void);
10008 + void (* __noreturn power_off)(void);
10009 void (*shutdown)(void);
10010 void (*crash_shutdown)(struct pt_regs *);
10011 - void (*emergency_restart)(void);
10012 -};
10013 + void (* __noreturn emergency_restart)(void);
10014 +} __no_const;
10015
10016 extern struct machine_ops machine_ops;
10017
10018 void native_machine_crash_shutdown(struct pt_regs *regs);
10019 void native_machine_shutdown(void);
10020 -void machine_real_restart(const unsigned char *code, int length);
10021 +void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
10022
10023 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
10024 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
10025 diff -urNp linux-2.6.32.43/arch/x86/include/asm/rwsem.h linux-2.6.32.43/arch/x86/include/asm/rwsem.h
10026 --- linux-2.6.32.43/arch/x86/include/asm/rwsem.h 2011-03-27 14:31:47.000000000 -0400
10027 +++ linux-2.6.32.43/arch/x86/include/asm/rwsem.h 2011-04-17 15:56:46.000000000 -0400
10028 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
10029 {
10030 asm volatile("# beginning down_read\n\t"
10031 LOCK_PREFIX _ASM_INC "(%1)\n\t"
10032 +
10033 +#ifdef CONFIG_PAX_REFCOUNT
10034 + "jno 0f\n"
10035 + LOCK_PREFIX _ASM_DEC "(%1)\n\t"
10036 + "int $4\n0:\n"
10037 + _ASM_EXTABLE(0b, 0b)
10038 +#endif
10039 +
10040 /* adds 0x00000001, returns the old value */
10041 " jns 1f\n"
10042 " call call_rwsem_down_read_failed\n"
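Review bot: The overflow sequence added under `CONFIG_PAX_REFCOUNT` has no comment, and it is repeated almost verbatim in every rwsem.h and spinlock.h hunk that follows. A reader needs to know that `jno` skips the block when the arithmetic did not overflow, that the next instruction undoes the update, and that `int $4` with `_ASM_EXTABLE(0b, 0b)` hands control to an overflow handler defined elsewhere. A single macro carrying that comment and taking the undo instruction as its argument would replace the copies. On the overflow path, if the handler returns, the following `jns` tests flags left by the undo instruction rather than by the original increment, which deserves a sentence if it is intentional. `__down_read()` begins and ends outside this hunk.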
10043 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
10044 "1:\n\t"
10045 " mov %1,%2\n\t"
10046 " add %3,%2\n\t"
10047 +
10048 +#ifdef CONFIG_PAX_REFCOUNT
10049 + "jno 0f\n"
10050 + "sub %3,%2\n"
10051 + "int $4\n0:\n"
10052 + _ASM_EXTABLE(0b, 0b)
10053 +#endif
10054 +
10055 " jle 2f\n\t"
10056 LOCK_PREFIX " cmpxchg %2,%0\n\t"
10057 " jnz 1b\n\t"
10058 @@ -160,6 +176,14 @@ static inline void __down_write_nested(s
10059 tmp = RWSEM_ACTIVE_WRITE_BIAS;
10060 asm volatile("# beginning down_write\n\t"
10061 LOCK_PREFIX " xadd %1,(%2)\n\t"
10062 +
10063 +#ifdef CONFIG_PAX_REFCOUNT
10064 + "jno 0f\n"
10065 + "mov %1,(%2)\n"
10066 + "int $4\n0:\n"
10067 + _ASM_EXTABLE(0b, 0b)
10068 +#endif
10069 +
10070 /* subtract 0x0000ffff, returns the old value */
10071 " test %1,%1\n\t"
10072 /* was the count 0 before? */
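Review bot: The undo step for the `xadd` forms is a plain `mov %1,(%2)`, which is not an atomic read-modify-write, unlike the `LOCK_PREFIX`ed `dec`/`sub` used to undo the `inc`/`add` forms. An update made by another CPU between the `xadd` and the `mov` would be overwritten with the stale old value. This only matters on the overflow path, which is already an error condition, but either a comment should say the loss is accepted or the undo should be restructured as a locked operation. The same `mov` undo appears in the `__up_read()`, `__up_write()` and `rwsem_atomic_update()` hunks. `__down_write_nested()` begins and ends outside this hunk.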
10073 @@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
10074 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
10075 asm volatile("# beginning __up_read\n\t"
10076 LOCK_PREFIX " xadd %1,(%2)\n\t"
10077 +
10078 +#ifdef CONFIG_PAX_REFCOUNT
10079 + "jno 0f\n"
10080 + "mov %1,(%2)\n"
10081 + "int $4\n0:\n"
10082 + _ASM_EXTABLE(0b, 0b)
10083 +#endif
10084 +
10085 /* subtracts 1, returns the old value */
10086 " jns 1f\n\t"
10087 " call call_rwsem_wake\n"
10088 @@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
10089 rwsem_count_t tmp;
10090 asm volatile("# beginning __up_write\n\t"
10091 LOCK_PREFIX " xadd %1,(%2)\n\t"
10092 +
10093 +#ifdef CONFIG_PAX_REFCOUNT
10094 + "jno 0f\n"
10095 + "mov %1,(%2)\n"
10096 + "int $4\n0:\n"
10097 + _ASM_EXTABLE(0b, 0b)
10098 +#endif
10099 +
10100 /* tries to transition
10101 0xffff0001 -> 0x00000000 */
10102 " jz 1f\n"
10103 @@ -234,6 +274,14 @@ static inline void __downgrade_write(str
10104 {
10105 asm volatile("# beginning __downgrade_write\n\t"
10106 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
10107 +
10108 +#ifdef CONFIG_PAX_REFCOUNT
10109 + "jno 0f\n"
10110 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
10111 + "int $4\n0:\n"
10112 + _ASM_EXTABLE(0b, 0b)
10113 +#endif
10114 +
10115 /*
10116 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
10117 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
10118 @@ -253,7 +301,15 @@ static inline void __downgrade_write(str
10119 static inline void rwsem_atomic_add(rwsem_count_t delta,
10120 struct rw_semaphore *sem)
10121 {
10122 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
10123 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
10124 +
10125 +#ifdef CONFIG_PAX_REFCOUNT
10126 + "jno 0f\n"
10127 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
10128 + "int $4\n0:\n"
10129 + _ASM_EXTABLE(0b, 0b)
10130 +#endif
10131 +
10132 : "+m" (sem->count)
10133 : "er" (delta));
10134 }
10135 @@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
10136 {
10137 rwsem_count_t tmp = delta;
10138
10139 - asm volatile(LOCK_PREFIX "xadd %0,%1"
10140 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
10141 +
10142 +#ifdef CONFIG_PAX_REFCOUNT
10143 + "jno 0f\n"
10144 + "mov %0,%1\n"
10145 + "int $4\n0:\n"
10146 + _ASM_EXTABLE(0b, 0b)
10147 +#endif
10148 +
10149 : "+r" (tmp), "+m" (sem->count)
10150 : : "memory");
10151
10152 diff -urNp linux-2.6.32.43/arch/x86/include/asm/segment.h linux-2.6.32.43/arch/x86/include/asm/segment.h
10153 --- linux-2.6.32.43/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
10154 +++ linux-2.6.32.43/arch/x86/include/asm/segment.h 2011-04-17 15:56:46.000000000 -0400
10155 @@ -62,8 +62,8 @@
10156 * 26 - ESPFIX small SS
10157 * 27 - per-cpu [ offset to per-cpu data area ]
10158 * 28 - stack_canary-20 [ for stack protector ]
10159 - * 29 - unused
10160 - * 30 - unused
10161 + * 29 - PCI BIOS CS
10162 + * 30 - PCI BIOS DS
10163 * 31 - TSS for double fault handler
10164 */
10165 #define GDT_ENTRY_TLS_MIN 6
10166 @@ -77,6 +77,8 @@
10167
10168 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
10169
10170 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
10171 +
10172 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
10173
10174 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
10175 @@ -88,7 +90,7 @@
10176 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
10177 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
10178
10179 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10180 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10181 #ifdef CONFIG_SMP
10182 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
10183 #else
10184 @@ -102,6 +104,12 @@
10185 #define __KERNEL_STACK_CANARY 0
10186 #endif
10187
10188 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
10189 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
10190 +
10191 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
10192 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
10193 +
10194 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
10195
10196 /*
10197 @@ -139,7 +147,7 @@
10198 */
10199
10200 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
10201 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
10202 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
10203
10204
10205 #else
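Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, so an argument with side effects would be evaluated twice. The comment above it still says the two selectors "must be consecutive", which the explicit comparison no longer relies on. Callers are outside this hunk; if any passes more than a plain variable, a `static inline` helper avoids the double evaluation. The comment could become `/* Matches PNP_CS32 and PNP_CS16, ignoring the RPL bits */`.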
10206 @@ -163,6 +171,8 @@
10207 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
10208 #define __USER32_DS __USER_DS
10209
10210 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
10211 +
10212 #define GDT_ENTRY_TSS 8 /* needs two entries */
10213 #define GDT_ENTRY_LDT 10 /* needs two entries */
10214 #define GDT_ENTRY_TLS_MIN 12
10215 @@ -183,6 +193,7 @@
10216 #endif
10217
10218 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
10219 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
10220 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
10221 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
10222 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
10223 diff -urNp linux-2.6.32.43/arch/x86/include/asm/smp.h linux-2.6.32.43/arch/x86/include/asm/smp.h
10224 --- linux-2.6.32.43/arch/x86/include/asm/smp.h 2011-03-27 14:31:47.000000000 -0400
10225 +++ linux-2.6.32.43/arch/x86/include/asm/smp.h 2011-08-05 20:33:55.000000000 -0400
10226 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
10227 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
10228 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
10229 DECLARE_PER_CPU(u16, cpu_llc_id);
10230 -DECLARE_PER_CPU(int, cpu_number);
10231 +DECLARE_PER_CPU(unsigned int, cpu_number);
10232
10233 static inline struct cpumask *cpu_sibling_mask(int cpu)
10234 {
10235 @@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
10236 DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
10237
10238 /* Static state in head.S used to set up a CPU */
10239 -extern struct {
10240 - void *sp;
10241 - unsigned short ss;
10242 -} stack_start;
10243 +extern unsigned long stack_start; /* Initial stack pointer address */
10244
10245 struct smp_ops {
10246 void (*smp_prepare_boot_cpu)(void);
10247 @@ -60,7 +57,7 @@ struct smp_ops {
10248
10249 void (*send_call_func_ipi)(const struct cpumask *mask);
10250 void (*send_call_func_single_ipi)(int cpu);
10251 -};
10252 +} __no_const;
10253
10254 /* Globals due to paravirt */
10255 extern void set_cpu_sibling_map(int cpu);
10256 @@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
10257 extern int safe_smp_processor_id(void);
10258
10259 #elif defined(CONFIG_X86_64_SMP)
10260 -#define raw_smp_processor_id() (percpu_read(cpu_number))
10261 -
10262 -#define stack_smp_processor_id() \
10263 -({ \
10264 - struct thread_info *ti; \
10265 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
10266 - ti->cpu; \
10267 -})
10268 +#define raw_smp_processor_id() (percpu_read(cpu_number))
10269 +#define stack_smp_processor_id() raw_smp_processor_id()
10270 #define safe_smp_processor_id() smp_processor_id()
10271
10272 #endif
10273 diff -urNp linux-2.6.32.43/arch/x86/include/asm/spinlock.h linux-2.6.32.43/arch/x86/include/asm/spinlock.h
10274 --- linux-2.6.32.43/arch/x86/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
10275 +++ linux-2.6.32.43/arch/x86/include/asm/spinlock.h 2011-04-17 15:56:46.000000000 -0400
10276 @@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
10277 static inline void __raw_read_lock(raw_rwlock_t *rw)
10278 {
10279 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
10280 +
10281 +#ifdef CONFIG_PAX_REFCOUNT
10282 + "jno 0f\n"
10283 + LOCK_PREFIX " addl $1,(%0)\n"
10284 + "int $4\n0:\n"
10285 + _ASM_EXTABLE(0b, 0b)
10286 +#endif
10287 +
10288 "jns 1f\n"
10289 "call __read_lock_failed\n\t"
10290 "1:\n"
10291 @@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
10292 static inline void __raw_write_lock(raw_rwlock_t *rw)
10293 {
10294 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
10295 +
10296 +#ifdef CONFIG_PAX_REFCOUNT
10297 + "jno 0f\n"
10298 + LOCK_PREFIX " addl %1,(%0)\n"
10299 + "int $4\n0:\n"
10300 + _ASM_EXTABLE(0b, 0b)
10301 +#endif
10302 +
10303 "jz 1f\n"
10304 "call __write_lock_failed\n\t"
10305 "1:\n"
10306 @@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10307
10308 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10309 {
10310 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10311 + asm volatile(LOCK_PREFIX "incl %0\n"
10312 +
10313 +#ifdef CONFIG_PAX_REFCOUNT
10314 + "jno 0f\n"
10315 + LOCK_PREFIX "decl %0\n"
10316 + "int $4\n0:\n"
10317 + _ASM_EXTABLE(0b, 0b)
10318 +#endif
10319 +
10320 + :"+m" (rw->lock) : : "memory");
10321 }
10322
10323 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10324 {
10325 - asm volatile(LOCK_PREFIX "addl %1, %0"
10326 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
10327 +
10328 +#ifdef CONFIG_PAX_REFCOUNT
10329 + "jno 0f\n"
10330 + LOCK_PREFIX "subl %1, %0\n"
10331 + "int $4\n0:\n"
10332 + _ASM_EXTABLE(0b, 0b)
10333 +#endif
10334 +
10335 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10336 }
10337
10338 diff -urNp linux-2.6.32.43/arch/x86/include/asm/stackprotector.h linux-2.6.32.43/arch/x86/include/asm/stackprotector.h
10339 --- linux-2.6.32.43/arch/x86/include/asm/stackprotector.h 2011-03-27 14:31:47.000000000 -0400
10340 +++ linux-2.6.32.43/arch/x86/include/asm/stackprotector.h 2011-07-06 19:53:33.000000000 -0400
10341 @@ -48,7 +48,7 @@
10342 * head_32 for boot CPU and setup_per_cpu_areas() for others.
10343 */
10344 #define GDT_STACK_CANARY_INIT \
10345 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
10346 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
10347
10348 /*
10349 * Initialize the stackprotector canary value.
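Review bot: The segment limit changes from `0x18` to `0x17` with no comment, and the surrounding text does not say how the number is derived. If the canary is the 4-byte value at offset 20, as the "stack_canary-20" entry in the segment.h layout comment suggests, then `0x17` is the last valid byte and the old value allowed one byte too many. A comment such as `/* limit 0x17 = offset 20 + sizeof(canary) - 1 */` would make that checkable. The same patch changes `get_limit()` in system.h to return the raw limit, so the two changes should be reviewed together.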
10350 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10351
10352 static inline void load_stack_canary_segment(void)
10353 {
10354 -#ifdef CONFIG_X86_32
10355 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10356 asm volatile ("mov %0, %%gs" : : "r" (0));
10357 #endif
10358 }
10359 diff -urNp linux-2.6.32.43/arch/x86/include/asm/system.h linux-2.6.32.43/arch/x86/include/asm/system.h
10360 --- linux-2.6.32.43/arch/x86/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
10361 +++ linux-2.6.32.43/arch/x86/include/asm/system.h 2011-05-22 23:02:03.000000000 -0400
10362 @@ -132,7 +132,7 @@ do { \
10363 "thread_return:\n\t" \
10364 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10365 __switch_canary \
10366 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
10367 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10368 "movq %%rax,%%rdi\n\t" \
10369 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10370 "jnz ret_from_fork\n\t" \
10371 @@ -143,7 +143,7 @@ do { \
10372 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10373 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10374 [_tif_fork] "i" (_TIF_FORK), \
10375 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
10376 + [thread_info] "m" (per_cpu_var(current_tinfo)), \
10377 [current_task] "m" (per_cpu_var(current_task)) \
10378 __switch_canary_iparam \
10379 : "memory", "cc" __EXTRA_CLOBBER)
10380 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10381 {
10382 unsigned long __limit;
10383 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10384 - return __limit + 1;
10385 + return __limit;
10386 }
10387
10388 static inline void native_clts(void)
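Review bot: `get_limit()` now returns the raw `lsl` result, the highest valid offset, instead of that value plus one, which changes the contract for every caller without a comment or a rename. The old `+ 1` wrapped to zero for a limit of all ones on 32-bit, which is presumably the motivation. Callers are outside this hunk, and any that still treats the result as a size is now off by one. A comment above the function, `/* returns the segment limit: the highest valid offset, inclusive */`, would pin the new meaning. The function's signature is outside the hunk.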
10389 @@ -340,12 +340,12 @@ void enable_hlt(void);
10390
10391 void cpu_idle_wait(void);
10392
10393 -extern unsigned long arch_align_stack(unsigned long sp);
10394 +#define arch_align_stack(x) ((x) & ~0xfUL)
10395 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10396
10397 void default_idle(void);
10398
10399 -void stop_this_cpu(void *dummy);
10400 +void stop_this_cpu(void *dummy) __noreturn;
10401
10402 /*
10403 * Force strict CPU ordering.
10404 diff -urNp linux-2.6.32.43/arch/x86/include/asm/thread_info.h linux-2.6.32.43/arch/x86/include/asm/thread_info.h
10405 --- linux-2.6.32.43/arch/x86/include/asm/thread_info.h 2011-03-27 14:31:47.000000000 -0400
10406 +++ linux-2.6.32.43/arch/x86/include/asm/thread_info.h 2011-05-17 19:26:34.000000000 -0400
10407 @@ -10,6 +10,7 @@
10408 #include <linux/compiler.h>
10409 #include <asm/page.h>
10410 #include <asm/types.h>
10411 +#include <asm/percpu.h>
10412
10413 /*
10414 * low level task data that entry.S needs immediate access to
10415 @@ -24,7 +25,6 @@ struct exec_domain;
10416 #include <asm/atomic.h>
10417
10418 struct thread_info {
10419 - struct task_struct *task; /* main task structure */
10420 struct exec_domain *exec_domain; /* execution domain */
10421 __u32 flags; /* low level flags */
10422 __u32 status; /* thread synchronous flags */
10423 @@ -34,18 +34,12 @@ struct thread_info {
10424 mm_segment_t addr_limit;
10425 struct restart_block restart_block;
10426 void __user *sysenter_return;
10427 -#ifdef CONFIG_X86_32
10428 - unsigned long previous_esp; /* ESP of the previous stack in
10429 - case of nested (IRQ) stacks
10430 - */
10431 - __u8 supervisor_stack[0];
10432 -#endif
10433 + unsigned long lowest_stack;
10434 int uaccess_err;
10435 };
10436
10437 -#define INIT_THREAD_INFO(tsk) \
10438 +#define INIT_THREAD_INFO \
10439 { \
10440 - .task = &tsk, \
10441 .exec_domain = &default_exec_domain, \
10442 .flags = 0, \
10443 .cpu = 0, \
10444 @@ -56,7 +50,7 @@ struct thread_info {
10445 }, \
10446 }
10447
10448 -#define init_thread_info (init_thread_union.thread_info)
10449 +#define init_thread_info (init_thread_union.stack)
10450 #define init_stack (init_thread_union.stack)
10451
10452 #else /* !__ASSEMBLY__ */
10453 @@ -163,6 +157,23 @@ struct thread_info {
10454 #define alloc_thread_info(tsk) \
10455 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10456
10457 +#ifdef __ASSEMBLY__
10458 +/* how to get the thread information struct from ASM */
10459 +#define GET_THREAD_INFO(reg) \
10460 + mov PER_CPU_VAR(current_tinfo), reg
10461 +
10462 +/* use this one if reg already contains %esp */
10463 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10464 +#else
10465 +/* how to get the thread information struct from C */
10466 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10467 +
10468 +static __always_inline struct thread_info *current_thread_info(void)
10469 +{
10470 + return percpu_read_stable(current_tinfo);
10471 +}
10472 +#endif
10473 +
10474 #ifdef CONFIG_X86_32
10475
10476 #define STACK_WARN (THREAD_SIZE/8)
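Review bot: The comment on `GET_THREAD_INFO_WITH_ESP` is stale: the macro now expands to `GET_THREAD_INFO(reg)`, which loads `current_tinfo` from per-CPU data and overwrites `reg` whatever it held. Assembly callers that used to derive the pointer from the stack pointer now depend on the per-CPU variable being current, so the comment should say that, e.g. `/* kept for existing callers; reg is overwritten and %esp is no longer used */`. `current_thread_info()` in the C branch could carry a one-line comment that it reads the per-CPU `current_tinfo` rather than masking the stack pointer.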
10477 @@ -173,35 +184,13 @@ struct thread_info {
10478 */
10479 #ifndef __ASSEMBLY__
10480
10481 -
10482 /* how to get the current stack pointer from C */
10483 register unsigned long current_stack_pointer asm("esp") __used;
10484
10485 -/* how to get the thread information struct from C */
10486 -static inline struct thread_info *current_thread_info(void)
10487 -{
10488 - return (struct thread_info *)
10489 - (current_stack_pointer & ~(THREAD_SIZE - 1));
10490 -}
10491 -
10492 -#else /* !__ASSEMBLY__ */
10493 -
10494 -/* how to get the thread information struct from ASM */
10495 -#define GET_THREAD_INFO(reg) \
10496 - movl $-THREAD_SIZE, reg; \
10497 - andl %esp, reg
10498 -
10499 -/* use this one if reg already contains %esp */
10500 -#define GET_THREAD_INFO_WITH_ESP(reg) \
10501 - andl $-THREAD_SIZE, reg
10502 -
10503 #endif
10504
10505 #else /* X86_32 */
10506
10507 -#include <asm/percpu.h>
10508 -#define KERNEL_STACK_OFFSET (5*8)
10509 -
10510 /*
10511 * macros/functions for gaining access to the thread information structure
10512 * preempt_count needs to be 1 initially, until the scheduler is functional.
10513 @@ -209,21 +198,8 @@ static inline struct thread_info *curren
10514 #ifndef __ASSEMBLY__
10515 DECLARE_PER_CPU(unsigned long, kernel_stack);
10516
10517 -static inline struct thread_info *current_thread_info(void)
10518 -{
10519 - struct thread_info *ti;
10520 - ti = (void *)(percpu_read_stable(kernel_stack) +
10521 - KERNEL_STACK_OFFSET - THREAD_SIZE);
10522 - return ti;
10523 -}
10524 -
10525 -#else /* !__ASSEMBLY__ */
10526 -
10527 -/* how to get the thread information struct from ASM */
10528 -#define GET_THREAD_INFO(reg) \
10529 - movq PER_CPU_VAR(kernel_stack),reg ; \
10530 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10531 -
10532 +/* how to get the current stack pointer from C */
10533 +register unsigned long current_stack_pointer asm("rsp") __used;
10534 #endif
10535
10536 #endif /* !X86_32 */
10537 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10538 extern void free_thread_info(struct thread_info *ti);
10539 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
10540 #define arch_task_cache_init arch_task_cache_init
10541 +
10542 +#define __HAVE_THREAD_FUNCTIONS
10543 +#define task_thread_info(task) (&(task)->tinfo)
10544 +#define task_stack_page(task) ((task)->stack)
10545 +#define setup_thread_stack(p, org) do {} while (0)
10546 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
10547 +
10548 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
10549 +extern struct task_struct *alloc_task_struct(void);
10550 +extern void free_task_struct(struct task_struct *);
10551 +
10552 #endif
10553 #endif /* _ASM_X86_THREAD_INFO_H */
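Review bot: `end_of_stack(p)` is defined as one `unsigned long` above `task_stack_page(p)` with no explanation of the offset. With `task_thread_info()` now pointing into `task_struct` (`&(task)->tinfo`), there is no `thread_info` at the base of the stack page for the end-of-stack word to sit above, so the `+ 1` reads as a chosen reserve rather than a structure size. A comment such as `/* thread_info lives in task_struct; the end-of-stack word is one word above the stack base */` would record that. The users of `end_of_stack()` are outside this hunk, so confirm that any overflow check built on it agrees with the new position.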
10554 diff -urNp linux-2.6.32.43/arch/x86/include/asm/uaccess_32.h linux-2.6.32.43/arch/x86/include/asm/uaccess_32.h
10555 --- linux-2.6.32.43/arch/x86/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
10556 +++ linux-2.6.32.43/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:46:57.000000000 -0400
10557 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
10558 static __always_inline unsigned long __must_check
10559 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
10560 {
10561 + pax_track_stack();
10562 +
10563 + if ((long)n < 0)
10564 + return n;
10565 +
10566 if (__builtin_constant_p(n)) {
10567 unsigned long ret;
10568
10569 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
10570 return ret;
10571 }
10572 }
10573 + if (!__builtin_constant_p(n))
10574 + check_object_size(from, n, true);
10575 return __copy_to_user_ll(to, from, n);
10576 }
10577
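Review bot: The added `check_object_size(from, n, true)` runs only when `n` is not a compile-time constant, so a constant length that the constant-size fast path above does not handle reaches `__copy_to_user_ll()` without the object-size check. The same pattern is added in the `__copy_from_user` hunk (`check_object_size(to, n, false)`) and in the new `copy_from_user()`. If the intent is that constant lengths are trusted because they come from `sizeof`, a comment should say so, e.g. `/* only runtime lengths are checked; constant sizes are assumed to match the object */`. The enclosing function starts above this hunk.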
10578 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
10579 __copy_to_user(void __user *to, const void *from, unsigned long n)
10580 {
10581 might_fault();
10582 +
10583 return __copy_to_user_inatomic(to, from, n);
10584 }
10585
10586 static __always_inline unsigned long
10587 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
10588 {
10589 + if ((long)n < 0)
10590 + return n;
10591 +
10592 /* Avoid zeroing the tail if the copy fails..
10593 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
10594 * but as the zeroing behaviour is only significant when n is not
10595 @@ -138,6 +149,12 @@ static __always_inline unsigned long
10596 __copy_from_user(void *to, const void __user *from, unsigned long n)
10597 {
10598 might_fault();
10599 +
10600 + pax_track_stack();
10601 +
10602 + if ((long)n < 0)
10603 + return n;
10604 +
10605 if (__builtin_constant_p(n)) {
10606 unsigned long ret;
10607
10608 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
10609 return ret;
10610 }
10611 }
10612 + if (!__builtin_constant_p(n))
10613 + check_object_size(to, n, false);
10614 return __copy_from_user_ll(to, from, n);
10615 }
10616
10617 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
10618 const void __user *from, unsigned long n)
10619 {
10620 might_fault();
10621 +
10622 + if ((long)n < 0)
10623 + return n;
10624 +
10625 if (__builtin_constant_p(n)) {
10626 unsigned long ret;
10627
10628 @@ -182,14 +205,62 @@ static __always_inline unsigned long
10629 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
10630 unsigned long n)
10631 {
10632 - return __copy_from_user_ll_nocache_nozero(to, from, n);
10633 + if ((long)n < 0)
10634 + return n;
10635 +
10636 + return __copy_from_user_ll_nocache_nozero(to, from, n);
10637 +}
10638 +
10639 +/**
10640 + * copy_to_user: - Copy a block of data into user space.
10641 + * @to: Destination address, in user space.
10642 + * @from: Source address, in kernel space.
10643 + * @n: Number of bytes to copy.
10644 + *
10645 + * Context: User context only. This function may sleep.
10646 + *
10647 + * Copy data from kernel space to user space.
10648 + *
10649 + * Returns number of bytes that could not be copied.
10650 + * On success, this will be zero.
10651 + */
10652 +static __always_inline unsigned long __must_check
10653 +copy_to_user(void __user *to, const void *from, unsigned long n)
10654 +{
10655 + if (access_ok(VERIFY_WRITE, to, n))
10656 + n = __copy_to_user(to, from, n);
10657 + return n;
10658 +}
10659 +
10660 +/**
10661 + * copy_from_user: - Copy a block of data from user space.
10662 + * @to: Destination address, in kernel space.
10663 + * @from: Source address, in user space.
10664 + * @n: Number of bytes to copy.
10665 + *
10666 + * Context: User context only. This function may sleep.
10667 + *
10668 + * Copy data from user space to kernel space.
10669 + *
10670 + * Returns number of bytes that could not be copied.
10671 + * On success, this will be zero.
10672 + *
10673 + * If some data could not be copied, this function will pad the copied
10674 + * data to the requested size using zero bytes.
10675 + */
10676 +static __always_inline unsigned long __must_check
10677 +copy_from_user(void *to, const void __user *from, unsigned long n)
10678 +{
10679 + if (access_ok(VERIFY_READ, from, n))
10680 + n = __copy_from_user(to, from, n);
10681 + else if ((long)n > 0) {
10682 + if (!__builtin_constant_p(n))
10683 + check_object_size(to, n, false);
10684 + memset(to, 0, n);
10685 + }
10686 + return n;
10687 }
10688
10689 -unsigned long __must_check copy_to_user(void __user *to,
10690 - const void *from, unsigned long n);
10691 -unsigned long __must_check copy_from_user(void *to,
10692 - const void __user *from,
10693 - unsigned long n);
10694 long __must_check strncpy_from_user(char *dst, const char __user *src,
10695 long count);
10696 long __must_check __strncpy_from_user(char *dst,
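Review bot: The kernel-doc added for `copy_from_user()` promises zero padding whenever data could not be copied, but the code does not do that for a length with the sign bit set. On that path the `else if ((long)n > 0)` branch is skipped, and `__copy_from_user()` returns early on `(long)n < 0`, so `to` is left untouched and `n` is returned. Add a line to the comment, ` * If @n has its sign bit set, nothing is copied or zeroed and @n is returned.`, so callers know the destination may still be uninitialized there. The 64-bit `copy_from_user()` added in uaccess_64.h behaves the same way and has no kernel-doc at all.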
10697 diff -urNp linux-2.6.32.43/arch/x86/include/asm/uaccess_64.h linux-2.6.32.43/arch/x86/include/asm/uaccess_64.h
10698 --- linux-2.6.32.43/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
10699 +++ linux-2.6.32.43/arch/x86/include/asm/uaccess_64.h 2011-05-16 21:46:57.000000000 -0400
10700 @@ -9,6 +9,9 @@
10701 #include <linux/prefetch.h>
10702 #include <linux/lockdep.h>
10703 #include <asm/page.h>
10704 +#include <asm/pgtable.h>
10705 +
10706 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
10707
10708 /*
10709 * Copy To/From Userspace
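Review bot: This `set_fs()` definition duplicates the one in uaccess.h, which the same patch keeps in the `#else` branch of its new `CONFIG_X86_32 && CONFIG_PAX_MEMORY_UDEREF` test. An identical redefinition compiles silently, but the two copies can drift, and the address-limit setter is the kind of primitive that should have exactly one definition. If uaccess_64.h needs its own copy because of include order, say so in a comment above the define; otherwise drop this one.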
10710 @@ -19,113 +22,203 @@ __must_check unsigned long
10711 copy_user_generic(void *to, const void *from, unsigned len);
10712
10713 __must_check unsigned long
10714 -copy_to_user(void __user *to, const void *from, unsigned len);
10715 -__must_check unsigned long
10716 -copy_from_user(void *to, const void __user *from, unsigned len);
10717 -__must_check unsigned long
10718 copy_in_user(void __user *to, const void __user *from, unsigned len);
10719
10720 static __always_inline __must_check
10721 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
10722 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
10723 {
10724 - int ret = 0;
10725 + unsigned ret = 0;
10726
10727 might_fault();
10728 - if (!__builtin_constant_p(size))
10729 - return copy_user_generic(dst, (__force void *)src, size);
10730 +
10731 + if ((int)size < 0)
10732 + return size;
10733 +
10734 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10735 + if (!__access_ok(VERIFY_READ, src, size))
10736 + return size;
10737 +#endif
10738 +
10739 + if (!__builtin_constant_p(size)) {
10740 + check_object_size(dst, size, false);
10741 +
10742 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10743 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10744 + src += PAX_USER_SHADOW_BASE;
10745 +#endif
10746 +
10747 + return copy_user_generic(dst, (__force const void *)src, size);
10748 + }
10749 switch (size) {
10750 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
10751 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
10752 ret, "b", "b", "=q", 1);
10753 return ret;
10754 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
10755 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
10756 ret, "w", "w", "=r", 2);
10757 return ret;
10758 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
10759 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
10760 ret, "l", "k", "=r", 4);
10761 return ret;
10762 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
10763 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10764 ret, "q", "", "=r", 8);
10765 return ret;
10766 case 10:
10767 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10768 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10769 ret, "q", "", "=r", 10);
10770 if (unlikely(ret))
10771 return ret;
10772 __get_user_asm(*(u16 *)(8 + (char *)dst),
10773 - (u16 __user *)(8 + (char __user *)src),
10774 + (const u16 __user *)(8 + (const char __user *)src),
10775 ret, "w", "w", "=r", 2);
10776 return ret;
10777 case 16:
10778 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10779 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10780 ret, "q", "", "=r", 16);
10781 if (unlikely(ret))
10782 return ret;
10783 __get_user_asm(*(u64 *)(8 + (char *)dst),
10784 - (u64 __user *)(8 + (char __user *)src),
10785 + (const u64 __user *)(8 + (const char __user *)src),
10786 ret, "q", "", "=r", 8);
10787 return ret;
10788 default:
10789 - return copy_user_generic(dst, (__force void *)src, size);
10790 +
10791 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10792 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10793 + src += PAX_USER_SHADOW_BASE;
10794 +#endif
10795 +
10796 + return copy_user_generic(dst, (__force const void *)src, size);
10797 }
10798 }
10799
10800 static __always_inline __must_check
10801 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
10802 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
10803 {
10804 - int ret = 0;
10805 + unsigned ret = 0;
10806
10807 might_fault();
10808 - if (!__builtin_constant_p(size))
10809 +
10810 + pax_track_stack();
10811 +
10812 + if ((int)size < 0)
10813 + return size;
10814 +
10815 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10816 + if (!__access_ok(VERIFY_WRITE, dst, size))
10817 + return size;
10818 +#endif
10819 +
10820 + if (!__builtin_constant_p(size)) {
10821 + check_object_size(src, size, true);
10822 +
10823 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10824 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10825 + dst += PAX_USER_SHADOW_BASE;
10826 +#endif
10827 +
10828 return copy_user_generic((__force void *)dst, src, size);
10829 + }
10830 switch (size) {
10831 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
10832 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
10833 ret, "b", "b", "iq", 1);
10834 return ret;
10835 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
10836 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
10837 ret, "w", "w", "ir", 2);
10838 return ret;
10839 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
10840 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
10841 ret, "l", "k", "ir", 4);
10842 return ret;
10843 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
10844 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10845 ret, "q", "", "er", 8);
10846 return ret;
10847 case 10:
10848 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10849 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10850 ret, "q", "", "er", 10);
10851 if (unlikely(ret))
10852 return ret;
10853 asm("":::"memory");
10854 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
10855 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
10856 ret, "w", "w", "ir", 2);
10857 return ret;
10858 case 16:
10859 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10860 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10861 ret, "q", "", "er", 16);
10862 if (unlikely(ret))
10863 return ret;
10864 asm("":::"memory");
10865 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
10866 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
10867 ret, "q", "", "er", 8);
10868 return ret;
10869 default:
10870 +
10871 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10872 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10873 + dst += PAX_USER_SHADOW_BASE;
10874 +#endif
10875 +
10876 return copy_user_generic((__force void *)dst, src, size);
10877 }
10878 }
10879
10880 static __always_inline __must_check
10881 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10882 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
10883 +{
10884 + if (access_ok(VERIFY_WRITE, to, len))
10885 + len = __copy_to_user(to, from, len);
10886 + return len;
10887 +}
10888 +
10889 +static __always_inline __must_check
10890 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
10891 +{
10892 + if ((int)len < 0)
10893 + return len;
10894 +
10895 + if (access_ok(VERIFY_READ, from, len))
10896 + len = __copy_from_user(to, from, len);
10897 + else if ((int)len > 0) {
10898 + if (!__builtin_constant_p(len))
10899 + check_object_size(to, len, false);
10900 + memset(to, 0, len);
10901 + }
10902 + return len;
10903 +}
10904 +
10905 +static __always_inline __must_check
10906 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10907 {
10908 - int ret = 0;
10909 + unsigned ret = 0;
10910
10911 might_fault();
10912 - if (!__builtin_constant_p(size))
10913 +
10914 + pax_track_stack();
10915 +
10916 + if ((int)size < 0)
10917 + return size;
10918 +
10919 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10920 + if (!__access_ok(VERIFY_READ, src, size))
10921 + return size;
10922 + if (!__access_ok(VERIFY_WRITE, dst, size))
10923 + return size;
10924 +#endif
10925 +
10926 + if (!__builtin_constant_p(size)) {
10927 +
10928 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10929 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10930 + src += PAX_USER_SHADOW_BASE;
10931 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10932 + dst += PAX_USER_SHADOW_BASE;
10933 +#endif
10934 +
10935 return copy_user_generic((__force void *)dst,
10936 - (__force void *)src, size);
10937 + (__force const void *)src, size);
10938 + }
10939 switch (size) {
10940 case 1: {
10941 u8 tmp;
10942 - __get_user_asm(tmp, (u8 __user *)src,
10943 + __get_user_asm(tmp, (const u8 __user *)src,
10944 ret, "b", "b", "=q", 1);
10945 if (likely(!ret))
10946 __put_user_asm(tmp, (u8 __user *)dst,
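Review bot: The new `(int)size < 0` guards in `__copy_from_user()`, `__copy_to_user()`, `copy_from_user()` and `__copy_in_user()` only see 32 bits, because the length parameter stays `unsigned` while the return type is widened to `unsigned long`. A caller that passes a 64-bit length is truncated at the call, so a value above 4 GiB with a small low half passes the guard, copies fewer bytes than requested and can return 0. Consider widening the parameter in the public wrappers and rejecting there, e.g. `unsigned long copy_from_user(void *to, const void __user *from, unsigned long len)` with `if (len > INT_MAX) return len;`. Callers are outside this hunk, so whether any of them passes a 64-bit length is not visible here.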
10947 @@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
10948 }
10949 case 2: {
10950 u16 tmp;
10951 - __get_user_asm(tmp, (u16 __user *)src,
10952 + __get_user_asm(tmp, (const u16 __user *)src,
10953 ret, "w", "w", "=r", 2);
10954 if (likely(!ret))
10955 __put_user_asm(tmp, (u16 __user *)dst,
10956 @@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
10957
10958 case 4: {
10959 u32 tmp;
10960 - __get_user_asm(tmp, (u32 __user *)src,
10961 + __get_user_asm(tmp, (const u32 __user *)src,
10962 ret, "l", "k", "=r", 4);
10963 if (likely(!ret))
10964 __put_user_asm(tmp, (u32 __user *)dst,
10965 @@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
10966 }
10967 case 8: {
10968 u64 tmp;
10969 - __get_user_asm(tmp, (u64 __user *)src,
10970 + __get_user_asm(tmp, (const u64 __user *)src,
10971 ret, "q", "", "=r", 8);
10972 if (likely(!ret))
10973 __put_user_asm(tmp, (u64 __user *)dst,
10974 @@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
10975 return ret;
10976 }
10977 default:
10978 +
10979 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10980 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10981 + src += PAX_USER_SHADOW_BASE;
10982 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10983 + dst += PAX_USER_SHADOW_BASE;
10984 +#endif
10985 +
10986 return copy_user_generic((__force void *)dst,
10987 - (__force void *)src, size);
10988 + (__force const void *)src, size);
10989 }
10990 }
10991
10992 @@ -176,33 +277,75 @@ __must_check long strlen_user(const char
10993 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
10994 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
10995
10996 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
10997 - unsigned size);
10998 +static __must_check __always_inline unsigned long
10999 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
11000 +{
11001 + pax_track_stack();
11002 +
11003 + if ((int)size < 0)
11004 + return size;
11005
11006 -static __must_check __always_inline int
11007 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11008 + if (!__access_ok(VERIFY_READ, src, size))
11009 + return size;
11010 +
11011 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11012 + src += PAX_USER_SHADOW_BASE;
11013 +#endif
11014 +
11015 + return copy_user_generic(dst, (__force const void *)src, size);
11016 +}
11017 +
11018 +static __must_check __always_inline unsigned long
11019 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
11020 {
11021 + if ((int)size < 0)
11022 + return size;
11023 +
11024 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11025 + if (!__access_ok(VERIFY_WRITE, dst, size))
11026 + return size;
11027 +
11028 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11029 + dst += PAX_USER_SHADOW_BASE;
11030 +#endif
11031 +
11032 return copy_user_generic((__force void *)dst, src, size);
11033 }
11034
11035 -extern long __copy_user_nocache(void *dst, const void __user *src,
11036 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
11037 unsigned size, int zerorest);
11038
11039 -static inline int
11040 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11041 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11042 {
11043 might_sleep();
11044 +
11045 + if ((int)size < 0)
11046 + return size;
11047 +
11048 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11049 + if (!__access_ok(VERIFY_READ, src, size))
11050 + return size;
11051 +#endif
11052 +
11053 return __copy_user_nocache(dst, src, size, 1);
11054 }
11055
11056 -static inline int
11057 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11058 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11059 unsigned size)
11060 {
11061 + if ((int)size < 0)
11062 + return size;
11063 +
11064 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11065 + if (!__access_ok(VERIFY_READ, src, size))
11066 + return size;
11067 +#endif
11068 +
11069 return __copy_user_nocache(dst, src, size, 0);
11070 }
11071
11072 -unsigned long
11073 +extern unsigned long
11074 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
11075
11076 #endif /* _ASM_X86_UACCESS_64_H */
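Review bot: `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` add the UDEREF `__access_ok()` check but pass `src` on unchanged, whereas `__copy_from_user_inatomic()` earlier in this hunk also adds `PAX_USER_SHADOW_BASE` to `src` before the copy. `__copy_user_nocache()` is only declared here, so the rebasing may happen inside it; if so, a comment such as `/* __copy_user_nocache() rebases src for UDEREF itself */` would stop a reader from "fixing" the asymmetry. If it does not, these two paths access the user pointer at a different address than the other helpers. The hunk also leaves `pax_track_stack()` out of `__copy_to_user_inatomic()` while adding it to `__copy_from_user_inatomic()`, without saying why.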
11077 diff -urNp linux-2.6.32.43/arch/x86/include/asm/uaccess.h linux-2.6.32.43/arch/x86/include/asm/uaccess.h
11078 --- linux-2.6.32.43/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
11079 +++ linux-2.6.32.43/arch/x86/include/asm/uaccess.h 2011-06-25 12:56:37.000000000 -0400
11080 @@ -8,12 +8,15 @@
11081 #include <linux/thread_info.h>
11082 #include <linux/prefetch.h>
11083 #include <linux/string.h>
11084 +#include <linux/sched.h>
11085 #include <asm/asm.h>
11086 #include <asm/page.h>
11087
11088 #define VERIFY_READ 0
11089 #define VERIFY_WRITE 1
11090
11091 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
11092 +
11093 /*
11094 * The fs value determines whether argument validity checking should be
11095 * performed or not. If get_fs() == USER_DS, checking is performed, with
11096 @@ -29,7 +32,12 @@
11097
11098 #define get_ds() (KERNEL_DS)
11099 #define get_fs() (current_thread_info()->addr_limit)
11100 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11101 +void __set_fs(mm_segment_t x);
11102 +void set_fs(mm_segment_t x);
11103 +#else
11104 #define set_fs(x) (current_thread_info()->addr_limit = (x))
11105 +#endif
11106
11107 #define segment_eq(a, b) ((a).seg == (b).seg)
11108
11109 @@ -77,7 +85,33 @@
11110 * checks that the pointer is in the user space range - after calling
11111 * this function, memory access functions may still return -EFAULT.
11112 */
11113 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11114 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11115 +#define access_ok(type, addr, size) \
11116 +({ \
11117 + long __size = size; \
11118 + unsigned long __addr = (unsigned long)addr; \
11119 + unsigned long __addr_ao = __addr & PAGE_MASK; \
11120 + unsigned long __end_ao = __addr + __size - 1; \
11121 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11122 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11123 + while(__addr_ao <= __end_ao) { \
11124 + char __c_ao; \
11125 + __addr_ao += PAGE_SIZE; \
11126 + if (__size > PAGE_SIZE) \
11127 + cond_resched(); \
11128 + if (__get_user(__c_ao, (char __user *)__addr)) \
11129 + break; \
11130 + if (type != VERIFY_WRITE) { \
11131 + __addr = __addr_ao; \
11132 + continue; \
11133 + } \
11134 + if (__put_user(__c_ao, (char __user *)__addr)) \
11135 + break; \
11136 + __addr = __addr_ao; \
11137 + } \
11138 + } \
11139 + __ret_ao; \
11140 +})
11141
11142 /*
11143 * The exception table consists of pairs of addresses: the first is the
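Review bot: The new `access_ok()` macro uses its arguments without parentheses, and `(unsigned long)addr` applies the cast to the first operand only when `addr` is an expression. With a call such as `access_ok(type, p + 1, n)` on a non-`char` pointer, the range check and the page-touching loop both work on `(unsigned long)p + 1` rather than on the address of `p + 1`. Write `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. It is also worth a comment that faults in the loop only `break` and never change `__ret_ao`, so the loop pre-faults pages and the macro's result is still just the range check.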
11144 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11145 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11146 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11147
11148 -
11149 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11150 +#define __copyuser_seg "gs;"
11151 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11152 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11153 +#else
11154 +#define __copyuser_seg
11155 +#define __COPYUSER_SET_ES
11156 +#define __COPYUSER_RESTORE_ES
11157 +#endif
11158
11159 #ifdef CONFIG_X86_32
11160 #define __put_user_asm_u64(x, addr, err, errret) \
11161 - asm volatile("1: movl %%eax,0(%2)\n" \
11162 - "2: movl %%edx,4(%2)\n" \
11163 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11164 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11165 "3:\n" \
11166 ".section .fixup,\"ax\"\n" \
11167 "4: movl %3,%0\n" \
11168 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11169 : "A" (x), "r" (addr), "i" (errret), "0" (err))
11170
11171 #define __put_user_asm_ex_u64(x, addr) \
11172 - asm volatile("1: movl %%eax,0(%1)\n" \
11173 - "2: movl %%edx,4(%1)\n" \
11174 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11175 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11176 "3:\n" \
11177 _ASM_EXTABLE(1b, 2b - 1b) \
11178 _ASM_EXTABLE(2b, 3b - 2b) \
11179 @@ -374,7 +416,7 @@ do { \
11180 } while (0)
11181
11182 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11183 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11184 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11185 "2:\n" \
11186 ".section .fixup,\"ax\"\n" \
11187 "3: mov %3,%0\n" \
11188 @@ -382,7 +424,7 @@ do { \
11189 " jmp 2b\n" \
11190 ".previous\n" \
11191 _ASM_EXTABLE(1b, 3b) \
11192 - : "=r" (err), ltype(x) \
11193 + : "=r" (err), ltype (x) \
11194 : "m" (__m(addr)), "i" (errret), "0" (err))
11195
11196 #define __get_user_size_ex(x, ptr, size) \
11197 @@ -407,7 +449,7 @@ do { \
11198 } while (0)
11199
11200 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11201 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11202 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11203 "2:\n" \
11204 _ASM_EXTABLE(1b, 2b - 1b) \
11205 : ltype(x) : "m" (__m(addr)))
11206 @@ -424,13 +466,24 @@ do { \
11207 int __gu_err; \
11208 unsigned long __gu_val; \
11209 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11210 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
11211 + (x) = (__typeof__(*(ptr)))__gu_val; \
11212 __gu_err; \
11213 })
11214
11215 /* FIXME: this hack is definitely wrong -AK */
11216 struct __large_struct { unsigned long buf[100]; };
11217 -#define __m(x) (*(struct __large_struct __user *)(x))
11218 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11219 +#define ____m(x) \
11220 +({ \
11221 + unsigned long ____x = (unsigned long)(x); \
11222 + if (____x < PAX_USER_SHADOW_BASE) \
11223 + ____x += PAX_USER_SHADOW_BASE; \
11224 + (void __user *)____x; \
11225 +})
11226 +#else
11227 +#define ____m(x) (x)
11228 +#endif
11229 +#define __m(x) (*(struct __large_struct __user *)____m(x))
11230
11231 /*
11232 * Tell gcc we read from memory instead of writing: this is because
11233 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11234 * aliasing issues.
11235 */
11236 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11237 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11238 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11239 "2:\n" \
11240 ".section .fixup,\"ax\"\n" \
11241 "3: mov %3,%0\n" \
11242 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11243 ".previous\n" \
11244 _ASM_EXTABLE(1b, 3b) \
11245 : "=r"(err) \
11246 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11247 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11248
11249 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11250 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11251 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11252 "2:\n" \
11253 _ASM_EXTABLE(1b, 2b - 1b) \
11254 : : ltype(x), "m" (__m(addr)))
11255 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11256 * On error, the variable @x is set to zero.
11257 */
11258
11259 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11260 +#define __get_user(x, ptr) get_user((x), (ptr))
11261 +#else
11262 #define __get_user(x, ptr) \
11263 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11264 +#endif
11265
11266 /**
11267 * __put_user: - Write a simple value into user space, with less checking.
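Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`, `__get_user()` now expands to the checked `get_user()`, but the surrounding kernel-doc is left as it was; the `__put_user` comment starting at the end of this hunk still says "with less checking". The `__put_user()` hunk that follows makes the same switch to `put_user()`. A short comment at each `#if`, e.g. `/* UDEREF on x86_64: the unchecked variants go through the checked accessors */`, would keep the documentation accurate. Callers that pair these macros with their own `access_ok()` now have the address checked twice, which seems intended but is not stated.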
11268 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11269 * Returns zero on success, or -EFAULT on error.
11270 */
11271
11272 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11273 +#define __put_user(x, ptr) put_user((x), (ptr))
11274 +#else
11275 #define __put_user(x, ptr) \
11276 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
11277 +#endif
11278
11279 #define __get_user_unaligned __get_user
11280 #define __put_user_unaligned __put_user
11281 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
11282 #define get_user_ex(x, ptr) do { \
11283 unsigned long __gue_val; \
11284 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
11285 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
11286 + (x) = (__typeof__(*(ptr)))__gue_val; \
11287 } while (0)
11288
11289 #ifdef CONFIG_X86_WP_WORKS_OK
11290 @@ -567,6 +628,7 @@ extern struct movsl_mask {
11291
11292 #define ARCH_HAS_NOCACHE_UACCESS 1
11293
11294 +#define ARCH_HAS_SORT_EXTABLE
11295 #ifdef CONFIG_X86_32
11296 # include "uaccess_32.h"
11297 #else
11298 diff -urNp linux-2.6.32.43/arch/x86/include/asm/vgtod.h linux-2.6.32.43/arch/x86/include/asm/vgtod.h
11299 --- linux-2.6.32.43/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
11300 +++ linux-2.6.32.43/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
11301 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
11302 int sysctl_enabled;
11303 struct timezone sys_tz;
11304 struct { /* extract of a clocksource struct */
11305 + char name[8];
11306 cycle_t (*vread)(void);
11307 cycle_t cycle_last;
11308 cycle_t mask;
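Review bot: The new `char name[8]` is a fixed-size buffer with no stated bound on what is written into it. The code that fills it is outside this hunk; if it copies a clocksource name, the copy has to be length-limited and leave the field NUL-terminated, since anything longer would otherwise run into `vread`, the function pointer that follows it. A named constant for the size and a comment like `/* truncated clocksource name, always NUL-terminated */` would make the expectation checkable at the write site.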
11309 diff -urNp linux-2.6.32.43/arch/x86/include/asm/vmi.h linux-2.6.32.43/arch/x86/include/asm/vmi.h
11310 --- linux-2.6.32.43/arch/x86/include/asm/vmi.h 2011-03-27 14:31:47.000000000 -0400
11311 +++ linux-2.6.32.43/arch/x86/include/asm/vmi.h 2011-04-17 15:56:46.000000000 -0400
11312 @@ -191,6 +191,7 @@ struct vrom_header {
11313 u8 reserved[96]; /* Reserved for headers */
11314 char vmi_init[8]; /* VMI_Init jump point */
11315 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11316 + char rom_data[8048]; /* rest of the option ROM */
11317 } __attribute__((packed));
11318
11319 struct pnp_header {
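Review bot: `char rom_data[8048];` adds a bare magic number to a packed structure, and the value only makes sense as "total ROM size minus the header fields above it". The earlier fields of `struct vrom_header` are outside the hunk, so the intended total cannot be checked from here. Deriving the length from a named size constant, or adding a compile-time assertion on `sizeof(struct vrom_header)`, would keep the array correct if a header field ever changes.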
11320 diff -urNp linux-2.6.32.43/arch/x86/include/asm/vmi_time.h linux-2.6.32.43/arch/x86/include/asm/vmi_time.h
11321 --- linux-2.6.32.43/arch/x86/include/asm/vmi_time.h 2011-03-27 14:31:47.000000000 -0400
11322 +++ linux-2.6.32.43/arch/x86/include/asm/vmi_time.h 2011-08-05 20:33:55.000000000 -0400
11323 @@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
11324 int (*wallclock_updated)(void);
11325 void (*set_alarm)(u32 flags, u64 expiry, u64 period);
11326 void (*cancel_alarm)(u32 flags);
11327 -} vmi_timer_ops;
11328 +} __no_const vmi_timer_ops;
11329
11330 /* Prototypes */
11331 extern void __init vmi_time_init(void);
11332 diff -urNp linux-2.6.32.43/arch/x86/include/asm/vsyscall.h linux-2.6.32.43/arch/x86/include/asm/vsyscall.h
11333 --- linux-2.6.32.43/arch/x86/include/asm/vsyscall.h 2011-03-27 14:31:47.000000000 -0400
11334 +++ linux-2.6.32.43/arch/x86/include/asm/vsyscall.h 2011-04-17 15:56:46.000000000 -0400
11335 @@ -15,9 +15,10 @@ enum vsyscall_num {
11336
11337 #ifdef __KERNEL__
11338 #include <linux/seqlock.h>
11339 +#include <linux/getcpu.h>
11340 +#include <linux/time.h>
11341
11342 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11343 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11344
11345 /* Definitions for CONFIG_GENERIC_TIME definitions */
11346 #define __section_vsyscall_gtod_data __attribute__ \
11347 @@ -31,7 +32,6 @@ enum vsyscall_num {
11348 #define VGETCPU_LSL 2
11349
11350 extern int __vgetcpu_mode;
11351 -extern volatile unsigned long __jiffies;
11352
11353 /* kernel space (writeable) */
11354 extern int vgetcpu_mode;
11355 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11356
11357 extern void map_vsyscall(void);
11358
11359 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11360 +extern time_t vtime(time_t *t);
11361 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11362 #endif /* __KERNEL__ */
11363
11364 #endif /* _ASM_X86_VSYSCALL_H */
11365 diff -urNp linux-2.6.32.43/arch/x86/include/asm/x86_init.h linux-2.6.32.43/arch/x86/include/asm/x86_init.h
11366 --- linux-2.6.32.43/arch/x86/include/asm/x86_init.h 2011-03-27 14:31:47.000000000 -0400
11367 +++ linux-2.6.32.43/arch/x86/include/asm/x86_init.h 2011-08-05 20:33:55.000000000 -0400
11368 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
11369 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
11370 void (*find_smp_config)(unsigned int reserve);
11371 void (*get_smp_config)(unsigned int early);
11372 -};
11373 +} __no_const;
11374
11375 /**
11376 * struct x86_init_resources - platform specific resource related ops
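Review bot: `__no_const` is applied to every ops structure in this file, here and in the eight hunks that follow, and to `vmi_timer_ops` in vmi_time.h, with no comment on why each one must stay writable. The annotation is presumably consumed by the constify plugin referenced in the realmode Makefile hunk, which means these function-pointer tables are deliberately left out of the read-only set. A short comment per structure naming the code that assigns its members at run time would let a later reader tell a required exemption from a blanket one.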
11377 @@ -42,7 +42,7 @@ struct x86_init_resources {
11378 void (*probe_roms)(void);
11379 void (*reserve_resources)(void);
11380 char *(*memory_setup)(void);
11381 -};
11382 +} __no_const;
11383
11384 /**
11385 * struct x86_init_irqs - platform specific interrupt setup
11386 @@ -55,7 +55,7 @@ struct x86_init_irqs {
11387 void (*pre_vector_init)(void);
11388 void (*intr_init)(void);
11389 void (*trap_init)(void);
11390 -};
11391 +} __no_const;
11392
11393 /**
11394 * struct x86_init_oem - oem platform specific customizing functions
11395 @@ -65,7 +65,7 @@ struct x86_init_irqs {
11396 struct x86_init_oem {
11397 void (*arch_setup)(void);
11398 void (*banner)(void);
11399 -};
11400 +} __no_const;
11401
11402 /**
11403 * struct x86_init_paging - platform specific paging functions
11404 @@ -75,7 +75,7 @@ struct x86_init_oem {
11405 struct x86_init_paging {
11406 void (*pagetable_setup_start)(pgd_t *base);
11407 void (*pagetable_setup_done)(pgd_t *base);
11408 -};
11409 +} __no_const;
11410
11411 /**
11412 * struct x86_init_timers - platform specific timer setup
11413 @@ -88,7 +88,7 @@ struct x86_init_timers {
11414 void (*setup_percpu_clockev)(void);
11415 void (*tsc_pre_init)(void);
11416 void (*timer_init)(void);
11417 -};
11418 +} __no_const;
11419
11420 /**
11421 * struct x86_init_ops - functions for platform specific setup
11422 @@ -101,7 +101,7 @@ struct x86_init_ops {
11423 struct x86_init_oem oem;
11424 struct x86_init_paging paging;
11425 struct x86_init_timers timers;
11426 -};
11427 +} __no_const;
11428
11429 /**
11430 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
11431 @@ -109,7 +109,7 @@ struct x86_init_ops {
11432 */
11433 struct x86_cpuinit_ops {
11434 void (*setup_percpu_clockev)(void);
11435 -};
11436 +} __no_const;
11437
11438 /**
11439 * struct x86_platform_ops - platform specific runtime functions
11440 @@ -121,7 +121,7 @@ struct x86_platform_ops {
11441 unsigned long (*calibrate_tsc)(void);
11442 unsigned long (*get_wallclock)(void);
11443 int (*set_wallclock)(unsigned long nowtime);
11444 -};
11445 +} __no_const;
11446
11447 extern struct x86_init_ops x86_init;
11448 extern struct x86_cpuinit_ops x86_cpuinit;
11449 diff -urNp linux-2.6.32.43/arch/x86/include/asm/xsave.h linux-2.6.32.43/arch/x86/include/asm/xsave.h
11450 --- linux-2.6.32.43/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
11451 +++ linux-2.6.32.43/arch/x86/include/asm/xsave.h 2011-04-17 15:56:46.000000000 -0400
11452 @@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11453 static inline int xsave_user(struct xsave_struct __user *buf)
11454 {
11455 int err;
11456 +
11457 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11458 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11459 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11460 +#endif
11461 +
11462 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11463 "2:\n"
11464 ".section .fixup,\"ax\"\n"
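Review bot: The pointer rebasing added to `xsave_user` is open-coded again in the next hunk for `xrestore_user`, with only the cast differing, and neither copy says what happens to a pointer that is already at or above `PAX_USER_SHADOW_BASE`. As written, such a value is passed unchanged to the instruction that follows. A single helper used by both functions, carrying a comment on that case, would keep the two paths from drifting apart. Both function bodies continue outside their hunks.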
11465 @@ -82,6 +88,11 @@ static inline int xrestore_user(struct x
11466 u32 lmask = mask;
11467 u32 hmask = mask >> 32;
11468
11469 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11470 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11471 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11472 +#endif
11473 +
11474 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11475 "2:\n"
11476 ".section .fixup,\"ax\"\n"
11477 diff -urNp linux-2.6.32.43/arch/x86/Kconfig linux-2.6.32.43/arch/x86/Kconfig
11478 --- linux-2.6.32.43/arch/x86/Kconfig 2011-03-27 14:31:47.000000000 -0400
11479 +++ linux-2.6.32.43/arch/x86/Kconfig 2011-04-17 15:56:46.000000000 -0400
11480 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11481
11482 config X86_32_LAZY_GS
11483 def_bool y
11484 - depends on X86_32 && !CC_STACKPROTECTOR
11485 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11486
11487 config KTIME_SCALAR
11488 def_bool X86_32
11489 @@ -1008,7 +1008,7 @@ choice
11490
11491 config NOHIGHMEM
11492 bool "off"
11493 - depends on !X86_NUMAQ
11494 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11495 ---help---
11496 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11497 However, the address space of 32-bit x86 processors is only 4
11498 @@ -1045,7 +1045,7 @@ config NOHIGHMEM
11499
11500 config HIGHMEM4G
11501 bool "4GB"
11502 - depends on !X86_NUMAQ
11503 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11504 ---help---
11505 Select this if you have a 32-bit processor and between 1 and 4
11506 gigabytes of physical RAM.
11507 @@ -1099,7 +1099,7 @@ config PAGE_OFFSET
11508 hex
11509 default 0xB0000000 if VMSPLIT_3G_OPT
11510 default 0x80000000 if VMSPLIT_2G
11511 - default 0x78000000 if VMSPLIT_2G_OPT
11512 + default 0x70000000 if VMSPLIT_2G_OPT
11513 default 0x40000000 if VMSPLIT_1G
11514 default 0xC0000000
11515 depends on X86_32
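Review bot: The default for `VMSPLIT_2G_OPT` moves from `0x78000000` to `0x70000000` with no explanation, and it is the only split in this list that changes. This alters the user/kernel address-space boundary for anyone who already selects that option. A `#` comment above the line stating the constraint that requires the new value (an alignment requirement is a guess) would make the change reviewable.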
11516 @@ -1430,7 +1430,7 @@ config ARCH_USES_PG_UNCACHED
11517
11518 config EFI
11519 bool "EFI runtime service support"
11520 - depends on ACPI
11521 + depends on ACPI && !PAX_KERNEXEC
11522 ---help---
11523 This enables the kernel to use EFI runtime services that are
11524 available (such as the EFI variable services).
11525 @@ -1460,6 +1460,7 @@ config SECCOMP
11526
11527 config CC_STACKPROTECTOR
11528 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
11529 + depends on X86_64 || !PAX_MEMORY_UDEREF
11530 ---help---
11531 This option turns on the -fstack-protector GCC feature. This
11532 feature puts, at the beginning of functions, a canary value on
11533 @@ -1517,6 +1518,7 @@ config KEXEC_JUMP
11534 config PHYSICAL_START
11535 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
11536 default "0x1000000"
11537 + range 0x400000 0x40000000
11538 ---help---
11539 This gives the physical address where the kernel is loaded.
11540
11541 @@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
11542 hex
11543 prompt "Alignment value to which kernel should be aligned" if X86_32
11544 default "0x1000000"
11545 + range 0x400000 0x1000000 if PAX_KERNEXEC
11546 range 0x2000 0x1000000
11547 ---help---
11548 This value puts the alignment restrictions on physical address
11549 @@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
11550 Say N if you want to disable CPU hotplug.
11551
11552 config COMPAT_VDSO
11553 - def_bool y
11554 + def_bool n
11555 prompt "Compat VDSO support"
11556 depends on X86_32 || IA32_EMULATION
11557 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
11558 ---help---
11559 Map the 32-bit VDSO to the predictable old-style address too.
11560 ---help---
11561 diff -urNp linux-2.6.32.43/arch/x86/Kconfig.cpu linux-2.6.32.43/arch/x86/Kconfig.cpu
11562 --- linux-2.6.32.43/arch/x86/Kconfig.cpu 2011-03-27 14:31:47.000000000 -0400
11563 +++ linux-2.6.32.43/arch/x86/Kconfig.cpu 2011-04-17 15:56:46.000000000 -0400
11564 @@ -340,7 +340,7 @@ config X86_PPRO_FENCE
11565
11566 config X86_F00F_BUG
11567 def_bool y
11568 - depends on M586MMX || M586TSC || M586 || M486 || M386
11569 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
11570
11571 config X86_WP_WORKS_OK
11572 def_bool y
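Review bot: Adding `&& !PAX_KERNEXEC` to `X86_F00F_BUG` compiles out the F00F erratum workaround on 586-class builds whenever KERNEXEC is selected, and nothing tells the person configuring the kernel. On affected processors that leaves the lockup reachable again. If the two options really cannot coexist, say so in a `#` comment above this `depends on` line and in the KERNEXEC help text, so that the trade-off is a choice and not a silent side effect.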
11573 @@ -360,7 +360,7 @@ config X86_POPAD_OK
11574
11575 config X86_ALIGNMENT_16
11576 def_bool y
11577 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11578 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11579
11580 config X86_INTEL_USERCOPY
11581 def_bool y
11582 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
11583 # generates cmov.
11584 config X86_CMOV
11585 def_bool y
11586 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11587 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11588
11589 config X86_MINIMUM_CPU_FAMILY
11590 int
11591 diff -urNp linux-2.6.32.43/arch/x86/Kconfig.debug linux-2.6.32.43/arch/x86/Kconfig.debug
11592 --- linux-2.6.32.43/arch/x86/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
11593 +++ linux-2.6.32.43/arch/x86/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
11594 @@ -99,7 +99,7 @@ config X86_PTDUMP
11595 config DEBUG_RODATA
11596 bool "Write protect kernel read-only data structures"
11597 default y
11598 - depends on DEBUG_KERNEL
11599 + depends on DEBUG_KERNEL && BROKEN
11600 ---help---
11601 Mark the kernel read-only data as write-protected in the pagetables,
11602 in order to catch accidental (and incorrect) writes to such const
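Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable in every configuration, including kernels that enable no PaX feature at all, so those builds lose the write protection of read-only data that the help text describes. The patch gives no reason. If the conflict is only with KERNEXEC (an assumption), `depends on DEBUG_KERNEL && !PAX_KERNEXEC` would be the narrower dependency. In either case the reason belongs in a `#` comment next to the line.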
11603 diff -urNp linux-2.6.32.43/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.43/arch/x86/kernel/acpi/realmode/Makefile
11604 --- linux-2.6.32.43/arch/x86/kernel/acpi/realmode/Makefile 2011-03-27 14:31:47.000000000 -0400
11605 +++ linux-2.6.32.43/arch/x86/kernel/acpi/realmode/Makefile 2011-08-05 20:33:55.000000000 -0400
11606 @@ -41,6 +41,7 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
11607 $(call cc-option, -fno-stack-protector) \
11608 $(call cc-option, -mpreferred-stack-boundary=2)
11609 KBUILD_CFLAGS += $(call cc-option, -m32)
11610 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
11611 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
11612 GCOV_PROFILE := n
11613
11614 diff -urNp linux-2.6.32.43/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.43/arch/x86/kernel/acpi/realmode/wakeup.S
11615 --- linux-2.6.32.43/arch/x86/kernel/acpi/realmode/wakeup.S 2011-03-27 14:31:47.000000000 -0400
11616 +++ linux-2.6.32.43/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-01 18:53:40.000000000 -0400
11617 @@ -91,6 +91,9 @@ _start:
11618 /* Do any other stuff... */
11619
11620 #ifndef CONFIG_64BIT
11621 + /* Recheck NX bit overrides (64bit path does this in trampoline) */
11622 + call verify_cpu
11623 +
11624 /* This could also be done in C code... */
11625 movl pmode_cr3, %eax
11626 movl %eax, %cr3
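Review bot: Nothing tests a result after `call verify_cpu`: the next instruction loads `pmode_cr3` into `%eax`, so any status the routine leaves in a register is overwritten. verify_cpu.S is not part of this patch hunk, so whether it reports failure that way is an assumption. If it does, either branch on the result before touching `%cr3`, or extend the comment to say the call is made only for its side effect, e.g. `/* result ignored: only the NX override recheck is wanted */`. The `_start` body continues outside the hunk.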
11627 @@ -104,7 +107,7 @@ _start:
11628 movl %eax, %ecx
11629 orl %edx, %ecx
11630 jz 1f
11631 - movl $0xc0000080, %ecx
11632 + mov $MSR_EFER, %ecx
11633 wrmsr
11634 1:
11635
11636 @@ -114,6 +117,7 @@ _start:
11637 movl pmode_cr0, %eax
11638 movl %eax, %cr0
11639 jmp pmode_return
11640 +# include "../../verify_cpu.S"
11641 #else
11642 pushw $0
11643 pushw trampoline_segment
11644 diff -urNp linux-2.6.32.43/arch/x86/kernel/acpi/sleep.c linux-2.6.32.43/arch/x86/kernel/acpi/sleep.c
11645 --- linux-2.6.32.43/arch/x86/kernel/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
11646 +++ linux-2.6.32.43/arch/x86/kernel/acpi/sleep.c 2011-07-01 19:01:34.000000000 -0400
11647 @@ -11,11 +11,12 @@
11648 #include <linux/cpumask.h>
11649 #include <asm/segment.h>
11650 #include <asm/desc.h>
11651 +#include <asm/e820.h>
11652
11653 #include "realmode/wakeup.h"
11654 #include "sleep.h"
11655
11656 -unsigned long acpi_wakeup_address;
11657 +unsigned long acpi_wakeup_address = 0x2000;
11658 unsigned long acpi_realmode_flags;
11659
11660 /* address in low memory of the wakeup routine. */
11661 @@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
11662 #else /* CONFIG_64BIT */
11663 header->trampoline_segment = setup_trampoline() >> 4;
11664 #ifdef CONFIG_SMP
11665 - stack_start.sp = temp_stack + sizeof(temp_stack);
11666 + stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
11667 +
11668 + pax_open_kernel();
11669 early_gdt_descr.address =
11670 (unsigned long)get_cpu_gdt_table(smp_processor_id());
11671 + pax_close_kernel();
11672 +
11673 initial_gs = per_cpu_offset(smp_processor_id());
11674 #endif
11675 initial_code = (unsigned long)wakeup_long64;
11676 @@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
11677 return;
11678 }
11679
11680 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
11681 -
11682 - if (!acpi_realmode) {
11683 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
11684 - return;
11685 - }
11686 -
11687 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
11688 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
11689 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
11690 }
11691
11692
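Review bot: The wakeup code is now placed at a hard-coded physical address, the `0x2000` initialiser from the first hunk of this file, and `reserve_early()` is called on that range with no visible check that it is usable and not already reserved. The removed code at least printed "S3 disabled" and returned when the low-memory allocation failed. I would give the address a named constant with a comment on why that page is safe, and state what happens on a conflict. The new assignment also ends in a stray `;;`. `acpi_reserve_bootmem` starts outside the hunk.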
11693 diff -urNp linux-2.6.32.43/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.43/arch/x86/kernel/acpi/wakeup_32.S
11694 --- linux-2.6.32.43/arch/x86/kernel/acpi/wakeup_32.S 2011-03-27 14:31:47.000000000 -0400
11695 +++ linux-2.6.32.43/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:56:46.000000000 -0400
11696 @@ -30,13 +30,11 @@ wakeup_pmode_return:
11697 # and restore the stack ... but you need gdt for this to work
11698 movl saved_context_esp, %esp
11699
11700 - movl %cs:saved_magic, %eax
11701 - cmpl $0x12345678, %eax
11702 + cmpl $0x12345678, saved_magic
11703 jne bogus_magic
11704
11705 # jump to place where we left off
11706 - movl saved_eip, %eax
11707 - jmp *%eax
11708 + jmp *(saved_eip)
11709
11710 bogus_magic:
11711 jmp bogus_magic
11712 diff -urNp linux-2.6.32.43/arch/x86/kernel/alternative.c linux-2.6.32.43/arch/x86/kernel/alternative.c
11713 --- linux-2.6.32.43/arch/x86/kernel/alternative.c 2011-03-27 14:31:47.000000000 -0400
11714 +++ linux-2.6.32.43/arch/x86/kernel/alternative.c 2011-04-17 15:56:46.000000000 -0400
11715 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
11716
11717 BUG_ON(p->len > MAX_PATCH_LEN);
11718 /* prep the buffer with the original instructions */
11719 - memcpy(insnbuf, p->instr, p->len);
11720 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
11721 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
11722 (unsigned long)p->instr, p->len);
11723
11724 @@ -475,7 +475,7 @@ void __init alternative_instructions(voi
11725 if (smp_alt_once)
11726 free_init_pages("SMP alternatives",
11727 (unsigned long)__smp_locks,
11728 - (unsigned long)__smp_locks_end);
11729 + PAGE_ALIGN((unsigned long)__smp_locks_end));
11730
11731 restart_nmi();
11732 }
11733 @@ -492,13 +492,17 @@ void __init alternative_instructions(voi
11734 * instructions. And on the local CPU you need to be protected again NMI or MCE
11735 * handlers seeing an inconsistent instruction while you patch.
11736 */
11737 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
11738 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
11739 size_t len)
11740 {
11741 unsigned long flags;
11742 local_irq_save(flags);
11743 - memcpy(addr, opcode, len);
11744 +
11745 + pax_open_kernel();
11746 + memcpy(ktla_ktva(addr), opcode, len);
11747 sync_core();
11748 + pax_close_kernel();
11749 +
11750 local_irq_restore(flags);
11751 /* Could also do a CLFLUSH here to speed up CPU recovery; but
11752 that causes hangs on some VIA CPUs. */
11753 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
11754 */
11755 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
11756 {
11757 - unsigned long flags;
11758 - char *vaddr;
11759 + unsigned char *vaddr = ktla_ktva(addr);
11760 struct page *pages[2];
11761 - int i;
11762 + size_t i;
11763
11764 if (!core_kernel_text((unsigned long)addr)) {
11765 - pages[0] = vmalloc_to_page(addr);
11766 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
11767 + pages[0] = vmalloc_to_page(vaddr);
11768 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
11769 } else {
11770 - pages[0] = virt_to_page(addr);
11771 + pages[0] = virt_to_page(vaddr);
11772 WARN_ON(!PageReserved(pages[0]));
11773 - pages[1] = virt_to_page(addr + PAGE_SIZE);
11774 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
11775 }
11776 BUG_ON(!pages[0]);
11777 - local_irq_save(flags);
11778 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
11779 - if (pages[1])
11780 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
11781 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
11782 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
11783 - clear_fixmap(FIX_TEXT_POKE0);
11784 - if (pages[1])
11785 - clear_fixmap(FIX_TEXT_POKE1);
11786 - local_flush_tlb();
11787 - sync_core();
11788 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
11789 - that causes hangs on some VIA CPUs. */
11790 + text_poke_early(addr, opcode, len);
11791 for (i = 0; i < len; i++)
11792 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
11793 - local_irq_restore(flags);
11794 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
11795 return addr;
11796 }
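Review bot: After this rewrite the `pages[]` lookups feed only `WARN_ON(!PageReserved(pages[0]))` and `BUG_ON(!pages[0])`; `pages[1]` is computed in both branches and never read, because the write now goes through `text_poke_early(addr, opcode, len)` and not through the fixmap. I would drop the array for a single `struct page *page` and remove the two `pages[1] = ...` lines, leaving `page = vmalloc_to_page(vaddr);` and `page = virt_to_page(vaddr);`. A comment should say that the lookup survives purely as a sanity check. The function's header comment is outside the hunk and may still describe the old fixmap mechanism, so it should be checked as well.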
11797 diff -urNp linux-2.6.32.43/arch/x86/kernel/amd_iommu.c linux-2.6.32.43/arch/x86/kernel/amd_iommu.c
11798 --- linux-2.6.32.43/arch/x86/kernel/amd_iommu.c 2011-03-27 14:31:47.000000000 -0400
11799 +++ linux-2.6.32.43/arch/x86/kernel/amd_iommu.c 2011-04-17 15:56:46.000000000 -0400
11800 @@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
11801 }
11802 }
11803
11804 -static struct dma_map_ops amd_iommu_dma_ops = {
11805 +static const struct dma_map_ops amd_iommu_dma_ops = {
11806 .alloc_coherent = alloc_coherent,
11807 .free_coherent = free_coherent,
11808 .map_page = map_page,
11809 diff -urNp linux-2.6.32.43/arch/x86/kernel/apic/apic.c linux-2.6.32.43/arch/x86/kernel/apic/apic.c
11810 --- linux-2.6.32.43/arch/x86/kernel/apic/apic.c 2011-03-27 14:31:47.000000000 -0400
11811 +++ linux-2.6.32.43/arch/x86/kernel/apic/apic.c 2011-05-16 21:46:57.000000000 -0400
11812 @@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
11813 apic_write(APIC_ESR, 0);
11814 v1 = apic_read(APIC_ESR);
11815 ack_APIC_irq();
11816 - atomic_inc(&irq_err_count);
11817 + atomic_inc_unchecked(&irq_err_count);
11818
11819 /*
11820 * Here is what the APIC error bits mean:
11821 @@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
11822 u16 *bios_cpu_apicid;
11823 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
11824
11825 + pax_track_stack();
11826 +
11827 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
11828 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
11829
11830 diff -urNp linux-2.6.32.43/arch/x86/kernel/apic/io_apic.c linux-2.6.32.43/arch/x86/kernel/apic/io_apic.c
11831 --- linux-2.6.32.43/arch/x86/kernel/apic/io_apic.c 2011-03-27 14:31:47.000000000 -0400
11832 +++ linux-2.6.32.43/arch/x86/kernel/apic/io_apic.c 2011-05-04 17:56:20.000000000 -0400
11833 @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
11834 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
11835 GFP_ATOMIC);
11836 if (!ioapic_entries)
11837 - return 0;
11838 + return NULL;
11839
11840 for (apic = 0; apic < nr_ioapics; apic++) {
11841 ioapic_entries[apic] =
11842 @@ -733,7 +733,7 @@ nomem:
11843 kfree(ioapic_entries[apic]);
11844 kfree(ioapic_entries);
11845
11846 - return 0;
11847 + return NULL;
11848 }
11849
11850 /*
11851 @@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
11852 }
11853 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
11854
11855 -void lock_vector_lock(void)
11856 +void lock_vector_lock(void) __acquires(vector_lock)
11857 {
11858 /* Used to the online set of cpus does not change
11859 * during assign_irq_vector.
11860 @@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
11861 spin_lock(&vector_lock);
11862 }
11863
11864 -void unlock_vector_lock(void)
11865 +void unlock_vector_lock(void) __releases(vector_lock)
11866 {
11867 spin_unlock(&vector_lock);
11868 }
11869 @@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
11870 ack_APIC_irq();
11871 }
11872
11873 -atomic_t irq_mis_count;
11874 +atomic_unchecked_t irq_mis_count;
11875
11876 static void ack_apic_level(unsigned int irq)
11877 {
11878 @@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
11879
11880 /* Tail end of version 0x11 I/O APIC bug workaround */
11881 if (!(v & (1 << (i & 0x1f)))) {
11882 - atomic_inc(&irq_mis_count);
11883 + atomic_inc_unchecked(&irq_mis_count);
11884 spin_lock(&ioapic_lock);
11885 __mask_and_edge_IO_APIC_irq(cfg);
11886 __unmask_and_level_IO_APIC_irq(cfg);
11887 diff -urNp linux-2.6.32.43/arch/x86/kernel/apm_32.c linux-2.6.32.43/arch/x86/kernel/apm_32.c
11888 --- linux-2.6.32.43/arch/x86/kernel/apm_32.c 2011-03-27 14:31:47.000000000 -0400
11889 +++ linux-2.6.32.43/arch/x86/kernel/apm_32.c 2011-04-23 12:56:10.000000000 -0400
11890 @@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
11891 * This is for buggy BIOS's that refer to (real mode) segment 0x40
11892 * even though they are called in protected mode.
11893 */
11894 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
11895 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
11896 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
11897
11898 static const char driver_version[] = "1.16ac"; /* no spaces */
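Review bot: The access word of `bad_bios_desc` changes from `0x4092` to `0x4093` without comment; the only difference is the descriptor's accessed bit, which is now preset. That is presumably what allows the table entry to be `const` and copied into a GDT the processor cannot write to, but a reader should not have to work that out from the constant. A comment on the initialiser such as `/* 0x93: accessed bit preset so the CPU never writes the descriptor back */` would cover it, once the author confirms the reason.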
11899 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
11900 BUG_ON(cpu != 0);
11901 gdt = get_cpu_gdt_table(cpu);
11902 save_desc_40 = gdt[0x40 / 8];
11903 +
11904 + pax_open_kernel();
11905 gdt[0x40 / 8] = bad_bios_desc;
11906 + pax_close_kernel();
11907
11908 apm_irq_save(flags);
11909 APM_DO_SAVE_SEGS;
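Review bot: The same open/store/close sequence on `gdt[0x40 / 8]` is now written out four times: here, in the next hunk of `__apm_bios_call`, and twice in `__apm_bios_call_simple`. A small static helper would keep each writable window to the single store and remove the chance of a missed `pax_close_kernel()` in one of the copies. Both functions start and end outside their hunks.

```c
/* Store @desc into GDT slot 0x40; the kernel is opened only for this one write. */
static inline void apm_set_desc_40(struct desc_struct *gdt,
				   struct desc_struct desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = desc;
	pax_close_kernel();
}

/* … unchanged: cpu check and gdt lookup … */
	save_desc_40 = gdt[0x40 / 8];
	apm_set_desc_40(gdt, bad_bios_desc);
/* … unchanged: BIOS call with segments saved and restored … */
	apm_set_desc_40(gdt, save_desc_40);
```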
11910 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
11911 &call->esi);
11912 APM_DO_RESTORE_SEGS;
11913 apm_irq_restore(flags);
11914 +
11915 + pax_open_kernel();
11916 gdt[0x40 / 8] = save_desc_40;
11917 + pax_close_kernel();
11918 +
11919 put_cpu();
11920
11921 return call->eax & 0xff;
11922 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
11923 BUG_ON(cpu != 0);
11924 gdt = get_cpu_gdt_table(cpu);
11925 save_desc_40 = gdt[0x40 / 8];
11926 +
11927 + pax_open_kernel();
11928 gdt[0x40 / 8] = bad_bios_desc;
11929 + pax_close_kernel();
11930
11931 apm_irq_save(flags);
11932 APM_DO_SAVE_SEGS;
11933 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
11934 &call->eax);
11935 APM_DO_RESTORE_SEGS;
11936 apm_irq_restore(flags);
11937 +
11938 + pax_open_kernel();
11939 gdt[0x40 / 8] = save_desc_40;
11940 + pax_close_kernel();
11941 +
11942 put_cpu();
11943 return error;
11944 }
11945 @@ -975,7 +989,7 @@ recalc:
11946
11947 static void apm_power_off(void)
11948 {
11949 - unsigned char po_bios_call[] = {
11950 + const unsigned char po_bios_call[] = {
11951 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
11952 0x8e, 0xd0, /* movw ax,ss */
11953 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
11954 @@ -2357,12 +2371,15 @@ static int __init apm_init(void)
11955 * code to that CPU.
11956 */
11957 gdt = get_cpu_gdt_table(0);
11958 +
11959 + pax_open_kernel();
11960 set_desc_base(&gdt[APM_CS >> 3],
11961 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
11962 set_desc_base(&gdt[APM_CS_16 >> 3],
11963 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
11964 set_desc_base(&gdt[APM_DS >> 3],
11965 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
11966 + pax_close_kernel();
11967
11968 proc_create("apm", 0, NULL, &apm_file_ops);
11969
11970 diff -urNp linux-2.6.32.43/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.43/arch/x86/kernel/asm-offsets_32.c
11971 --- linux-2.6.32.43/arch/x86/kernel/asm-offsets_32.c 2011-03-27 14:31:47.000000000 -0400
11972 +++ linux-2.6.32.43/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:46:57.000000000 -0400
11973 @@ -51,7 +51,6 @@ void foo(void)
11974 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
11975 BLANK();
11976
11977 - OFFSET(TI_task, thread_info, task);
11978 OFFSET(TI_exec_domain, thread_info, exec_domain);
11979 OFFSET(TI_flags, thread_info, flags);
11980 OFFSET(TI_status, thread_info, status);
11981 @@ -60,6 +59,8 @@ void foo(void)
11982 OFFSET(TI_restart_block, thread_info, restart_block);
11983 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
11984 OFFSET(TI_cpu, thread_info, cpu);
11985 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
11986 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11987 BLANK();
11988
11989 OFFSET(GDS_size, desc_ptr, size);
11990 @@ -99,6 +100,7 @@ void foo(void)
11991
11992 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
11993 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
11994 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
11995 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
11996 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
11997 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
11998 @@ -115,6 +117,11 @@ void foo(void)
11999 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
12000 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12001 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12002 +
12003 +#ifdef CONFIG_PAX_KERNEXEC
12004 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12005 +#endif
12006 +
12007 #endif
12008
12009 #ifdef CONFIG_XEN
12010 diff -urNp linux-2.6.32.43/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.43/arch/x86/kernel/asm-offsets_64.c
12011 --- linux-2.6.32.43/arch/x86/kernel/asm-offsets_64.c 2011-03-27 14:31:47.000000000 -0400
12012 +++ linux-2.6.32.43/arch/x86/kernel/asm-offsets_64.c 2011-05-16 21:46:57.000000000 -0400
12013 @@ -44,6 +44,8 @@ int main(void)
12014 ENTRY(addr_limit);
12015 ENTRY(preempt_count);
12016 ENTRY(status);
12017 + ENTRY(lowest_stack);
12018 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12019 #ifdef CONFIG_IA32_EMULATION
12020 ENTRY(sysenter_return);
12021 #endif
12022 @@ -63,6 +65,18 @@ int main(void)
12023 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12024 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
12025 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12026 +
12027 +#ifdef CONFIG_PAX_KERNEXEC
12028 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12029 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12030 +#endif
12031 +
12032 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12033 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12034 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12035 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
12036 +#endif
12037 +
12038 #endif
12039
12040
12041 @@ -115,6 +129,7 @@ int main(void)
12042 ENTRY(cr8);
12043 BLANK();
12044 #undef ENTRY
12045 + DEFINE(TSS_size, sizeof(struct tss_struct));
12046 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
12047 BLANK();
12048 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
12049 @@ -130,6 +145,7 @@ int main(void)
12050
12051 BLANK();
12052 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12053 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12054 #ifdef CONFIG_XEN
12055 BLANK();
12056 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
12057 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/amd.c linux-2.6.32.43/arch/x86/kernel/cpu/amd.c
12058 --- linux-2.6.32.43/arch/x86/kernel/cpu/amd.c 2011-06-25 12:55:34.000000000 -0400
12059 +++ linux-2.6.32.43/arch/x86/kernel/cpu/amd.c 2011-06-25 12:56:37.000000000 -0400
12060 @@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
12061 unsigned int size)
12062 {
12063 /* AMD errata T13 (order #21922) */
12064 - if ((c->x86 == 6)) {
12065 + if (c->x86 == 6) {
12066 /* Duron Rev A0 */
12067 if (c->x86_model == 3 && c->x86_mask == 0)
12068 size = 64;
12069 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/common.c linux-2.6.32.43/arch/x86/kernel/cpu/common.c
12070 --- linux-2.6.32.43/arch/x86/kernel/cpu/common.c 2011-03-27 14:31:47.000000000 -0400
12071 +++ linux-2.6.32.43/arch/x86/kernel/cpu/common.c 2011-05-11 18:25:15.000000000 -0400
12072 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12073
12074 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12075
12076 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12077 -#ifdef CONFIG_X86_64
12078 - /*
12079 - * We need valid kernel segments for data and code in long mode too
12080 - * IRET will check the segment types kkeil 2000/10/28
12081 - * Also sysret mandates a special GDT layout
12082 - *
12083 - * TLS descriptors are currently at a different place compared to i386.
12084 - * Hopefully nobody expects them at a fixed place (Wine?)
12085 - */
12086 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12087 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12088 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12089 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12090 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12091 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12092 -#else
12093 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12094 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12095 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12096 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12097 - /*
12098 - * Segments used for calling PnP BIOS have byte granularity.
12099 - * They code segments and data segments have fixed 64k limits,
12100 - * the transfer segment sizes are set at run time.
12101 - */
12102 - /* 32-bit code */
12103 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12104 - /* 16-bit code */
12105 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12106 - /* 16-bit data */
12107 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12108 - /* 16-bit data */
12109 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12110 - /* 16-bit data */
12111 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12112 - /*
12113 - * The APM segments have byte granularity and their bases
12114 - * are set at run time. All have 64k limits.
12115 - */
12116 - /* 32-bit code */
12117 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12118 - /* 16-bit code */
12119 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12120 - /* data */
12121 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
12122 -
12123 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12124 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12125 - GDT_STACK_CANARY_INIT
12126 -#endif
12127 -} };
12128 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
12129 -
12130 static int __init x86_xsave_setup(char *s)
12131 {
12132 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
12133 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
12134 {
12135 struct desc_ptr gdt_descr;
12136
12137 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
12138 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12139 gdt_descr.size = GDT_SIZE - 1;
12140 load_gdt(&gdt_descr);
12141 /* Reload the per-cpu base */
12142 @@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
12143 /* Filter out anything that depends on CPUID levels we don't have */
12144 filter_cpuid_features(c, true);
12145
12146 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
12147 + setup_clear_cpu_cap(X86_FEATURE_SEP);
12148 +#endif
12149 +
12150 /* If the model name is still unset, do table lookup. */
12151 if (!c->x86_model_id[0]) {
12152 const char *p;
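Review bot: The added `#if` block that calls `setup_clear_cpu_cap(X86_FEATURE_SEP)` carries no comment saying why SEP has to be hidden under SEGMEXEC, KERNEXEC or 32-bit UDEREF. Without one, a later reader cannot tell whether the condition list is still complete when another option is added. If the reason is that the SYSENTER path cannot be used with the segment layout these options install, say so above the block: `/* PaX: SYSENTER is incompatible with these segment setups, hide SEP */`. That reason is inferred rather than visible here, and identify_cpu's body continues outside the hunk.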
12153 @@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
12154 }
12155 __setup("clearcpuid=", setup_disablecpuid);
12156
12157 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
12158 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
12159 +
12160 #ifdef CONFIG_X86_64
12161 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
12162
12163 @@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
12164 EXPORT_PER_CPU_SYMBOL(current_task);
12165
12166 DEFINE_PER_CPU(unsigned long, kernel_stack) =
12167 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
12168 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
12169 EXPORT_PER_CPU_SYMBOL(kernel_stack);
12170
12171 DEFINE_PER_CPU(char *, irq_stack_ptr) =
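Review bot: The `kernel_stack` initializer now subtracts a bare `16` where the old line used `KERNEL_STACK_OFFSET`, so the offset can no longer be found by searching for the macro name. If the macro's value was changed or removed elsewhere in the patch, keep a named constant here. Failing that, annotate the literal, e.g. `/* 16: two words reserved at the top of the stack */`, if that is what the bytes are for. Whatever entry code depends on this offset is outside the hunk and has to agree with it.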
12172 @@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
12173 {
12174 memset(regs, 0, sizeof(struct pt_regs));
12175 regs->fs = __KERNEL_PERCPU;
12176 - regs->gs = __KERNEL_STACK_CANARY;
12177 + savesegment(gs, regs->gs);
12178
12179 return regs;
12180 }
12181 @@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
12182 int i;
12183
12184 cpu = stack_smp_processor_id();
12185 - t = &per_cpu(init_tss, cpu);
12186 + t = init_tss + cpu;
12187 orig_ist = &per_cpu(orig_ist, cpu);
12188
12189 #ifdef CONFIG_NUMA
12190 @@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
12191 switch_to_new_gdt(cpu);
12192 loadsegment(fs, 0);
12193
12194 - load_idt((const struct desc_ptr *)&idt_descr);
12195 + load_idt(&idt_descr);
12196
12197 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
12198 syscall_init();
12199 @@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
12200 wrmsrl(MSR_KERNEL_GS_BASE, 0);
12201 barrier();
12202
12203 - check_efer();
12204 if (cpu != 0)
12205 enable_x2apic();
12206
12207 @@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
12208 {
12209 int cpu = smp_processor_id();
12210 struct task_struct *curr = current;
12211 - struct tss_struct *t = &per_cpu(init_tss, cpu);
12212 + struct tss_struct *t = init_tss + cpu;
12213 struct thread_struct *thread = &curr->thread;
12214
12215 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
12216 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/intel.c linux-2.6.32.43/arch/x86/kernel/cpu/intel.c
12217 --- linux-2.6.32.43/arch/x86/kernel/cpu/intel.c 2011-03-27 14:31:47.000000000 -0400
12218 +++ linux-2.6.32.43/arch/x86/kernel/cpu/intel.c 2011-04-17 15:56:46.000000000 -0400
12219 @@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
12220 * Update the IDT descriptor and reload the IDT so that
12221 * it uses the read-only mapped virtual address.
12222 */
12223 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
12224 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
12225 load_idt(&idt_descr);
12226 }
12227 #endif
12228 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.43/arch/x86/kernel/cpu/intel_cacheinfo.c
12229 --- linux-2.6.32.43/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
12230 +++ linux-2.6.32.43/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-04-17 15:56:46.000000000 -0400
12231 @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
12232 return ret;
12233 }
12234
12235 -static struct sysfs_ops sysfs_ops = {
12236 +static const struct sysfs_ops sysfs_ops = {
12237 .show = show,
12238 .store = store,
12239 };
12240 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/Makefile linux-2.6.32.43/arch/x86/kernel/cpu/Makefile
12241 --- linux-2.6.32.43/arch/x86/kernel/cpu/Makefile 2011-03-27 14:31:47.000000000 -0400
12242 +++ linux-2.6.32.43/arch/x86/kernel/cpu/Makefile 2011-04-17 15:56:46.000000000 -0400
12243 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
12244 CFLAGS_REMOVE_common.o = -pg
12245 endif
12246
12247 -# Make sure load_percpu_segment has no stackprotector
12248 -nostackp := $(call cc-option, -fno-stack-protector)
12249 -CFLAGS_common.o := $(nostackp)
12250 -
12251 obj-y := intel_cacheinfo.o addon_cpuid_features.o
12252 obj-y += proc.o capflags.o powerflags.o common.o
12253 obj-y += vmware.o hypervisor.o sched.o
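Review bot: Removing `CFLAGS_common.o := $(nostackp)` drops the guarantee spelled out in the deleted comment, that `load_percpu_segment` is built without the stack protector, and nothing in this hunk shows what replaces it. If the stack protector can no longer be enabled together with this patch's options, a one-line comment here saying so would make the removal safe to read. Otherwise common.o could run instrumented code before the canary segment exists. The common.c hunk of this patch also deletes `GDT_STACK_CANARY_INIT` along with the old `gdt_page` definition, which suggests the two changes belong together, but that link is inferred.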
12254 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce_amd.c
12255 --- linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:56:59.000000000 -0400
12256 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:57:13.000000000 -0400
12257 @@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
12258 return ret;
12259 }
12260
12261 -static struct sysfs_ops threshold_ops = {
12262 +static const struct sysfs_ops threshold_ops = {
12263 .show = show,
12264 .store = store,
12265 };
12266 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce.c
12267 --- linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-27 14:31:47.000000000 -0400
12268 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-04 17:56:20.000000000 -0400
12269 @@ -43,6 +43,7 @@
12270 #include <asm/ipi.h>
12271 #include <asm/mce.h>
12272 #include <asm/msr.h>
12273 +#include <asm/local.h>
12274
12275 #include "mce-internal.h"
12276
12277 @@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
12278 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
12279 m->cs, m->ip);
12280
12281 - if (m->cs == __KERNEL_CS)
12282 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
12283 print_symbol("{%s}", m->ip);
12284 pr_cont("\n");
12285 }
12286 @@ -221,10 +222,10 @@ static void print_mce_tail(void)
12287
12288 #define PANIC_TIMEOUT 5 /* 5 seconds */
12289
12290 -static atomic_t mce_paniced;
12291 +static atomic_unchecked_t mce_paniced;
12292
12293 static int fake_panic;
12294 -static atomic_t mce_fake_paniced;
12295 +static atomic_unchecked_t mce_fake_paniced;
12296
12297 /* Panic in progress. Enable interrupts and wait for final IPI */
12298 static void wait_for_panic(void)
12299 @@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
12300 /*
12301 * Make sure only one CPU runs in machine check panic
12302 */
12303 - if (atomic_inc_return(&mce_paniced) > 1)
12304 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
12305 wait_for_panic();
12306 barrier();
12307
12308 @@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
12309 console_verbose();
12310 } else {
12311 /* Don't log too much for fake panic */
12312 - if (atomic_inc_return(&mce_fake_paniced) > 1)
12313 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
12314 return;
12315 }
12316 print_mce_head();
12317 @@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
12318 * might have been modified by someone else.
12319 */
12320 rmb();
12321 - if (atomic_read(&mce_paniced))
12322 + if (atomic_read_unchecked(&mce_paniced))
12323 wait_for_panic();
12324 if (!monarch_timeout)
12325 goto out;
12326 @@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
12327 */
12328
12329 static DEFINE_SPINLOCK(mce_state_lock);
12330 -static int open_count; /* #times opened */
12331 +static local_t open_count; /* #times opened */
12332 static int open_exclu; /* already open exclusive? */
12333
12334 static int mce_open(struct inode *inode, struct file *file)
12335 {
12336 spin_lock(&mce_state_lock);
12337
12338 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
12339 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
12340 spin_unlock(&mce_state_lock);
12341
12342 return -EBUSY;
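Review bot: `open_count` becomes a `local_t`, a type normally used for per-CPU counters, yet it remains a single file-scope variable. In the visible lines, here and in the `local_inc`/`local_dec` hunks that follow, it is touched only under `mce_state_lock`. The motive is not visible, so the declaration should state it; if the aim is to route the counter through the patch's overflow-checked helpers, extend the trailing comment to `/* #times opened; local_t for overflow-checked inc/dec */`. mce_open continues outside the hunk.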
12343 @@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
12344
12345 if (file->f_flags & O_EXCL)
12346 open_exclu = 1;
12347 - open_count++;
12348 + local_inc(&open_count);
12349
12350 spin_unlock(&mce_state_lock);
12351
12352 @@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
12353 {
12354 spin_lock(&mce_state_lock);
12355
12356 - open_count--;
12357 + local_dec(&open_count);
12358 open_exclu = 0;
12359
12360 spin_unlock(&mce_state_lock);
12361 @@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
12362 static void mce_reset(void)
12363 {
12364 cpu_missing = 0;
12365 - atomic_set(&mce_fake_paniced, 0);
12366 + atomic_set_unchecked(&mce_fake_paniced, 0);
12367 atomic_set(&mce_executing, 0);
12368 atomic_set(&mce_callin, 0);
12369 atomic_set(&global_nwo, 0);
12370 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce-inject.c
12371 --- linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-03-27 14:31:47.000000000 -0400
12372 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-08-05 20:33:55.000000000 -0400
12373 @@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
12374 static int inject_init(void)
12375 {
12376 printk(KERN_INFO "Machine check injector initialized\n");
12377 - mce_chrdev_ops.write = mce_write;
12378 + pax_open_kernel();
12379 + *(void **)&mce_chrdev_ops.write = mce_write;
12380 + pax_close_kernel();
12381 register_die_notifier(&mce_raise_nb);
12382 return 0;
12383 }
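Review bot: The store `*(void **)&mce_chrdev_ops.write = mce_write;` goes through a `void **` cast, which discards the member's qualifiers and its function-pointer type. The compiler would therefore stay silent if `mce_write`'s signature stopped matching the `write` slot. A cast to the member's own pointer type keeps that check. The open/close pair also deserves a comment such as `/* mce_chrdev_ops is write-protected; open a short window to install the injector's handler */`, assuming `mce_chrdev_ops` is made const or read-only elsewhere in the patch, which this hunk does not show. Nothing beyond the single store should sit between `pax_open_kernel()` and `pax_close_kernel()`.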
12384 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/amd.c
12385 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/amd.c 2011-03-27 14:31:47.000000000 -0400
12386 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/amd.c 2011-04-17 15:56:46.000000000 -0400
12387 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
12388 return 0;
12389 }
12390
12391 -static struct mtrr_ops amd_mtrr_ops = {
12392 +static const struct mtrr_ops amd_mtrr_ops = {
12393 .vendor = X86_VENDOR_AMD,
12394 .set = amd_set_mtrr,
12395 .get = amd_get_mtrr,
12396 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/centaur.c
12397 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/centaur.c 2011-03-27 14:31:47.000000000 -0400
12398 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/centaur.c 2011-04-17 15:56:46.000000000 -0400
12399 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
12400 return 0;
12401 }
12402
12403 -static struct mtrr_ops centaur_mtrr_ops = {
12404 +static const struct mtrr_ops centaur_mtrr_ops = {
12405 .vendor = X86_VENDOR_CENTAUR,
12406 .set = centaur_set_mcr,
12407 .get = centaur_get_mcr,
12408 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/cyrix.c
12409 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-03-27 14:31:47.000000000 -0400
12410 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-04-17 15:56:46.000000000 -0400
12411 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
12412 post_set();
12413 }
12414
12415 -static struct mtrr_ops cyrix_mtrr_ops = {
12416 +static const struct mtrr_ops cyrix_mtrr_ops = {
12417 .vendor = X86_VENDOR_CYRIX,
12418 .set_all = cyrix_set_all,
12419 .set = cyrix_set_arr,
12420 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/generic.c
12421 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-27 14:31:47.000000000 -0400
12422 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-23 12:56:10.000000000 -0400
12423 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
12424 /*
12425 * Generic structure...
12426 */
12427 -struct mtrr_ops generic_mtrr_ops = {
12428 +const struct mtrr_ops generic_mtrr_ops = {
12429 .use_intel_if = 1,
12430 .set_all = generic_set_all,
12431 .get = generic_get_mtrr,
12432 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/main.c
12433 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:00:52.000000000 -0400
12434 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:03:05.000000000 -0400
12435 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
12436 u64 size_or_mask, size_and_mask;
12437 static bool mtrr_aps_delayed_init;
12438
12439 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
12440 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
12441
12442 -struct mtrr_ops *mtrr_if;
12443 +const struct mtrr_ops *mtrr_if;
12444
12445 static void set_mtrr(unsigned int reg, unsigned long base,
12446 unsigned long size, mtrr_type type);
12447
12448 -void set_mtrr_ops(struct mtrr_ops *ops)
12449 +void set_mtrr_ops(const struct mtrr_ops *ops)
12450 {
12451 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12452 mtrr_ops[ops->vendor] = ops;
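Review bot: `mtrr_ops[]` is now tagged `__read_only`, but `set_mtrr_ops()` in the same hunk still stores into it with `mtrr_ops[ops->vendor] = ops;` and has no `__init` annotation. If `__read_only` data is write-protected once boot finishes, a late caller would fault. Mark the function `__init` if every caller is init code (not visible here), or add `/* boot-time only: mtrr_ops[] is read-only after init */` above it. `mtrr_if` now points to const data but is not itself `__read_only`, so the pointer stays writable; worth stating whether that is intended. set_mtrr_ops's body ends outside the hunk.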
12453 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/mtrr.h
12454 --- linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-27 14:31:47.000000000 -0400
12455 +++ linux-2.6.32.43/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-04-17 15:56:46.000000000 -0400
12456 @@ -12,19 +12,19 @@
12457 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
12458
12459 struct mtrr_ops {
12460 - u32 vendor;
12461 - u32 use_intel_if;
12462 - void (*set)(unsigned int reg, unsigned long base,
12463 + const u32 vendor;
12464 + const u32 use_intel_if;
12465 + void (* const set)(unsigned int reg, unsigned long base,
12466 unsigned long size, mtrr_type type);
12467 - void (*set_all)(void);
12468 + void (* const set_all)(void);
12469
12470 - void (*get)(unsigned int reg, unsigned long *base,
12471 + void (* const get)(unsigned int reg, unsigned long *base,
12472 unsigned long *size, mtrr_type *type);
12473 - int (*get_free_region)(unsigned long base, unsigned long size,
12474 + int (* const get_free_region)(unsigned long base, unsigned long size,
12475 int replace_reg);
12476 - int (*validate_add_page)(unsigned long base, unsigned long size,
12477 + int (* const validate_add_page)(unsigned long base, unsigned long size,
12478 unsigned int type);
12479 - int (*have_wrcomb)(void);
12480 + int (* const have_wrcomb)(void);
12481 };
12482
12483 extern int generic_get_free_region(unsigned long base, unsigned long size,
12484 @@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
12485 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12486 unsigned int type);
12487
12488 -extern struct mtrr_ops generic_mtrr_ops;
12489 +extern const struct mtrr_ops generic_mtrr_ops;
12490
12491 extern int positive_have_wrcomb(void);
12492
12493 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12494 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12495 void get_mtrr_state(void);
12496
12497 -extern void set_mtrr_ops(struct mtrr_ops *ops);
12498 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
12499
12500 extern u64 size_or_mask, size_and_mask;
12501 -extern struct mtrr_ops *mtrr_if;
12502 +extern const struct mtrr_ops *mtrr_if;
12503
12504 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12505 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12506 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.43/arch/x86/kernel/cpu/perfctr-watchdog.c
12507 --- linux-2.6.32.43/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-03-27 14:31:47.000000000 -0400
12508 +++ linux-2.6.32.43/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-04-17 15:56:46.000000000 -0400
12509 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12510
12511 /* Interface defining a CPU specific perfctr watchdog */
12512 struct wd_ops {
12513 - int (*reserve)(void);
12514 - void (*unreserve)(void);
12515 - int (*setup)(unsigned nmi_hz);
12516 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12517 - void (*stop)(void);
12518 + int (* const reserve)(void);
12519 + void (* const unreserve)(void);
12520 + int (* const setup)(unsigned nmi_hz);
12521 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12522 + void (* const stop)(void);
12523 unsigned perfctr;
12524 unsigned evntsel;
12525 u64 checkbit;
12526 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
12527 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
12528 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
12529
12530 +/* cannot be const */
12531 static struct wd_ops intel_arch_wd_ops;
12532
12533 static int setup_intel_arch_watchdog(unsigned nmi_hz)
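Review bot: The added `/* cannot be const */` on `intel_arch_wd_ops` says what but not why, and the same bare comment is repeated on the definition in the next hunk. The first hunk of this file makes every function pointer in `struct wd_ops` `const`, so only the data members shown after them (`perfctr`, `evntsel`, `checkbit`) remain assignable. If one of those is written at run time, presumably in `setup_intel_arch_watchdog` whose body is outside these hunks, name it: `/* cannot be const: setup_intel_arch_watchdog() fills in fields at run time */`.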
12534 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
12535 return 1;
12536 }
12537
12538 +/* cannot be const */
12539 static struct wd_ops intel_arch_wd_ops __read_mostly = {
12540 .reserve = single_msr_reserve,
12541 .unreserve = single_msr_unreserve,
12542 diff -urNp linux-2.6.32.43/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.43/arch/x86/kernel/cpu/perf_event.c
12543 --- linux-2.6.32.43/arch/x86/kernel/cpu/perf_event.c 2011-03-27 14:31:47.000000000 -0400
12544 +++ linux-2.6.32.43/arch/x86/kernel/cpu/perf_event.c 2011-05-04 17:56:20.000000000 -0400
12545 @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
12546 * count to the generic event atomically:
12547 */
12548 again:
12549 - prev_raw_count = atomic64_read(&hwc->prev_count);
12550 + prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
12551 rdmsrl(hwc->event_base + idx, new_raw_count);
12552
12553 - if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
12554 + if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
12555 new_raw_count) != prev_raw_count)
12556 goto again;
12557
12558 @@ -741,7 +741,7 @@ again:
12559 delta = (new_raw_count << shift) - (prev_raw_count << shift);
12560 delta >>= shift;
12561
12562 - atomic64_add(delta, &event->count);
12563 + atomic64_add_unchecked(delta, &event->count);
12564 atomic64_sub(delta, &hwc->period_left);
12565
12566 return new_raw_count;
12567 @@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
12568 * The hw event starts counting from this event offset,
12569 * mark it to be able to extra future deltas:
12570 */
12571 - atomic64_set(&hwc->prev_count, (u64)-left);
12572 + atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
12573
12574 err = checking_wrmsrl(hwc->event_base + idx,
12575 (u64)(-left) & x86_pmu.event_mask);
12576 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
12577 break;
12578
12579 callchain_store(entry, frame.return_address);
12580 - fp = frame.next_frame;
12581 + fp = (__force const void __user *)frame.next_frame;
12582 }
12583 }
12584
12585 diff -urNp linux-2.6.32.43/arch/x86/kernel/crash.c linux-2.6.32.43/arch/x86/kernel/crash.c
12586 --- linux-2.6.32.43/arch/x86/kernel/crash.c 2011-03-27 14:31:47.000000000 -0400
12587 +++ linux-2.6.32.43/arch/x86/kernel/crash.c 2011-04-17 15:56:46.000000000 -0400
12588 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
12589 regs = args->regs;
12590
12591 #ifdef CONFIG_X86_32
12592 - if (!user_mode_vm(regs)) {
12593 + if (!user_mode(regs)) {
12594 crash_fixup_ss_esp(&fixed_regs, regs);
12595 regs = &fixed_regs;
12596 }
12597 diff -urNp linux-2.6.32.43/arch/x86/kernel/doublefault_32.c linux-2.6.32.43/arch/x86/kernel/doublefault_32.c
12598 --- linux-2.6.32.43/arch/x86/kernel/doublefault_32.c 2011-03-27 14:31:47.000000000 -0400
12599 +++ linux-2.6.32.43/arch/x86/kernel/doublefault_32.c 2011-04-17 15:56:46.000000000 -0400
12600 @@ -11,7 +11,7 @@
12601
12602 #define DOUBLEFAULT_STACKSIZE (1024)
12603 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
12604 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
12605 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
12606
12607 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
12608
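Review bot: `STACK_START` now ends in `-2` with no explanation. Because `doublefault_stack` is an `unsigned long` array, that is two words below the top rather than two bytes, which is easy to misread. A comment above the macro, e.g. `/* leave the top two words of the double-fault stack unused */` together with the reason, would document it. It looks like the 32-bit counterpart of the literal `16` this patch puts into the `kernel_stack` initializer in cpu/common.c, but that link is inferred.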
12609 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
12610 unsigned long gdt, tss;
12611
12612 store_gdt(&gdt_desc);
12613 - gdt = gdt_desc.address;
12614 + gdt = (unsigned long)gdt_desc.address;
12615
12616 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
12617
12618 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
12619 /* 0x2 bit is always set */
12620 .flags = X86_EFLAGS_SF | 0x2,
12621 .sp = STACK_START,
12622 - .es = __USER_DS,
12623 + .es = __KERNEL_DS,
12624 .cs = __KERNEL_CS,
12625 .ss = __KERNEL_DS,
12626 - .ds = __USER_DS,
12627 + .ds = __KERNEL_DS,
12628 .fs = __KERNEL_PERCPU,
12629
12630 .__cr3 = __pa_nodebug(swapper_pg_dir),
12631 diff -urNp linux-2.6.32.43/arch/x86/kernel/dumpstack_32.c linux-2.6.32.43/arch/x86/kernel/dumpstack_32.c
12632 --- linux-2.6.32.43/arch/x86/kernel/dumpstack_32.c 2011-03-27 14:31:47.000000000 -0400
12633 +++ linux-2.6.32.43/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:56:46.000000000 -0400
12634 @@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
12635 #endif
12636
12637 for (;;) {
12638 - struct thread_info *context;
12639 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12640 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12641
12642 - context = (struct thread_info *)
12643 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
12644 - bp = print_context_stack(context, stack, bp, ops,
12645 - data, NULL, &graph);
12646 -
12647 - stack = (unsigned long *)context->previous_esp;
12648 - if (!stack)
12649 + if (stack_start == task_stack_page(task))
12650 break;
12651 + stack = *(unsigned long **)stack_start;
12652 if (ops->stack(data, "IRQ") < 0)
12653 break;
12654 touch_nmi_watchdog();
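Review bot: The loop now follows `stack = *(unsigned long **)stack_start;` unconditionally, whereas the removed code stopped on `if (!stack) break;`. The only exit left before the load is `stack_start == task_stack_page(task)`. If the first word of a non-task stack is ever zero or stale, the next iteration masks that value into a new `stack_start` and dereferences it, inside the code that is meant to report the crash. I would keep the old guard directly after the load: `if (!stack) break;`. The change relies on the previous stack pointer being stored at the base of each IRQ stack, which is outside this hunk, as are the start and end of dump_trace.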
12655 @@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
12656 * When in-kernel, we also print out the stack and code at the
12657 * time of the fault..
12658 */
12659 - if (!user_mode_vm(regs)) {
12660 + if (!user_mode(regs)) {
12661 unsigned int code_prologue = code_bytes * 43 / 64;
12662 unsigned int code_len = code_bytes;
12663 unsigned char c;
12664 u8 *ip;
12665 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
12666
12667 printk(KERN_EMERG "Stack:\n");
12668 show_stack_log_lvl(NULL, regs, &regs->sp,
12669 @@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
12670
12671 printk(KERN_EMERG "Code: ");
12672
12673 - ip = (u8 *)regs->ip - code_prologue;
12674 + ip = (u8 *)regs->ip - code_prologue + cs_base;
12675 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
12676 /* try starting at IP */
12677 - ip = (u8 *)regs->ip;
12678 + ip = (u8 *)regs->ip + cs_base;
12679 code_len = code_len - code_prologue + 1;
12680 }
12681 for (i = 0; i < code_len; i++, ip++) {
12682 @@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
12683 printk(" Bad EIP value.");
12684 break;
12685 }
12686 - if (ip == (u8 *)regs->ip)
12687 + if (ip == (u8 *)regs->ip + cs_base)
12688 printk("<%02x> ", c);
12689 else
12690 printk("%02x ", c);
12691 @@ -149,6 +146,7 @@ int is_valid_bugaddr(unsigned long ip)
12692 {
12693 unsigned short ud2;
12694
12695 + ip = ktla_ktva(ip);
12696 if (ip < PAGE_OFFSET)
12697 return 0;
12698 if (probe_kernel_address((unsigned short *)ip, ud2))
12699 diff -urNp linux-2.6.32.43/arch/x86/kernel/dumpstack_64.c linux-2.6.32.43/arch/x86/kernel/dumpstack_64.c
12700 --- linux-2.6.32.43/arch/x86/kernel/dumpstack_64.c 2011-03-27 14:31:47.000000000 -0400
12701 +++ linux-2.6.32.43/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:56:46.000000000 -0400
12702 @@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
12703 unsigned long *irq_stack_end =
12704 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
12705 unsigned used = 0;
12706 - struct thread_info *tinfo;
12707 int graph = 0;
12708 + void *stack_start;
12709
12710 if (!task)
12711 task = current;
12712 @@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
12713 * current stack address. If the stacks consist of nested
12714 * exceptions
12715 */
12716 - tinfo = task_thread_info(task);
12717 for (;;) {
12718 char *id;
12719 unsigned long *estack_end;
12720 +
12721 estack_end = in_exception_stack(cpu, (unsigned long)stack,
12722 &used, &id);
12723
12724 @@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
12725 if (ops->stack(data, id) < 0)
12726 break;
12727
12728 - bp = print_context_stack(tinfo, stack, bp, ops,
12729 + bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
12730 data, estack_end, &graph);
12731 ops->stack(data, "<EOE>");
12732 /*
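Review bot: `estack_end - EXCEPTION_STKSZ` is arithmetic on an `unsigned long *` (declared in the previous hunk), so it steps back `EXCEPTION_STKSZ` words rather than bytes, assuming the macro is a byte count as its name suggests. The result is passed as `stack_start` to `print_context_stack`, and `valid_stack_ptr` in dumpstack.c appears to ignore that argument whenever `end` is non-NULL. That makes this likely latent rather than live, but it is still wrong as written. Do the subtraction in bytes, `(void *)estack_end - EXCEPTION_STKSZ`, matching the `void *` arithmetic already used in `end-THREAD_SIZE`. dump_trace starts and ends outside this hunk.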
12733 @@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
12734 if (stack >= irq_stack && stack < irq_stack_end) {
12735 if (ops->stack(data, "IRQ") < 0)
12736 break;
12737 - bp = print_context_stack(tinfo, stack, bp,
12738 + bp = print_context_stack(task, irq_stack, stack, bp,
12739 ops, data, irq_stack_end, &graph);
12740 /*
12741 * We link to the next stack (which would be
12742 @@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
12743 /*
12744 * This handles the process stack:
12745 */
12746 - bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
12747 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12748 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12749 put_cpu();
12750 }
12751 EXPORT_SYMBOL(dump_trace);
12752 diff -urNp linux-2.6.32.43/arch/x86/kernel/dumpstack.c linux-2.6.32.43/arch/x86/kernel/dumpstack.c
12753 --- linux-2.6.32.43/arch/x86/kernel/dumpstack.c 2011-03-27 14:31:47.000000000 -0400
12754 +++ linux-2.6.32.43/arch/x86/kernel/dumpstack.c 2011-04-17 15:56:46.000000000 -0400
12755 @@ -2,6 +2,9 @@
12756 * Copyright (C) 1991, 1992 Linus Torvalds
12757 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
12758 */
12759 +#ifdef CONFIG_GRKERNSEC_HIDESYM
12760 +#define __INCLUDED_BY_HIDESYM 1
12761 +#endif
12762 #include <linux/kallsyms.h>
12763 #include <linux/kprobes.h>
12764 #include <linux/uaccess.h>
12765 @@ -28,7 +31,7 @@ static int die_counter;
12766
12767 void printk_address(unsigned long address, int reliable)
12768 {
12769 - printk(" [<%p>] %s%pS\n", (void *) address,
12770 + printk(" [<%p>] %s%pA\n", (void *) address,
12771 reliable ? "" : "? ", (void *) address);
12772 }
12773
12774 @@ -36,9 +39,8 @@ void printk_address(unsigned long addres
12775 static void
12776 print_ftrace_graph_addr(unsigned long addr, void *data,
12777 const struct stacktrace_ops *ops,
12778 - struct thread_info *tinfo, int *graph)
12779 + struct task_struct *task, int *graph)
12780 {
12781 - struct task_struct *task = tinfo->task;
12782 unsigned long ret_addr;
12783 int index = task->curr_ret_stack;
12784
12785 @@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
12786 static inline void
12787 print_ftrace_graph_addr(unsigned long addr, void *data,
12788 const struct stacktrace_ops *ops,
12789 - struct thread_info *tinfo, int *graph)
12790 + struct task_struct *task, int *graph)
12791 { }
12792 #endif
12793
12794 @@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
12795 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
12796 */
12797
12798 -static inline int valid_stack_ptr(struct thread_info *tinfo,
12799 - void *p, unsigned int size, void *end)
12800 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
12801 {
12802 - void *t = tinfo;
12803 if (end) {
12804 if (p < end && p >= (end-THREAD_SIZE))
12805 return 1;
12806 @@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
12807 }
12808
12809 unsigned long
12810 -print_context_stack(struct thread_info *tinfo,
12811 +print_context_stack(struct task_struct *task, void *stack_start,
12812 unsigned long *stack, unsigned long bp,
12813 const struct stacktrace_ops *ops, void *data,
12814 unsigned long *end, int *graph)
12815 {
12816 struct stack_frame *frame = (struct stack_frame *)bp;
12817
12818 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
12819 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
12820 unsigned long addr;
12821
12822 addr = *stack;
12823 @@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
12824 } else {
12825 ops->address(data, addr, 0);
12826 }
12827 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
12828 + print_ftrace_graph_addr(addr, data, ops, task, graph);
12829 }
12830 stack++;
12831 }
12832 @@ -180,7 +180,7 @@ void dump_stack(void)
12833 #endif
12834
12835 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
12836 - current->pid, current->comm, print_tainted(),
12837 + task_pid_nr(current), current->comm, print_tainted(),
12838 init_utsname()->release,
12839 (int)strcspn(init_utsname()->version, " "),
12840 init_utsname()->version);
12841 @@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
12842 return flags;
12843 }
12844
12845 +extern void gr_handle_kernel_exploit(void);
12846 +
12847 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
12848 {
12849 if (regs && kexec_should_crash(current))
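Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside dumpstack.c rather than taken from a header, so the compiler never checks this prototype against the function's definition. Moving the declaration into a header that both the defining file and this one include keeps the two in sync if the signature changes. oops_end's body continues in the next hunk.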
12850 @@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
12851 panic("Fatal exception in interrupt");
12852 if (panic_on_oops)
12853 panic("Fatal exception");
12854 - do_exit(signr);
12855 +
12856 + gr_handle_kernel_exploit();
12857 +
12858 + do_group_exit(signr);
12859 }
12860
12861 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
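Review bot: The tail of `oops_end` switches from `do_exit(signr)` to `gr_handle_kernel_exploit()` followed by `do_group_exit(signr)` without a comment, although this changes what an oops does to the faulting process: the whole thread group now exits, not only the current thread. A line above the call would record the intent, e.g. `/* treat the oops as a possible exploit attempt, then take down every thread of the process */`. The call sits after the in-interrupt and `panic_on_oops` checks, so it only runs on the path that does not panic; if the handler is meant to see those cases too, it has to move up. The function's opening lines are outside this hunk.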
12862 @@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
12863 unsigned long flags = oops_begin();
12864 int sig = SIGSEGV;
12865
12866 - if (!user_mode_vm(regs))
12867 + if (!user_mode(regs))
12868 report_bug(regs->ip, regs);
12869
12870 if (__die(str, regs, err))
12871 diff -urNp linux-2.6.32.43/arch/x86/kernel/dumpstack.h linux-2.6.32.43/arch/x86/kernel/dumpstack.h
12872 --- linux-2.6.32.43/arch/x86/kernel/dumpstack.h 2011-03-27 14:31:47.000000000 -0400
12873 +++ linux-2.6.32.43/arch/x86/kernel/dumpstack.h 2011-04-23 13:25:26.000000000 -0400
12874 @@ -15,7 +15,7 @@
12875 #endif
12876
12877 extern unsigned long
12878 -print_context_stack(struct thread_info *tinfo,
12879 +print_context_stack(struct task_struct *task, void *stack_start,
12880 unsigned long *stack, unsigned long bp,
12881 const struct stacktrace_ops *ops, void *data,
12882 unsigned long *end, int *graph);
12883 diff -urNp linux-2.6.32.43/arch/x86/kernel/e820.c linux-2.6.32.43/arch/x86/kernel/e820.c
12884 --- linux-2.6.32.43/arch/x86/kernel/e820.c 2011-03-27 14:31:47.000000000 -0400
12885 +++ linux-2.6.32.43/arch/x86/kernel/e820.c 2011-04-17 15:56:46.000000000 -0400
12886 @@ -733,7 +733,7 @@ struct early_res {
12887 };
12888 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
12889 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
12890 - {}
12891 + { 0, 0, {0}, 0 }
12892 };
12893
12894 static int __init find_overlapped_early(u64 start, u64 end)
12895 diff -urNp linux-2.6.32.43/arch/x86/kernel/early_printk.c linux-2.6.32.43/arch/x86/kernel/early_printk.c
12896 --- linux-2.6.32.43/arch/x86/kernel/early_printk.c 2011-03-27 14:31:47.000000000 -0400
12897 +++ linux-2.6.32.43/arch/x86/kernel/early_printk.c 2011-05-16 21:46:57.000000000 -0400
12898 @@ -7,6 +7,7 @@
12899 #include <linux/pci_regs.h>
12900 #include <linux/pci_ids.h>
12901 #include <linux/errno.h>
12902 +#include <linux/sched.h>
12903 #include <asm/io.h>
12904 #include <asm/processor.h>
12905 #include <asm/fcntl.h>
12906 @@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
12907 int n;
12908 va_list ap;
12909
12910 + pax_track_stack();
12911 +
12912 va_start(ap, fmt);
12913 n = vscnprintf(buf, sizeof(buf), fmt, ap);
12914 early_console->write(early_console, buf, n);
12915 diff -urNp linux-2.6.32.43/arch/x86/kernel/efi_32.c linux-2.6.32.43/arch/x86/kernel/efi_32.c
12916 --- linux-2.6.32.43/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
12917 +++ linux-2.6.32.43/arch/x86/kernel/efi_32.c 2011-04-17 15:56:46.000000000 -0400
12918 @@ -38,70 +38,38 @@
12919 */
12920
12921 static unsigned long efi_rt_eflags;
12922 -static pgd_t efi_bak_pg_dir_pointer[2];
12923 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
12924
12925 -void efi_call_phys_prelog(void)
12926 +void __init efi_call_phys_prelog(void)
12927 {
12928 - unsigned long cr4;
12929 - unsigned long temp;
12930 struct desc_ptr gdt_descr;
12931
12932 local_irq_save(efi_rt_eflags);
12933
12934 - /*
12935 - * If I don't have PAE, I should just duplicate two entries in page
12936 - * directory. If I have PAE, I just need to duplicate one entry in
12937 - * page directory.
12938 - */
12939 - cr4 = read_cr4_safe();
12940
12941 - if (cr4 & X86_CR4_PAE) {
12942 - efi_bak_pg_dir_pointer[0].pgd =
12943 - swapper_pg_dir[pgd_index(0)].pgd;
12944 - swapper_pg_dir[0].pgd =
12945 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
12946 - } else {
12947 - efi_bak_pg_dir_pointer[0].pgd =
12948 - swapper_pg_dir[pgd_index(0)].pgd;
12949 - efi_bak_pg_dir_pointer[1].pgd =
12950 - swapper_pg_dir[pgd_index(0x400000)].pgd;
12951 - swapper_pg_dir[pgd_index(0)].pgd =
12952 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
12953 - temp = PAGE_OFFSET + 0x400000;
12954 - swapper_pg_dir[pgd_index(0x400000)].pgd =
12955 - swapper_pg_dir[pgd_index(temp)].pgd;
12956 - }
12957 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
12958 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12959 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12960
12961 /*
12962 * After the lock is released, the original page table is restored.
12963 */
12964 __flush_tlb_all();
12965
12966 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
12967 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
12968 gdt_descr.size = GDT_SIZE - 1;
12969 load_gdt(&gdt_descr);
12970 }
12971
12972 -void efi_call_phys_epilog(void)
12973 +void __init efi_call_phys_epilog(void)
12974 {
12975 - unsigned long cr4;
12976 struct desc_ptr gdt_descr;
12977
12978 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
12979 + gdt_descr.address = get_cpu_gdt_table(0);
12980 gdt_descr.size = GDT_SIZE - 1;
12981 load_gdt(&gdt_descr);
12982
12983 - cr4 = read_cr4_safe();
12984 -
12985 - if (cr4 & X86_CR4_PAE) {
12986 - swapper_pg_dir[pgd_index(0)].pgd =
12987 - efi_bak_pg_dir_pointer[0].pgd;
12988 - } else {
12989 - swapper_pg_dir[pgd_index(0)].pgd =
12990 - efi_bak_pg_dir_pointer[0].pgd;
12991 - swapper_pg_dir[pgd_index(0x400000)].pgd =
12992 - efi_bak_pg_dir_pointer[1].pgd;
12993 - }
12994 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
12995
12996 /*
12997 * After the lock is released, the original page table is restored.
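Review bot: `gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));` in efi_call_phys_prelog stores a physical address in what is apparently now a pointer-typed field, and nothing marks it as a value that must not be dereferenced. Add `/* physical address: the EFI stub runs with paging off */` on that line. The removed PAE comment was the only explanation of why the low PGD slots are overwritten, so the two `clone_pgd_range()` calls need a replacement sentence saying that the first saves the entries and the second aliases the kernel mappings at address 0. The new `__init`/`__initdata` annotations are correct only if every caller of the prelog/epilog pair is init code; the callers are not in this hunk, so a section-mismatch build check is the way to confirm.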
12998 diff -urNp linux-2.6.32.43/arch/x86/kernel/efi_stub_32.S linux-2.6.32.43/arch/x86/kernel/efi_stub_32.S
12999 --- linux-2.6.32.43/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
13000 +++ linux-2.6.32.43/arch/x86/kernel/efi_stub_32.S 2011-04-17 15:56:46.000000000 -0400
13001 @@ -6,6 +6,7 @@
13002 */
13003
13004 #include <linux/linkage.h>
13005 +#include <linux/init.h>
13006 #include <asm/page_types.h>
13007
13008 /*
13009 @@ -20,7 +21,7 @@
13010 * service functions will comply with gcc calling convention, too.
13011 */
13012
13013 -.text
13014 +__INIT
13015 ENTRY(efi_call_phys)
13016 /*
13017 * 0. The function can only be called in Linux kernel. So CS has been
13018 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
13019 * The mapping of lower virtual memory has been created in prelog and
13020 * epilog.
13021 */
13022 - movl $1f, %edx
13023 - subl $__PAGE_OFFSET, %edx
13024 - jmp *%edx
13025 + jmp 1f-__PAGE_OFFSET
13026 1:
13027
13028 /*
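Review bot: `jmp 1f-__PAGE_OFFSET` works only because the assembler encodes it as a PC-relative jump, so the displacement rather than an absolute target carries the offset. The register sequence it replaces (`movl $1f` / `subl $__PAGE_OFFSET` / `jmp *%edx`) made that arithmetic explicit. A comment on the line, for example `/* relative jump: continue at the low alias of 1: */`, would keep a later reader from treating the operand as an absolute address. The same applies to `jmp 1f+__PAGE_OFFSET` in step 8 of a later hunk. efi_call_phys starts before this hunk and continues past it.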
13029 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
13030 * parameter 2, ..., param n. To make things easy, we save the return
13031 * address of efi_call_phys in a global variable.
13032 */
13033 - popl %edx
13034 - movl %edx, saved_return_addr
13035 - /* get the function pointer into ECX*/
13036 - popl %ecx
13037 - movl %ecx, efi_rt_function_ptr
13038 - movl $2f, %edx
13039 - subl $__PAGE_OFFSET, %edx
13040 - pushl %edx
13041 + popl (saved_return_addr)
13042 + popl (efi_rt_function_ptr)
13043
13044 /*
13045 * 3. Clear PG bit in %CR0.
13046 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
13047 /*
13048 * 5. Call the physical function.
13049 */
13050 - jmp *%ecx
13051 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
13052
13053 -2:
13054 /*
13055 * 6. After EFI runtime service returns, control will return to
13056 * following instruction. We'd better readjust stack pointer first.
13057 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
13058 movl %cr0, %edx
13059 orl $0x80000000, %edx
13060 movl %edx, %cr0
13061 - jmp 1f
13062 -1:
13063 +
13064 /*
13065 * 8. Now restore the virtual mode from flat mode by
13066 * adding EIP with PAGE_OFFSET.
13067 */
13068 - movl $1f, %edx
13069 - jmp *%edx
13070 + jmp 1f+__PAGE_OFFSET
13071 1:
13072
13073 /*
13074 * 9. Balance the stack. And because EAX contain the return value,
13075 * we'd better not clobber it.
13076 */
13077 - leal efi_rt_function_ptr, %edx
13078 - movl (%edx), %ecx
13079 - pushl %ecx
13080 + pushl (efi_rt_function_ptr)
13081
13082 /*
13083 - * 10. Push the saved return address onto the stack and return.
13084 + * 10. Return to the saved return address.
13085 */
13086 - leal saved_return_addr, %edx
13087 - movl (%edx), %ecx
13088 - pushl %ecx
13089 - ret
13090 + jmpl *(saved_return_addr)
13091 ENDPROC(efi_call_phys)
13092 .previous
13093
13094 -.data
13095 +__INITDATA
13096 saved_return_addr:
13097 .long 0
13098 efi_rt_function_ptr:
13099 diff -urNp linux-2.6.32.43/arch/x86/kernel/entry_32.S linux-2.6.32.43/arch/x86/kernel/entry_32.S
13100 --- linux-2.6.32.43/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
13101 +++ linux-2.6.32.43/arch/x86/kernel/entry_32.S 2011-05-22 23:02:03.000000000 -0400
13102 @@ -185,13 +185,146 @@
13103 /*CFI_REL_OFFSET gs, PT_GS*/
13104 .endm
13105 .macro SET_KERNEL_GS reg
13106 +
13107 +#ifdef CONFIG_CC_STACKPROTECTOR
13108 movl $(__KERNEL_STACK_CANARY), \reg
13109 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13110 + movl $(__USER_DS), \reg
13111 +#else
13112 + xorl \reg, \reg
13113 +#endif
13114 +
13115 movl \reg, %gs
13116 .endm
13117
13118 #endif /* CONFIG_X86_32_LAZY_GS */
13119
13120 -.macro SAVE_ALL
13121 +.macro pax_enter_kernel
13122 +#ifdef CONFIG_PAX_KERNEXEC
13123 + call pax_enter_kernel
13124 +#endif
13125 +.endm
13126 +
13127 +.macro pax_exit_kernel
13128 +#ifdef CONFIG_PAX_KERNEXEC
13129 + call pax_exit_kernel
13130 +#endif
13131 +.endm
13132 +
13133 +#ifdef CONFIG_PAX_KERNEXEC
13134 +ENTRY(pax_enter_kernel)
13135 +#ifdef CONFIG_PARAVIRT
13136 + pushl %eax
13137 + pushl %ecx
13138 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13139 + mov %eax, %esi
13140 +#else
13141 + mov %cr0, %esi
13142 +#endif
13143 + bts $16, %esi
13144 + jnc 1f
13145 + mov %cs, %esi
13146 + cmp $__KERNEL_CS, %esi
13147 + jz 3f
13148 + ljmp $__KERNEL_CS, $3f
13149 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13150 +2:
13151 +#ifdef CONFIG_PARAVIRT
13152 + mov %esi, %eax
13153 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13154 +#else
13155 + mov %esi, %cr0
13156 +#endif
13157 +3:
13158 +#ifdef CONFIG_PARAVIRT
13159 + popl %ecx
13160 + popl %eax
13161 +#endif
13162 + ret
13163 +ENDPROC(pax_enter_kernel)
13164 +
13165 +ENTRY(pax_exit_kernel)
13166 +#ifdef CONFIG_PARAVIRT
13167 + pushl %eax
13168 + pushl %ecx
13169 +#endif
13170 + mov %cs, %esi
13171 + cmp $__KERNEXEC_KERNEL_CS, %esi
13172 + jnz 2f
13173 +#ifdef CONFIG_PARAVIRT
13174 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13175 + mov %eax, %esi
13176 +#else
13177 + mov %cr0, %esi
13178 +#endif
13179 + btr $16, %esi
13180 + ljmp $__KERNEL_CS, $1f
13181 +1:
13182 +#ifdef CONFIG_PARAVIRT
13183 + mov %esi, %eax
13184 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13185 +#else
13186 + mov %esi, %cr0
13187 +#endif
13188 +2:
13189 +#ifdef CONFIG_PARAVIRT
13190 + popl %ecx
13191 + popl %eax
13192 +#endif
13193 + ret
13194 +ENDPROC(pax_exit_kernel)
13195 +#endif
13196 +
13197 +.macro pax_erase_kstack
13198 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13199 + call pax_erase_kstack
13200 +#endif
13201 +.endm
13202 +
13203 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13204 +/*
13205 + * ebp: thread_info
13206 + * ecx, edx: can be clobbered
13207 + */
13208 +ENTRY(pax_erase_kstack)
13209 + pushl %edi
13210 + pushl %eax
13211 +
13212 + mov TI_lowest_stack(%ebp), %edi
13213 + mov $-0xBEEF, %eax
13214 + std
13215 +
13216 +1: mov %edi, %ecx
13217 + and $THREAD_SIZE_asm - 1, %ecx
13218 + shr $2, %ecx
13219 + repne scasl
13220 + jecxz 2f
13221 +
13222 + cmp $2*16, %ecx
13223 + jc 2f
13224 +
13225 + mov $2*16, %ecx
13226 + repe scasl
13227 + jecxz 2f
13228 + jne 1b
13229 +
13230 +2: cld
13231 + mov %esp, %ecx
13232 + sub %edi, %ecx
13233 + shr $2, %ecx
13234 + rep stosl
13235 +
13236 + mov TI_task_thread_sp0(%ebp), %edi
13237 + sub $128, %edi
13238 + mov %edi, TI_lowest_stack(%ebp)
13239 +
13240 + popl %eax
13241 + popl %edi
13242 + ret
13243 +ENDPROC(pax_erase_kstack)
13244 +#endif
13245 +
13246 +.macro __SAVE_ALL _DS
13247 cld
13248 PUSH_GS
13249 pushl %fs
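Review bot: pax_enter_kernel and pax_exit_kernel use %esi as scratch and never restore it, yet neither has a register-contract comment like the one this hunk gives pax_erase_kstack. Only %eax and %ecx are saved, and only under CONFIG_PARAVIRT. Add a header such as `/* clobbers: %esi, flags; callers must have saved it */` above each ENTRY. The bare `$16` in `bts $16, %esi` / `btr $16, %esi` should also be annotated as `/* CR0.WP */`, and `$-0xBEEF` in pax_erase_kstack as the stack poison value, since the routine's correctness depends on both constants.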
13250 @@ -224,7 +357,7 @@
13251 pushl %ebx
13252 CFI_ADJUST_CFA_OFFSET 4
13253 CFI_REL_OFFSET ebx, 0
13254 - movl $(__USER_DS), %edx
13255 + movl $\_DS, %edx
13256 movl %edx, %ds
13257 movl %edx, %es
13258 movl $(__KERNEL_PERCPU), %edx
13259 @@ -232,6 +365,15 @@
13260 SET_KERNEL_GS %edx
13261 .endm
13262
13263 +.macro SAVE_ALL
13264 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13265 + __SAVE_ALL __KERNEL_DS
13266 + pax_enter_kernel
13267 +#else
13268 + __SAVE_ALL __USER_DS
13269 +#endif
13270 +.endm
13271 +
13272 .macro RESTORE_INT_REGS
13273 popl %ebx
13274 CFI_ADJUST_CFA_OFFSET -4
13275 @@ -352,7 +494,15 @@ check_userspace:
13276 movb PT_CS(%esp), %al
13277 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13278 cmpl $USER_RPL, %eax
13279 +
13280 +#ifdef CONFIG_PAX_KERNEXEC
13281 + jae resume_userspace
13282 +
13283 + PAX_EXIT_KERNEL
13284 + jmp resume_kernel
13285 +#else
13286 jb resume_kernel # not returning to v8086 or userspace
13287 +#endif
13288
13289 ENTRY(resume_userspace)
13290 LOCKDEP_SYS_EXIT
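Review bot: The KERNEXEC branch under check_userspace invokes `PAX_EXIT_KERNEL` in upper case, while the macro this patch defines earlier in the same file, and uses at the NMI exits, is spelled `pax_exit_kernel`. If the upper-case form resolves at all, it is through case-insensitive macro lookup in the assembler or a definition outside the visible hunks. Writing `pax_exit_kernel` here removes the doubt and keeps the file greppable. This matters because this is the path that returns to kernel context, where the exit hook must run.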
13291 @@ -364,7 +514,7 @@ ENTRY(resume_userspace)
13292 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13293 # int/exception return?
13294 jne work_pending
13295 - jmp restore_all
13296 + jmp restore_all_pax
13297 END(ret_from_exception)
13298
13299 #ifdef CONFIG_PREEMPT
13300 @@ -414,25 +564,36 @@ sysenter_past_esp:
13301 /*CFI_REL_OFFSET cs, 0*/
13302 /*
13303 * Push current_thread_info()->sysenter_return to the stack.
13304 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13305 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
13306 */
13307 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
13308 + pushl $0
13309 CFI_ADJUST_CFA_OFFSET 4
13310 CFI_REL_OFFSET eip, 0
13311
13312 pushl %eax
13313 CFI_ADJUST_CFA_OFFSET 4
13314 SAVE_ALL
13315 + GET_THREAD_INFO(%ebp)
13316 + movl TI_sysenter_return(%ebp),%ebp
13317 + movl %ebp,PT_EIP(%esp)
13318 ENABLE_INTERRUPTS(CLBR_NONE)
13319
13320 /*
13321 * Load the potential sixth argument from user stack.
13322 * Careful about security.
13323 */
13324 + movl PT_OLDESP(%esp),%ebp
13325 +
13326 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13327 + mov PT_OLDSS(%esp),%ds
13328 +1: movl %ds:(%ebp),%ebp
13329 + push %ss
13330 + pop %ds
13331 +#else
13332 cmpl $__PAGE_OFFSET-3,%ebp
13333 jae syscall_fault
13334 1: movl (%ebp),%ebp
13335 +#endif
13336 +
13337 movl %ebp,PT_EBP(%esp)
13338 .section __ex_table,"a"
13339 .align 4
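Review bot: With CONFIG_PAX_MEMORY_UDEREF the explicit range check `cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault` is compiled out, and the read at label 1 depends entirely on the selector loaded from PT_OLDSS to bound the access. The only hint left is the old "Careful about security" line. State the invariant next to the load, for example `/* no range check: the access goes through the user segment, which must not reach kernel addresses */`, to be confirmed against the segment setup elsewhere in the patch. The comment should also say that %ds holds a user selector only for that one instruction and that the exception path restores it in syscall_fault, which a later hunk adds. The surrounding sysenter path starts before this hunk.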
13340 @@ -455,12 +616,23 @@ sysenter_do_call:
13341 testl $_TIF_ALLWORK_MASK, %ecx
13342 jne sysexit_audit
13343 sysenter_exit:
13344 +
13345 +#ifdef CONFIG_PAX_RANDKSTACK
13346 + pushl_cfi %eax
13347 + call pax_randomize_kstack
13348 + popl_cfi %eax
13349 +#endif
13350 +
13351 + pax_erase_kstack
13352 +
13353 /* if something modifies registers it must also disable sysexit */
13354 movl PT_EIP(%esp), %edx
13355 movl PT_OLDESP(%esp), %ecx
13356 xorl %ebp,%ebp
13357 TRACE_IRQS_ON
13358 1: mov PT_FS(%esp), %fs
13359 +2: mov PT_DS(%esp), %ds
13360 +3: mov PT_ES(%esp), %es
13361 PTGS_TO_GS
13362 ENABLE_INTERRUPTS_SYSEXIT
13363
13364 @@ -477,6 +649,9 @@ sysenter_audit:
13365 movl %eax,%edx /* 2nd arg: syscall number */
13366 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
13367 call audit_syscall_entry
13368 +
13369 + pax_erase_kstack
13370 +
13371 pushl %ebx
13372 CFI_ADJUST_CFA_OFFSET 4
13373 movl PT_EAX(%esp),%eax /* reload syscall number */
13374 @@ -504,11 +679,17 @@ sysexit_audit:
13375
13376 CFI_ENDPROC
13377 .pushsection .fixup,"ax"
13378 -2: movl $0,PT_FS(%esp)
13379 +4: movl $0,PT_FS(%esp)
13380 + jmp 1b
13381 +5: movl $0,PT_DS(%esp)
13382 + jmp 1b
13383 +6: movl $0,PT_ES(%esp)
13384 jmp 1b
13385 .section __ex_table,"a"
13386 .align 4
13387 - .long 1b,2b
13388 + .long 1b,4b
13389 + .long 2b,5b
13390 + .long 3b,6b
13391 .popsection
13392 PTGS_TO_GS_EX
13393 ENDPROC(ia32_sysenter_target)
13394 @@ -538,6 +719,14 @@ syscall_exit:
13395 testl $_TIF_ALLWORK_MASK, %ecx # current->work
13396 jne syscall_exit_work
13397
13398 +restore_all_pax:
13399 +
13400 +#ifdef CONFIG_PAX_RANDKSTACK
13401 + call pax_randomize_kstack
13402 +#endif
13403 +
13404 + pax_erase_kstack
13405 +
13406 restore_all:
13407 TRACE_IRQS_IRET
13408 restore_all_notrace:
13409 @@ -602,7 +791,13 @@ ldt_ss:
13410 mov PT_OLDESP(%esp), %eax /* load userspace esp */
13411 mov %dx, %ax /* eax: new kernel esp */
13412 sub %eax, %edx /* offset (low word is 0) */
13413 - PER_CPU(gdt_page, %ebx)
13414 +#ifdef CONFIG_SMP
13415 + movl PER_CPU_VAR(cpu_number), %ebx
13416 + shll $PAGE_SHIFT_asm, %ebx
13417 + addl $cpu_gdt_table, %ebx
13418 +#else
13419 + movl $cpu_gdt_table, %ebx
13420 +#endif
13421 shr $16, %edx
13422 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
13423 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
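Review bot: The `#ifdef CONFIG_SMP` sequence that replaces `PER_CPU(gdt_page, %ebx)` in ldt_ss is repeated line for line in FIXUP_ESPFIX_STACK in a later hunk. Both copies assume that each CPU's slot in cpu_gdt_table is exactly one page (`shll $PAGE_SHIFT_asm, %ebx`). That layout is defined outside these hunks, so the assumption should be written down where it is used: `/* cpu_gdt_table: one page per CPU, indexed by cpu_number */`. Folding the two copies into a single macro that takes the destination register would keep them from drifting apart.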
13424 @@ -636,31 +831,25 @@ work_resched:
13425 movl TI_flags(%ebp), %ecx
13426 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
13427 # than syscall tracing?
13428 - jz restore_all
13429 + jz restore_all_pax
13430 testb $_TIF_NEED_RESCHED, %cl
13431 jnz work_resched
13432
13433 work_notifysig: # deal with pending signals and
13434 # notify-resume requests
13435 + movl %esp, %eax
13436 #ifdef CONFIG_VM86
13437 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
13438 - movl %esp, %eax
13439 - jne work_notifysig_v86 # returning to kernel-space or
13440 + jz 1f # returning to kernel-space or
13441 # vm86-space
13442 - xorl %edx, %edx
13443 - call do_notify_resume
13444 - jmp resume_userspace_sig
13445
13446 - ALIGN
13447 -work_notifysig_v86:
13448 pushl %ecx # save ti_flags for do_notify_resume
13449 CFI_ADJUST_CFA_OFFSET 4
13450 call save_v86_state # %eax contains pt_regs pointer
13451 popl %ecx
13452 CFI_ADJUST_CFA_OFFSET -4
13453 movl %eax, %esp
13454 -#else
13455 - movl %esp, %eax
13456 +1:
13457 #endif
13458 xorl %edx, %edx
13459 call do_notify_resume
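Review bot: The trailing comment `# returning to kernel-space or vm86-space` now sits on `jz 1f`, which is taken when X86_EFLAGS_VM is clear, so it describes the opposite of the branch it annotates. It was written for the removed `jne work_notifysig_v86`. Reword it to match the new sense, for example `jz 1f # not vm86: skip save_v86_state`, and label the fall-through block as the vm86 case.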
13460 @@ -673,6 +862,9 @@ syscall_trace_entry:
13461 movl $-ENOSYS,PT_EAX(%esp)
13462 movl %esp, %eax
13463 call syscall_trace_enter
13464 +
13465 + pax_erase_kstack
13466 +
13467 /* What it returned is what we'll actually use. */
13468 cmpl $(nr_syscalls), %eax
13469 jnae syscall_call
13470 @@ -695,6 +887,10 @@ END(syscall_exit_work)
13471
13472 RING0_INT_FRAME # can't unwind into user space anyway
13473 syscall_fault:
13474 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13475 + push %ss
13476 + pop %ds
13477 +#endif
13478 GET_THREAD_INFO(%ebp)
13479 movl $-EFAULT,PT_EAX(%esp)
13480 jmp resume_userspace
13481 @@ -726,6 +922,33 @@ PTREGSCALL(rt_sigreturn)
13482 PTREGSCALL(vm86)
13483 PTREGSCALL(vm86old)
13484
13485 + ALIGN;
13486 +ENTRY(kernel_execve)
13487 + push %ebp
13488 + sub $PT_OLDSS+4,%esp
13489 + push %edi
13490 + push %ecx
13491 + push %eax
13492 + lea 3*4(%esp),%edi
13493 + mov $PT_OLDSS/4+1,%ecx
13494 + xorl %eax,%eax
13495 + rep stosl
13496 + pop %eax
13497 + pop %ecx
13498 + pop %edi
13499 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
13500 + mov %eax,PT_EBX(%esp)
13501 + mov %edx,PT_ECX(%esp)
13502 + mov %ecx,PT_EDX(%esp)
13503 + mov %esp,%eax
13504 + call sys_execve
13505 + GET_THREAD_INFO(%ebp)
13506 + test %eax,%eax
13507 + jz syscall_exit
13508 + add $PT_OLDSS+4,%esp
13509 + pop %ebp
13510 + ret
13511 +
13512 .macro FIXUP_ESPFIX_STACK
13513 /*
13514 * Switch back for ESPFIX stack to the normal zerobased stack
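Review bot: The new `ENTRY(kernel_execve)` is never closed. The hunk runs from its final `ret` straight into `.macro FIXUP_ESPFIX_STACK`, while the other routines this patch adds to the file end with ENDPROC. Add `ENDPROC(kernel_execve)` after the `ret` so the symbol gets a size and a function type. The routine also has no header comment. It should say that it builds a zeroed pt_regs frame on the stack, stores the three register arguments into the EBX/ECX/EDX slots, calls sys_execve, and leaves through syscall_exit on success rather than returning to the caller.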
13515 @@ -735,7 +958,13 @@ PTREGSCALL(vm86old)
13516 * normal stack and adjusts ESP with the matching offset.
13517 */
13518 /* fixup the stack */
13519 - PER_CPU(gdt_page, %ebx)
13520 +#ifdef CONFIG_SMP
13521 + movl PER_CPU_VAR(cpu_number), %ebx
13522 + shll $PAGE_SHIFT_asm, %ebx
13523 + addl $cpu_gdt_table, %ebx
13524 +#else
13525 + movl $cpu_gdt_table, %ebx
13526 +#endif
13527 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
13528 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
13529 shl $16, %eax
13530 @@ -1198,7 +1427,6 @@ return_to_handler:
13531 ret
13532 #endif
13533
13534 -.section .rodata,"a"
13535 #include "syscall_table_32.S"
13536
13537 syscall_table_size=(.-sys_call_table)
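Review bot: Dropping `.section .rodata,"a"` ahead of `#include "syscall_table_32.S"` leaves sys_call_table in whatever section is current at this point, unless the included file now selects a section itself. That file is not part of this hunk. A table that ends up in a writable or executable section would be a regression, so the choice should be visible where the table is emitted. Confirm that syscall_table_32.S carries its own `.section` directive and leave a pointer here, for example `/* section is selected inside syscall_table_32.S */`.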
13538 @@ -1255,9 +1483,12 @@ error_code:
13539 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
13540 REG_TO_PTGS %ecx
13541 SET_KERNEL_GS %ecx
13542 - movl $(__USER_DS), %ecx
13543 + movl $(__KERNEL_DS), %ecx
13544 movl %ecx, %ds
13545 movl %ecx, %es
13546 +
13547 + pax_enter_kernel
13548 +
13549 TRACE_IRQS_OFF
13550 movl %esp,%eax # pt_regs pointer
13551 call *%edi
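Review bot: error_code now loads `__KERNEL_DS` into %ds and %es unconditionally, but the SAVE_ALL macro added earlier in this file selects `__KERNEL_DS` only when one of the PAX options is set and keeps `__USER_DS` otherwise. With all of those options disabled, the two entry paths leave different data selectors loaded. If the difference is intentional, say so on the line, for example `/* always __KERNEL_DS here, unlike SAVE_ALL: <reason> */`. If it is not, this load should use the same `#if` as SAVE_ALL. error_code begins before this hunk.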
13552 @@ -1351,6 +1582,9 @@ nmi_stack_correct:
13553 xorl %edx,%edx # zero error code
13554 movl %esp,%eax # pt_regs pointer
13555 call do_nmi
13556 +
13557 + pax_exit_kernel
13558 +
13559 jmp restore_all_notrace
13560 CFI_ENDPROC
13561
13562 @@ -1391,6 +1625,9 @@ nmi_espfix_stack:
13563 FIXUP_ESPFIX_STACK # %eax == %esp
13564 xorl %edx,%edx # zero error code
13565 call do_nmi
13566 +
13567 + pax_exit_kernel
13568 +
13569 RESTORE_REGS
13570 lss 12+4(%esp), %esp # back to espfix stack
13571 CFI_ADJUST_CFA_OFFSET -24
13572 diff -urNp linux-2.6.32.43/arch/x86/kernel/entry_64.S linux-2.6.32.43/arch/x86/kernel/entry_64.S
13573 --- linux-2.6.32.43/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
13574 +++ linux-2.6.32.43/arch/x86/kernel/entry_64.S 2011-06-04 20:30:53.000000000 -0400
13575 @@ -53,6 +53,7 @@
13576 #include <asm/paravirt.h>
13577 #include <asm/ftrace.h>
13578 #include <asm/percpu.h>
13579 +#include <asm/pgtable.h>
13580
13581 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
13582 #include <linux/elf-em.h>
13583 @@ -174,6 +175,257 @@ ENTRY(native_usergs_sysret64)
13584 ENDPROC(native_usergs_sysret64)
13585 #endif /* CONFIG_PARAVIRT */
13586
13587 + .macro ljmpq sel, off
13588 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
13589 + .byte 0x48; ljmp *1234f(%rip)
13590 + .pushsection .rodata
13591 + .align 16
13592 + 1234: .quad \off; .word \sel
13593 + .popsection
13594 +#else
13595 + pushq $\sel
13596 + pushq $\off
13597 + lretq
13598 +#endif
13599 + .endm
13600 +
13601 + .macro pax_enter_kernel
13602 +#ifdef CONFIG_PAX_KERNEXEC
13603 + call pax_enter_kernel
13604 +#endif
13605 + .endm
13606 +
13607 + .macro pax_exit_kernel
13608 +#ifdef CONFIG_PAX_KERNEXEC
13609 + call pax_exit_kernel
13610 +#endif
13611 + .endm
13612 +
13613 +#ifdef CONFIG_PAX_KERNEXEC
13614 +ENTRY(pax_enter_kernel)
13615 + pushq %rdi
13616 +
13617 +#ifdef CONFIG_PARAVIRT
13618 + PV_SAVE_REGS(CLBR_RDI)
13619 +#endif
13620 +
13621 + GET_CR0_INTO_RDI
13622 + bts $16,%rdi
13623 + jnc 1f
13624 + mov %cs,%edi
13625 + cmp $__KERNEL_CS,%edi
13626 + jz 3f
13627 + ljmpq __KERNEL_CS,3f
13628 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
13629 +2: SET_RDI_INTO_CR0
13630 +3:
13631 +
13632 +#ifdef CONFIG_PARAVIRT
13633 + PV_RESTORE_REGS(CLBR_RDI)
13634 +#endif
13635 +
13636 + popq %rdi
13637 + retq
13638 +ENDPROC(pax_enter_kernel)
13639 +
13640 +ENTRY(pax_exit_kernel)
13641 + pushq %rdi
13642 +
13643 +#ifdef CONFIG_PARAVIRT
13644 + PV_SAVE_REGS(CLBR_RDI)
13645 +#endif
13646 +
13647 + mov %cs,%rdi
13648 + cmp $__KERNEXEC_KERNEL_CS,%edi
13649 + jnz 2f
13650 + GET_CR0_INTO_RDI
13651 + btr $16,%rdi
13652 + ljmpq __KERNEL_CS,1f
13653 +1: SET_RDI_INTO_CR0
13654 +2:
13655 +
13656 +#ifdef CONFIG_PARAVIRT
13657 + PV_RESTORE_REGS(CLBR_RDI);
13658 +#endif
13659 +
13660 + popq %rdi
13661 + retq
13662 +ENDPROC(pax_exit_kernel)
13663 +#endif
13664 +
13665 + .macro pax_enter_kernel_user
13666 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13667 + call pax_enter_kernel_user
13668 +#endif
13669 + .endm
13670 +
13671 + .macro pax_exit_kernel_user
13672 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13673 + call pax_exit_kernel_user
13674 +#endif
13675 +#ifdef CONFIG_PAX_RANDKSTACK
13676 + push %rax
13677 + call pax_randomize_kstack
13678 + pop %rax
13679 +#endif
13680 + pax_erase_kstack
13681 + .endm
13682 +
13683 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13684 +ENTRY(pax_enter_kernel_user)
13685 + pushq %rdi
13686 + pushq %rbx
13687 +
13688 +#ifdef CONFIG_PARAVIRT
13689 + PV_SAVE_REGS(CLBR_RDI)
13690 +#endif
13691 +
13692 + GET_CR3_INTO_RDI
13693 + mov %rdi,%rbx
13694 + add $__START_KERNEL_map,%rbx
13695 + sub phys_base(%rip),%rbx
13696 +
13697 +#ifdef CONFIG_PARAVIRT
13698 + pushq %rdi
13699 + cmpl $0, pv_info+PARAVIRT_enabled
13700 + jz 1f
13701 + i = 0
13702 + .rept USER_PGD_PTRS
13703 + mov i*8(%rbx),%rsi
13704 + mov $0,%sil
13705 + lea i*8(%rbx),%rdi
13706 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
13707 + i = i + 1
13708 + .endr
13709 + jmp 2f
13710 +1:
13711 +#endif
13712 +
13713 + i = 0
13714 + .rept USER_PGD_PTRS
13715 + movb $0,i*8(%rbx)
13716 + i = i + 1
13717 + .endr
13718 +
13719 +#ifdef CONFIG_PARAVIRT
13720 +2: popq %rdi
13721 +#endif
13722 + SET_RDI_INTO_CR3
13723 +
13724 +#ifdef CONFIG_PAX_KERNEXEC
13725 + GET_CR0_INTO_RDI
13726 + bts $16,%rdi
13727 + SET_RDI_INTO_CR0
13728 +#endif
13729 +
13730 +#ifdef CONFIG_PARAVIRT
13731 + PV_RESTORE_REGS(CLBR_RDI)
13732 +#endif
13733 +
13734 + popq %rbx
13735 + popq %rdi
13736 + retq
13737 +ENDPROC(pax_enter_kernel_user)
13738 +
13739 +ENTRY(pax_exit_kernel_user)
13740 + push %rdi
13741 +
13742 +#ifdef CONFIG_PARAVIRT
13743 + pushq %rbx
13744 + PV_SAVE_REGS(CLBR_RDI)
13745 +#endif
13746 +
13747 +#ifdef CONFIG_PAX_KERNEXEC
13748 + GET_CR0_INTO_RDI
13749 + btr $16,%rdi
13750 + SET_RDI_INTO_CR0
13751 +#endif
13752 +
13753 + GET_CR3_INTO_RDI
13754 + add $__START_KERNEL_map,%rdi
13755 + sub phys_base(%rip),%rdi
13756 +
13757 +#ifdef CONFIG_PARAVIRT
13758 + cmpl $0, pv_info+PARAVIRT_enabled
13759 + jz 1f
13760 + mov %rdi,%rbx
13761 + i = 0
13762 + .rept USER_PGD_PTRS
13763 + mov i*8(%rbx),%rsi
13764 + mov $0x67,%sil
13765 + lea i*8(%rbx),%rdi
13766 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
13767 + i = i + 1
13768 + .endr
13769 + jmp 2f
13770 +1:
13771 +#endif
13772 +
13773 + i = 0
13774 + .rept USER_PGD_PTRS
13775 + movb $0x67,i*8(%rdi)
13776 + i = i + 1
13777 + .endr
13778 +
13779 +#ifdef CONFIG_PARAVIRT
13780 +2: PV_RESTORE_REGS(CLBR_RDI)
13781 + popq %rbx
13782 +#endif
13783 +
13784 + popq %rdi
13785 + retq
13786 +ENDPROC(pax_exit_kernel_user)
13787 +#endif
13788 +
13789 +.macro pax_erase_kstack
13790 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13791 + call pax_erase_kstack
13792 +#endif
13793 +.endm
13794 +
13795 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13796 +/*
13797 + * r10: thread_info
13798 + * rcx, rdx: can be clobbered
13799 + */
13800 +ENTRY(pax_erase_kstack)
13801 + pushq %rdi
13802 + pushq %rax
13803 +
13804 + GET_THREAD_INFO(%r10)
13805 + mov TI_lowest_stack(%r10), %rdi
13806 + mov $-0xBEEF, %rax
13807 + std
13808 +
13809 +1: mov %edi, %ecx
13810 + and $THREAD_SIZE_asm - 1, %ecx
13811 + shr $3, %ecx
13812 + repne scasq
13813 + jecxz 2f
13814 +
13815 + cmp $2*8, %ecx
13816 + jc 2f
13817 +
13818 + mov $2*8, %ecx
13819 + repe scasq
13820 + jecxz 2f
13821 + jne 1b
13822 +
13823 +2: cld
13824 + mov %esp, %ecx
13825 + sub %edi, %ecx
13826 + shr $3, %ecx
13827 + rep stosq
13828 +
13829 + mov TI_task_thread_sp0(%r10), %rdi
13830 + sub $256, %rdi
13831 + mov %rdi, TI_lowest_stack(%r10)
13832 +
13833 + popq %rax
13834 + popq %rdi
13835 + ret
13836 +ENDPROC(pax_erase_kstack)
13837 +#endif
13838
13839 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
13840 #ifdef CONFIG_TRACE_IRQFLAGS
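Review bot: The header comment on the 64-bit pax_erase_kstack says `r10: thread_info` as if it were an input, but the body loads it itself with `GET_THREAD_INFO(%r10)`, so %r10 is clobbered rather than consumed. The comment looks carried over from the 32-bit version, where %ebp really is passed in. It also lists %rdx as clobbered although the visible body never touches it. Something like `* clobbers: r10 (loaded with thread_info here), rcx` would match the code. In pax_enter_kernel_user and pax_exit_kernel_user, the byte values `$0` and `$0x67` written into each user PGD slot need a comment naming the page-table flag bits they clear and set, and `bts`/`btr $16` needs one naming CR0.WP.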
13841 @@ -317,7 +569,7 @@ ENTRY(save_args)
13842 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
13843 movq_cfi rbp, 8 /* push %rbp */
13844 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
13845 - testl $3, CS(%rdi)
13846 + testb $3, CS(%rdi)
13847 je 1f
13848 SWAPGS
13849 /*
13850 @@ -409,7 +661,7 @@ ENTRY(ret_from_fork)
13851
13852 RESTORE_REST
13853
13854 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
13855 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
13856 je int_ret_from_sys_call
13857
13858 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
13859 @@ -455,7 +707,7 @@ END(ret_from_fork)
13860 ENTRY(system_call)
13861 CFI_STARTPROC simple
13862 CFI_SIGNAL_FRAME
13863 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
13864 + CFI_DEF_CFA rsp,0
13865 CFI_REGISTER rip,rcx
13866 /*CFI_REGISTER rflags,r11*/
13867 SWAPGS_UNSAFE_STACK
13868 @@ -468,12 +720,13 @@ ENTRY(system_call_after_swapgs)
13869
13870 movq %rsp,PER_CPU_VAR(old_rsp)
13871 movq PER_CPU_VAR(kernel_stack),%rsp
13872 + pax_enter_kernel_user
13873 /*
13874 * No need to follow this irqs off/on section - it's straight
13875 * and short:
13876 */
13877 ENABLE_INTERRUPTS(CLBR_NONE)
13878 - SAVE_ARGS 8,1
13879 + SAVE_ARGS 8*6,1
13880 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
13881 movq %rcx,RIP-ARGOFFSET(%rsp)
13882 CFI_REL_OFFSET rip,RIP-ARGOFFSET
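Review bot: `SAVE_ARGS 8*6,1` replaces a one-word skip with a six-word one and gives no hint where the six comes from. Together with `CFI_DEF_CFA rsp,0` in the preceding hunk, it suggests the per-CPU kernel_stack value no longer reserves room for the hardware frame, but that definition is outside these hunks. A comment on the line, for example `/* skip orig_rax plus the five-word iret frame */` (to be confirmed by the author), or a named constant in place of the literal, would tie the stack layout and the CFI change together. system_call_after_swapgs continues past this hunk.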
13883 @@ -502,6 +755,7 @@ sysret_check:
13884 andl %edi,%edx
13885 jnz sysret_careful
13886 CFI_REMEMBER_STATE
13887 + pax_exit_kernel_user
13888 /*
13889 * sysretq will re-enable interrupts:
13890 */
13891 @@ -562,6 +816,9 @@ auditsys:
13892 movq %rax,%rsi /* 2nd arg: syscall number */
13893 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
13894 call audit_syscall_entry
13895 +
13896 + pax_erase_kstack
13897 +
13898 LOAD_ARGS 0 /* reload call-clobbered registers */
13899 jmp system_call_fastpath
13900
13901 @@ -592,6 +849,9 @@ tracesys:
13902 FIXUP_TOP_OF_STACK %rdi
13903 movq %rsp,%rdi
13904 call syscall_trace_enter
13905 +
13906 + pax_erase_kstack
13907 +
13908 /*
13909 * Reload arg registers from stack in case ptrace changed them.
13910 * We don't reload %rax because syscall_trace_enter() returned
13911 @@ -613,7 +873,7 @@ tracesys:
13912 GLOBAL(int_ret_from_sys_call)
13913 DISABLE_INTERRUPTS(CLBR_NONE)
13914 TRACE_IRQS_OFF
13915 - testl $3,CS-ARGOFFSET(%rsp)
13916 + testb $3,CS-ARGOFFSET(%rsp)
13917 je retint_restore_args
13918 movl $_TIF_ALLWORK_MASK,%edi
13919 /* edi: mask to check */
13920 @@ -800,6 +1060,16 @@ END(interrupt)
13921 CFI_ADJUST_CFA_OFFSET 10*8
13922 call save_args
13923 PARTIAL_FRAME 0
13924 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13925 + testb $3, CS(%rdi)
13926 + jnz 1f
13927 + pax_enter_kernel
13928 + jmp 2f
13929 +1: pax_enter_kernel_user
13930 +2:
13931 +#else
13932 + pax_enter_kernel
13933 +#endif
13934 call \func
13935 .endm
13936
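Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` block that tests the saved CS and picks pax_enter_kernel or pax_enter_kernel_user is pasted here and again, unchanged apart from the CS operand, in the five exception-entry macro hunks below and in ENTRY(nmi). Seven copies of a privilege-dependent entry hook are easy to update inconsistently. A single macro that takes the CS slot as its argument would leave one place to review; the sketch below is untested. The enclosing interrupt macro starts before this hunk.

```asm
	/* choose the kernel-entry hook from the saved CS: RPL 0 = kernel, otherwise user */
	.macro pax_enter_kernel_by_cs cs_slot
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs_slot
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm

	/* … unchanged: call save_args, PARTIAL_FRAME 0 … */
	pax_enter_kernel_by_cs CS(%rdi)
	call \func
```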
13937 @@ -822,7 +1092,7 @@ ret_from_intr:
13938 CFI_ADJUST_CFA_OFFSET -8
13939 exit_intr:
13940 GET_THREAD_INFO(%rcx)
13941 - testl $3,CS-ARGOFFSET(%rsp)
13942 + testb $3,CS-ARGOFFSET(%rsp)
13943 je retint_kernel
13944
13945 /* Interrupt came from user space */
13946 @@ -844,12 +1114,14 @@ retint_swapgs: /* return to user-space
13947 * The iretq could re-enable interrupts:
13948 */
13949 DISABLE_INTERRUPTS(CLBR_ANY)
13950 + pax_exit_kernel_user
13951 TRACE_IRQS_IRETQ
13952 SWAPGS
13953 jmp restore_args
13954
13955 retint_restore_args: /* return to kernel space */
13956 DISABLE_INTERRUPTS(CLBR_ANY)
13957 + pax_exit_kernel
13958 /*
13959 * The iretq could re-enable interrupts:
13960 */
13961 @@ -1032,6 +1304,16 @@ ENTRY(\sym)
13962 CFI_ADJUST_CFA_OFFSET 15*8
13963 call error_entry
13964 DEFAULT_FRAME 0
13965 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13966 + testb $3, CS(%rsp)
13967 + jnz 1f
13968 + pax_enter_kernel
13969 + jmp 2f
13970 +1: pax_enter_kernel_user
13971 +2:
13972 +#else
13973 + pax_enter_kernel
13974 +#endif
13975 movq %rsp,%rdi /* pt_regs pointer */
13976 xorl %esi,%esi /* no error code */
13977 call \do_sym
13978 @@ -1049,6 +1331,16 @@ ENTRY(\sym)
13979 subq $15*8, %rsp
13980 call save_paranoid
13981 TRACE_IRQS_OFF
13982 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13983 + testb $3, CS(%rsp)
13984 + jnz 1f
13985 + pax_enter_kernel
13986 + jmp 2f
13987 +1: pax_enter_kernel_user
13988 +2:
13989 +#else
13990 + pax_enter_kernel
13991 +#endif
13992 movq %rsp,%rdi /* pt_regs pointer */
13993 xorl %esi,%esi /* no error code */
13994 call \do_sym
13995 @@ -1066,9 +1358,24 @@ ENTRY(\sym)
13996 subq $15*8, %rsp
13997 call save_paranoid
13998 TRACE_IRQS_OFF
13999 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14000 + testb $3, CS(%rsp)
14001 + jnz 1f
14002 + pax_enter_kernel
14003 + jmp 2f
14004 +1: pax_enter_kernel_user
14005 +2:
14006 +#else
14007 + pax_enter_kernel
14008 +#endif
14009 movq %rsp,%rdi /* pt_regs pointer */
14010 xorl %esi,%esi /* no error code */
14011 - PER_CPU(init_tss, %rbp)
14012 +#ifdef CONFIG_SMP
14013 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
14014 + lea init_tss(%rbp), %rbp
14015 +#else
14016 + lea init_tss(%rip), %rbp
14017 +#endif
14018 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
14019 call \do_sym
14020 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
14021 @@ -1085,6 +1392,16 @@ ENTRY(\sym)
14022 CFI_ADJUST_CFA_OFFSET 15*8
14023 call error_entry
14024 DEFAULT_FRAME 0
14025 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14026 + testb $3, CS(%rsp)
14027 + jnz 1f
14028 + pax_enter_kernel
14029 + jmp 2f
14030 +1: pax_enter_kernel_user
14031 +2:
14032 +#else
14033 + pax_enter_kernel
14034 +#endif
14035 movq %rsp,%rdi /* pt_regs pointer */
14036 movq ORIG_RAX(%rsp),%rsi /* get error code */
14037 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14038 @@ -1104,6 +1421,16 @@ ENTRY(\sym)
14039 call save_paranoid
14040 DEFAULT_FRAME 0
14041 TRACE_IRQS_OFF
14042 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14043 + testb $3, CS(%rsp)
14044 + jnz 1f
14045 + pax_enter_kernel
14046 + jmp 2f
14047 +1: pax_enter_kernel_user
14048 +2:
14049 +#else
14050 + pax_enter_kernel
14051 +#endif
14052 movq %rsp,%rdi /* pt_regs pointer */
14053 movq ORIG_RAX(%rsp),%rsi /* get error code */
14054 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14055 @@ -1405,14 +1732,27 @@ ENTRY(paranoid_exit)
14056 TRACE_IRQS_OFF
14057 testl %ebx,%ebx /* swapgs needed? */
14058 jnz paranoid_restore
14059 - testl $3,CS(%rsp)
14060 + testb $3,CS(%rsp)
14061 jnz paranoid_userspace
14062 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14063 + pax_exit_kernel
14064 + TRACE_IRQS_IRETQ 0
14065 + SWAPGS_UNSAFE_STACK
14066 + RESTORE_ALL 8
14067 + jmp irq_return
14068 +#endif
14069 paranoid_swapgs:
14070 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14071 + pax_exit_kernel_user
14072 +#else
14073 + pax_exit_kernel
14074 +#endif
14075 TRACE_IRQS_IRETQ 0
14076 SWAPGS_UNSAFE_STACK
14077 RESTORE_ALL 8
14078 jmp irq_return
14079 paranoid_restore:
14080 + pax_exit_kernel
14081 TRACE_IRQS_IRETQ 0
14082 RESTORE_ALL 8
14083 jmp irq_return
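Review bot: The new `#ifdef CONFIG_PAX_MEMORY_UDEREF` block after `jnz paranoid_userspace` repeats the whole `TRACE_IRQS_IRETQ 0` / `SWAPGS_UNSAFE_STACK` / `RESTORE_ALL 8` / `jmp irq_return` tail without a comment saying which case it serves. From the two tests above it, it is reached when a swapgs is still needed and the saved CS has RPL 0, so it pairs with the plain `pax_enter_kernel` path; a comment such as `/* kernel-mode CS with swapgs pending: undo pax_enter_kernel, not the _user variant */` would make that explicit. The NMI exit hunk at `@@ -1539,11` has the same uncommented split. paranoid_exit continues past the end of this hunk.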
14084 @@ -1470,7 +1810,7 @@ ENTRY(error_entry)
14085 movq_cfi r14, R14+8
14086 movq_cfi r15, R15+8
14087 xorl %ebx,%ebx
14088 - testl $3,CS+8(%rsp)
14089 + testb $3,CS+8(%rsp)
14090 je error_kernelspace
14091 error_swapgs:
14092 SWAPGS
14093 @@ -1529,6 +1869,16 @@ ENTRY(nmi)
14094 CFI_ADJUST_CFA_OFFSET 15*8
14095 call save_paranoid
14096 DEFAULT_FRAME 0
14097 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14098 + testb $3, CS(%rsp)
14099 + jnz 1f
14100 + pax_enter_kernel
14101 + jmp 2f
14102 +1: pax_enter_kernel_user
14103 +2:
14104 +#else
14105 + pax_enter_kernel
14106 +#endif
14107 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14108 movq %rsp,%rdi
14109 movq $-1,%rsi
14110 @@ -1539,11 +1889,25 @@ ENTRY(nmi)
14111 DISABLE_INTERRUPTS(CLBR_NONE)
14112 testl %ebx,%ebx /* swapgs needed? */
14113 jnz nmi_restore
14114 - testl $3,CS(%rsp)
14115 + testb $3,CS(%rsp)
14116 jnz nmi_userspace
14117 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14118 + pax_exit_kernel
14119 + SWAPGS_UNSAFE_STACK
14120 + RESTORE_ALL 8
14121 + jmp irq_return
14122 +#endif
14123 nmi_swapgs:
14124 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14125 + pax_exit_kernel_user
14126 +#else
14127 + pax_exit_kernel
14128 +#endif
14129 SWAPGS_UNSAFE_STACK
14130 + RESTORE_ALL 8
14131 + jmp irq_return
14132 nmi_restore:
14133 + pax_exit_kernel
14134 RESTORE_ALL 8
14135 jmp irq_return
14136 nmi_userspace:
14137 diff -urNp linux-2.6.32.43/arch/x86/kernel/ftrace.c linux-2.6.32.43/arch/x86/kernel/ftrace.c
14138 --- linux-2.6.32.43/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
14139 +++ linux-2.6.32.43/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
14140 @@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
14141 static void *mod_code_newcode; /* holds the text to write to the IP */
14142
14143 static unsigned nmi_wait_count;
14144 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14145 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14146
14147 int ftrace_arch_read_dyn_info(char *buf, int size)
14148 {
14149 @@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14150
14151 r = snprintf(buf, size, "%u %u",
14152 nmi_wait_count,
14153 - atomic_read(&nmi_update_count));
14154 + atomic_read_unchecked(&nmi_update_count));
14155 return r;
14156 }
14157
14158 @@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
14159 {
14160 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14161 smp_rmb();
14162 + pax_open_kernel();
14163 ftrace_mod_code();
14164 - atomic_inc(&nmi_update_count);
14165 + pax_close_kernel();
14166 + atomic_inc_unchecked(&nmi_update_count);
14167 }
14168 /* Must have previous changes seen before executions */
14169 smp_mb();
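Review bot: `pax_open_kernel()` and `pax_close_kernel()` are now called from NMI context in ftrace_nmi_enter, and an NMI can arrive while the interrupted code on the same CPU is itself between an open and a close. Their definitions are outside this hunk; if they are not written to nest, the close here would end the outer window early or the open would trip a consistency check. A comment stating the guarantee relied on would help, for example `/* NMI may land inside another open window: pax_open_kernel() must tolerate nesting */`. The function body starts and ends outside the hunk.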
14170 @@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
14171
14172
14173
14174 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
14175 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
14176
14177 static unsigned char *ftrace_nop_replace(void)
14178 {
14179 @@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
14180 {
14181 unsigned char replaced[MCOUNT_INSN_SIZE];
14182
14183 + ip = ktla_ktva(ip);
14184 +
14185 /*
14186 * Note: Due to modules and __init, code can
14187 * disappear and change, we need to protect against faulting
14188 @@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
14189 unsigned char old[MCOUNT_INSN_SIZE], *new;
14190 int ret;
14191
14192 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
14193 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
14194 new = ftrace_call_replace(ip, (unsigned long)func);
14195 ret = ftrace_modify_code(ip, old, new);
14196
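Review bot: `ktla_ktva()` is applied here to an `unsigned long` with a cast on each side, while the `@@ -337,15` hunk passes the `ftrace_test_*` symbols to it directly and hands the result straight to `memcpy`. Unless the helper is defined to accept both pointers and integers (its definition is not in this diff section), one of the two forms depends on implicit conversions; using the explicit form everywhere, `(void *)ktla_ktva((unsigned long)sym)`, would keep the call sites consistent. The change also silently replaces `&ftrace_call` with `ftrace_call`, which deserves a word in the commit text.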
14197 @@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
14198 switch (faulted) {
14199 case 0:
14200 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
14201 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
14202 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
14203 break;
14204 case 1:
14205 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
14206 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
14207 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
14208 break;
14209 case 2:
14210 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
14211 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
14212 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
14213 break;
14214 }
14215
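Review bot: `ftrace_nop` becomes `__read_only` in the `@@ -215,7` hunk, yet the three `memcpy(ftrace_nop, ...)` calls in this `switch` still write to it without the `pax_open_kernel()`/`pax_close_kernel()` pair that the same patch adds in ftrace_nmi_enter. This presumably relies on ftrace_dyn_arch_init being `__init` and running before read-only data is write-protected, but that ordering is not visible here. A comment above the `switch` would record the assumption, for example `/* ftrace_nop is __read_only; writable here only because this runs before rodata is protected */`. The `switch` starts outside the hunk.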
14216 @@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
14217 {
14218 unsigned char code[MCOUNT_INSN_SIZE];
14219
14220 + ip = ktla_ktva(ip);
14221 +
14222 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
14223 return -EFAULT;
14224
14225 diff -urNp linux-2.6.32.43/arch/x86/kernel/head32.c linux-2.6.32.43/arch/x86/kernel/head32.c
14226 --- linux-2.6.32.43/arch/x86/kernel/head32.c 2011-03-27 14:31:47.000000000 -0400
14227 +++ linux-2.6.32.43/arch/x86/kernel/head32.c 2011-04-17 15:56:46.000000000 -0400
14228 @@ -16,6 +16,7 @@
14229 #include <asm/apic.h>
14230 #include <asm/io_apic.h>
14231 #include <asm/bios_ebda.h>
14232 +#include <asm/boot.h>
14233
14234 static void __init i386_default_early_setup(void)
14235 {
14236 @@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
14237 {
14238 reserve_trampoline_memory();
14239
14240 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14241 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14242
14243 #ifdef CONFIG_BLK_DEV_INITRD
14244 /* Reserve INITRD */
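Review bot: The early reservation now starts at the build-time constant `LOAD_PHYSICAL_ADDR` instead of the address of `_text`, and the change is not guarded by any `CONFIG_PAX_*` option. If the image can run from a physical address other than the configured one (a relocatable build), the reserved range no longer starts where the kernel actually begins; whether that configuration is excluded elsewhere is not visible in this hunk. A comment giving the reason is needed, and if the reason is that `_text` no longer marks the first byte of the image, say so: `/* reserve from the load address; _text is not the start of the image here */`.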
14245 diff -urNp linux-2.6.32.43/arch/x86/kernel/head_32.S linux-2.6.32.43/arch/x86/kernel/head_32.S
14246 --- linux-2.6.32.43/arch/x86/kernel/head_32.S 2011-03-27 14:31:47.000000000 -0400
14247 +++ linux-2.6.32.43/arch/x86/kernel/head_32.S 2011-07-06 19:53:33.000000000 -0400
14248 @@ -19,10 +19,17 @@
14249 #include <asm/setup.h>
14250 #include <asm/processor-flags.h>
14251 #include <asm/percpu.h>
14252 +#include <asm/msr-index.h>
14253
14254 /* Physical address */
14255 #define pa(X) ((X) - __PAGE_OFFSET)
14256
14257 +#ifdef CONFIG_PAX_KERNEXEC
14258 +#define ta(X) (X)
14259 +#else
14260 +#define ta(X) ((X) - __PAGE_OFFSET)
14261 +#endif
14262 +
14263 /*
14264 * References to members of the new_cpu_data structure.
14265 */
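Review bot: The new `ta(X)` macro has no comment, unlike `pa(X)` directly above it with its `/* Physical address */` line. The visible definition is `X` under `CONFIG_PAX_KERNEXEC` and `X - __PAGE_OFFSET` otherwise, and its only visible use is the `subarch_entries` table. A matching one-liner would help readers tell the two apart, for example `/* Text address for pre-paging jumps: X under KERNEXEC, X - __PAGE_OFFSET otherwise */`.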
14266 @@ -52,11 +59,7 @@
14267 * and small than max_low_pfn, otherwise will waste some page table entries
14268 */
14269
14270 -#if PTRS_PER_PMD > 1
14271 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
14272 -#else
14273 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
14274 -#endif
14275 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
14276
14277 /* Enough space to fit pagetables for the low memory linear map */
14278 MAPPING_BEYOND_END = \
14279 @@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
14280 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14281
14282 /*
14283 + * Real beginning of normal "text" segment
14284 + */
14285 +ENTRY(stext)
14286 +ENTRY(_stext)
14287 +
14288 +/*
14289 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
14290 * %esi points to the real-mode code as a 32-bit pointer.
14291 * CS and DS must be 4 GB flat segments, but we don't depend on
14292 @@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14293 * can.
14294 */
14295 __HEAD
14296 +
14297 +#ifdef CONFIG_PAX_KERNEXEC
14298 + jmp startup_32
14299 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
14300 +.fill PAGE_SIZE-5,1,0xcc
14301 +#endif
14302 +
14303 ENTRY(startup_32)
14304 + movl pa(stack_start),%ecx
14305 +
14306 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
14307 us to not reload segments */
14308 testb $(1<<6), BP_loadflags(%esi)
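Review bot: The literal `5` in `.fill PAGE_SIZE-5,1,0xcc` is the assumed size of the `jmp startup_32` before it, and nothing states or enforces that. If the assembler ever encodes the jump differently, the padding no longer ends on a page boundary and `startup_32` shifts without any build error. At minimum the comment should say so, for example `/* 5 = size of the rel32 jmp above; keeps startup_32 at offset PAGE_SIZE */`.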
14309 @@ -95,7 +113,60 @@ ENTRY(startup_32)
14310 movl %eax,%es
14311 movl %eax,%fs
14312 movl %eax,%gs
14313 + movl %eax,%ss
14314 2:
14315 + leal -__PAGE_OFFSET(%ecx),%esp
14316 +
14317 +#ifdef CONFIG_SMP
14318 + movl $pa(cpu_gdt_table),%edi
14319 + movl $__per_cpu_load,%eax
14320 + movw %ax,__KERNEL_PERCPU + 2(%edi)
14321 + rorl $16,%eax
14322 + movb %al,__KERNEL_PERCPU + 4(%edi)
14323 + movb %ah,__KERNEL_PERCPU + 7(%edi)
14324 + movl $__per_cpu_end - 1,%eax
14325 + subl $__per_cpu_start,%eax
14326 + movw %ax,__KERNEL_PERCPU + 0(%edi)
14327 +#endif
14328 +
14329 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14330 + movl $NR_CPUS,%ecx
14331 + movl $pa(cpu_gdt_table),%edi
14332 +1:
14333 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
14334 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
14335 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
14336 + addl $PAGE_SIZE_asm,%edi
14337 + loop 1b
14338 +#endif
14339 +
14340 +#ifdef CONFIG_PAX_KERNEXEC
14341 + movl $pa(boot_gdt),%edi
14342 + movl $__LOAD_PHYSICAL_ADDR,%eax
14343 + movw %ax,__BOOT_CS + 2(%edi)
14344 + rorl $16,%eax
14345 + movb %al,__BOOT_CS + 4(%edi)
14346 + movb %ah,__BOOT_CS + 7(%edi)
14347 + rorl $16,%eax
14348 +
14349 + ljmp $(__BOOT_CS),$1f
14350 +1:
14351 +
14352 + movl $NR_CPUS,%ecx
14353 + movl $pa(cpu_gdt_table),%edi
14354 + addl $__PAGE_OFFSET,%eax
14355 +1:
14356 + movw %ax,__KERNEL_CS + 2(%edi)
14357 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
14358 + rorl $16,%eax
14359 + movb %al,__KERNEL_CS + 4(%edi)
14360 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
14361 + movb %ah,__KERNEL_CS + 7(%edi)
14362 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
14363 + rorl $16,%eax
14364 + addl $PAGE_SIZE_asm,%edi
14365 + loop 1b
14366 +#endif
14367
14368 /*
14369 * Clear BSS first so that there are no surprises...
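Review bot: The three immediates in the `CONFIG_PAX_MEMORY_UDEREF` loop take only the top nibble of `__PAGE_OFFSET-1` (`& 0xf0000000`) for the descriptor's limit bits 19:16 and leave the low 16 limit bits as set in the table. The resulting segment boundary therefore matches `__PAGE_OFFSET` only when that value is 256 MiB aligned; for any other split the user segments would extend past it. Unless Kconfig outside this hunk already forbids such splits, a build-time guard is cheap: `#if (__PAGE_OFFSET & 0x0fffffff)` / `#error "UDEREF needs a 256MB-aligned __PAGE_OFFSET"` / `#endif`, assuming `__PAGE_OFFSET` expands to a plain constant in assembly. The constants `0x00c09700`, `0x00c0fb00` and `0x00c0f300` also deserve a comment naming the access byte and flags they encode.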
14370 @@ -140,9 +211,7 @@ ENTRY(startup_32)
14371 cmpl $num_subarch_entries, %eax
14372 jae bad_subarch
14373
14374 - movl pa(subarch_entries)(,%eax,4), %eax
14375 - subl $__PAGE_OFFSET, %eax
14376 - jmp *%eax
14377 + jmp *pa(subarch_entries)(,%eax,4)
14378
14379 bad_subarch:
14380 WEAK(lguest_entry)
14381 @@ -154,10 +223,10 @@ WEAK(xen_entry)
14382 __INITDATA
14383
14384 subarch_entries:
14385 - .long default_entry /* normal x86/PC */
14386 - .long lguest_entry /* lguest hypervisor */
14387 - .long xen_entry /* Xen hypervisor */
14388 - .long default_entry /* Moorestown MID */
14389 + .long ta(default_entry) /* normal x86/PC */
14390 + .long ta(lguest_entry) /* lguest hypervisor */
14391 + .long ta(xen_entry) /* Xen hypervisor */
14392 + .long ta(default_entry) /* Moorestown MID */
14393 num_subarch_entries = (. - subarch_entries) / 4
14394 .previous
14395 #endif /* CONFIG_PARAVIRT */
14396 @@ -218,8 +287,11 @@ default_entry:
14397 movl %eax, pa(max_pfn_mapped)
14398
14399 /* Do early initialization of the fixmap area */
14400 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14401 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14402 +#ifdef CONFIG_COMPAT_VDSO
14403 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14404 +#else
14405 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14406 +#endif
14407 #else /* Not PAE */
14408
14409 page_pde_offset = (__PAGE_OFFSET >> 20);
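Review bot: The fixmap PDE gains `_PAGE_USER` only under `CONFIG_COMPAT_VDSO`, here and again in the non-PAE hunk at `@@ -249,8`, and neither place says why. The user bit on a directory entry widens what user mode may reach through it, so the condition should be explained where it is set. A suggested comment above the `#ifdef`: `/* the compat vDSO lives in the fixmap, so user mode must be able to walk this PDE */`; please confirm that is the actual reason, since it is inferred from the option name.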
14410 @@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
14411 movl %eax, pa(max_pfn_mapped)
14412
14413 /* Do early initialization of the fixmap area */
14414 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14415 - movl %eax,pa(swapper_pg_dir+0xffc)
14416 +#ifdef CONFIG_COMPAT_VDSO
14417 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
14418 +#else
14419 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
14420 +#endif
14421 #endif
14422 jmp 3f
14423 /*
14424 @@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
14425 movl %eax,%es
14426 movl %eax,%fs
14427 movl %eax,%gs
14428 + movl pa(stack_start),%ecx
14429 + movl %eax,%ss
14430 + leal -__PAGE_OFFSET(%ecx),%esp
14431 #endif /* CONFIG_SMP */
14432 3:
14433
14434 @@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
14435 orl %edx,%eax
14436 movl %eax,%cr4
14437
14438 +#ifdef CONFIG_X86_PAE
14439 btl $5, %eax # check if PAE is enabled
14440 jnc 6f
14441
14442 @@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
14443 cpuid
14444 cmpl $0x80000000, %eax
14445 jbe 6f
14446 +
14447 + /* Clear bogus XD_DISABLE bits */
14448 + call verify_cpu
14449 +
14450 mov $0x80000001, %eax
14451 cpuid
14452 /* Execute Disable bit supported? */
14453 @@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
14454 jnc 6f
14455
14456 /* Setup EFER (Extended Feature Enable Register) */
14457 - movl $0xc0000080, %ecx
14458 + movl $MSR_EFER, %ecx
14459 rdmsr
14460
14461 btsl $11, %eax
14462 /* Make changes effective */
14463 wrmsr
14464
14465 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
14466 + movl $1,pa(nx_enabled)
14467 +#endif
14468 +
14469 6:
14470
14471 /*
14472 @@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
14473 movl %eax,%cr0 /* ..and set paging (PG) bit */
14474 ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
14475 1:
14476 - /* Set up the stack pointer */
14477 - lss stack_start,%esp
14478 + /* Shift the stack pointer to a virtual address */
14479 + addl $__PAGE_OFFSET, %esp
14480
14481 /*
14482 * Initialize eflags. Some BIOS's leave bits like NT set. This would
14483 @@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
14484
14485 #ifdef CONFIG_SMP
14486 cmpb $0, ready
14487 - jz 1f /* Initial CPU cleans BSS */
14488 - jmp checkCPUtype
14489 -1:
14490 + jnz checkCPUtype
14491 #endif /* CONFIG_SMP */
14492
14493 /*
14494 @@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
14495 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
14496 movl %eax,%ss # after changing gdt.
14497
14498 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
14499 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
14500 movl %eax,%ds
14501 movl %eax,%es
14502
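Review bot: The replacement line is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, which reads as dead code. The effect is that DS and ES now take the value `%eax` already holds from the `movl $(__KERNEL_DS),%eax` two lines earlier. A plain comment states that directly: `/* %eax still holds __KERNEL_DS: DS/ES use the kernel segment */`.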
14503 @@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
14504 */
14505 cmpb $0,ready
14506 jne 1f
14507 - movl $per_cpu__gdt_page,%eax
14508 + movl $cpu_gdt_table,%eax
14509 movl $per_cpu__stack_canary,%ecx
14510 +#ifdef CONFIG_SMP
14511 + addl $__per_cpu_load,%ecx
14512 +#endif
14513 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
14514 shrl $16, %ecx
14515 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
14516 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
14517 1:
14518 -#endif
14519 movl $(__KERNEL_STACK_CANARY),%eax
14520 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14521 + movl $(__USER_DS),%eax
14522 +#else
14523 + xorl %eax,%eax
14524 +#endif
14525 movl %eax,%gs
14526
14527 xorl %eax,%eax # Clear LDT
14528 @@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
14529
14530 cld # gcc2 wants the direction flag cleared at all times
14531 pushl $0 # fake return address for unwinder
14532 -#ifdef CONFIG_SMP
14533 - movb ready, %cl
14534 movb $1, ready
14535 - cmpb $0,%cl # the first CPU calls start_kernel
14536 - je 1f
14537 - movl (stack_start), %esp
14538 -1:
14539 -#endif /* CONFIG_SMP */
14540 jmp *(initial_code)
14541
14542 /*
14543 @@ -546,22 +631,22 @@ early_page_fault:
14544 jmp early_fault
14545
14546 early_fault:
14547 - cld
14548 #ifdef CONFIG_PRINTK
14549 + cmpl $1,%ss:early_recursion_flag
14550 + je hlt_loop
14551 + incl %ss:early_recursion_flag
14552 + cld
14553 pusha
14554 movl $(__KERNEL_DS),%eax
14555 movl %eax,%ds
14556 movl %eax,%es
14557 - cmpl $2,early_recursion_flag
14558 - je hlt_loop
14559 - incl early_recursion_flag
14560 movl %cr2,%eax
14561 pushl %eax
14562 pushl %edx /* trapno */
14563 pushl $fault_msg
14564 call printk
14565 +; call dump_stack
14566 #endif
14567 - call dump_stack
14568 hlt_loop:
14569 hlt
14570 jmp hlt_loop
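Review bot: On x86 the GNU assembler treats `;` as a statement separator, not a comment character, so the added line `; call dump_stack` still assembles the call. The only effect is that it moved inside `#ifdef CONFIG_PRINTK`. If the intent was to disable it, delete the line or write `/* call dump_stack */`. The recursion limit here is also `cmpl $1` while `ignore_int` keeps `cmpl $2` on the same flag; if the difference is deliberate it needs a comment.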
14571 @@ -569,8 +654,11 @@ hlt_loop:
14572 /* This is the default interrupt "handler" :-) */
14573 ALIGN
14574 ignore_int:
14575 - cld
14576 #ifdef CONFIG_PRINTK
14577 + cmpl $2,%ss:early_recursion_flag
14578 + je hlt_loop
14579 + incl %ss:early_recursion_flag
14580 + cld
14581 pushl %eax
14582 pushl %ecx
14583 pushl %edx
14584 @@ -579,9 +667,6 @@ ignore_int:
14585 movl $(__KERNEL_DS),%eax
14586 movl %eax,%ds
14587 movl %eax,%es
14588 - cmpl $2,early_recursion_flag
14589 - je hlt_loop
14590 - incl early_recursion_flag
14591 pushl 16(%esp)
14592 pushl 24(%esp)
14593 pushl 32(%esp)
14594 @@ -600,6 +685,8 @@ ignore_int:
14595 #endif
14596 iret
14597
14598 +#include "verify_cpu.S"
14599 +
14600 __REFDATA
14601 .align 4
14602 ENTRY(initial_code)
14603 @@ -610,31 +697,47 @@ ENTRY(initial_page_table)
14604 /*
14605 * BSS section
14606 */
14607 -__PAGE_ALIGNED_BSS
14608 - .align PAGE_SIZE_asm
14609 #ifdef CONFIG_X86_PAE
14610 +.section .swapper_pg_pmd,"a",@progbits
14611 swapper_pg_pmd:
14612 .fill 1024*KPMDS,4,0
14613 #else
14614 +.section .swapper_pg_dir,"a",@progbits
14615 ENTRY(swapper_pg_dir)
14616 .fill 1024,4,0
14617 #endif
14618 +.section .swapper_pg_fixmap,"a",@progbits
14619 swapper_pg_fixmap:
14620 .fill 1024,4,0
14621 #ifdef CONFIG_X86_TRAMPOLINE
14622 +.section .trampoline_pg_dir,"a",@progbits
14623 ENTRY(trampoline_pg_dir)
14624 +#ifdef CONFIG_X86_PAE
14625 + .fill 4,8,0
14626 +#else
14627 .fill 1024,4,0
14628 #endif
14629 +#endif
14630 +
14631 +.section .empty_zero_page,"a",@progbits
14632 ENTRY(empty_zero_page)
14633 .fill 4096,1,0
14634
14635 /*
14636 + * The IDT has to be page-aligned to simplify the Pentium
14637 + * F0 0F bug workaround.. We have a special link segment
14638 + * for this.
14639 + */
14640 +.section .idt,"a",@progbits
14641 +ENTRY(idt_table)
14642 + .fill 256,8,0
14643 +
14644 +/*
14645 * This starts the data section.
14646 */
14647 #ifdef CONFIG_X86_PAE
14648 -__PAGE_ALIGNED_DATA
14649 - /* Page-aligned for the benefit of paravirt? */
14650 - .align PAGE_SIZE_asm
14651 +.section .swapper_pg_dir,"a",@progbits
14652 +
14653 ENTRY(swapper_pg_dir)
14654 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
14655 # if KPMDS == 3
14656 @@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
14657 # error "Kernel PMDs should be 1, 2 or 3"
14658 # endif
14659 .align PAGE_SIZE_asm /* needs to be page-sized too */
14660 +
14661 +#ifdef CONFIG_PAX_PER_CPU_PGD
14662 +ENTRY(cpu_pgd)
14663 + .rept NR_CPUS
14664 + .fill 4,8,0
14665 + .endr
14666 +#endif
14667 +
14668 #endif
14669
14670 .data
14671 +.balign 4
14672 ENTRY(stack_start)
14673 - .long init_thread_union+THREAD_SIZE
14674 - .long __BOOT_DS
14675 + .long init_thread_union+THREAD_SIZE-8
14676
14677 ready: .byte 0
14678
14679 +.section .rodata,"a",@progbits
14680 early_recursion_flag:
14681 .long 0
14682
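Review bot: `.section .rodata,"a",@progbits` is switched in immediately before `early_recursion_flag`, yet both `early_fault` and `ignore_int` in this patch modify that flag with `incl %ss:early_recursion_flag`. The head_64.S part of the same patch keeps its flag in `__INITDATA` and moves only the message strings to `.rodata`. Whether `.rodata` is already write-protected when these handlers can run is not visible here, but a counter does not belong in a read-only section. Moving the `.section .rodata` line below the flag's `.long 0` would keep it writable.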
14683 @@ -697,7 +809,7 @@ fault_msg:
14684 .word 0 # 32 bit align gdt_desc.address
14685 boot_gdt_descr:
14686 .word __BOOT_DS+7
14687 - .long boot_gdt - __PAGE_OFFSET
14688 + .long pa(boot_gdt)
14689
14690 .word 0 # 32-bit align idt_desc.address
14691 idt_descr:
14692 @@ -708,7 +820,7 @@ idt_descr:
14693 .word 0 # 32 bit align gdt_desc.address
14694 ENTRY(early_gdt_descr)
14695 .word GDT_ENTRIES*8-1
14696 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
14697 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
14698
14699 /*
14700 * The boot_gdt must mirror the equivalent in setup.S and is
14701 @@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
14702 .align L1_CACHE_BYTES
14703 ENTRY(boot_gdt)
14704 .fill GDT_ENTRY_BOOT_CS,8,0
14705 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
14706 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
14707 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
14708 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
14709 +
14710 + .align PAGE_SIZE_asm
14711 +ENTRY(cpu_gdt_table)
14712 + .rept NR_CPUS
14713 + .quad 0x0000000000000000 /* NULL descriptor */
14714 + .quad 0x0000000000000000 /* 0x0b reserved */
14715 + .quad 0x0000000000000000 /* 0x13 reserved */
14716 + .quad 0x0000000000000000 /* 0x1b reserved */
14717 +
14718 +#ifdef CONFIG_PAX_KERNEXEC
14719 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
14720 +#else
14721 + .quad 0x0000000000000000 /* 0x20 unused */
14722 +#endif
14723 +
14724 + .quad 0x0000000000000000 /* 0x28 unused */
14725 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
14726 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
14727 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
14728 + .quad 0x0000000000000000 /* 0x4b reserved */
14729 + .quad 0x0000000000000000 /* 0x53 reserved */
14730 + .quad 0x0000000000000000 /* 0x5b reserved */
14731 +
14732 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
14733 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
14734 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
14735 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
14736 +
14737 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
14738 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
14739 +
14740 + /*
14741 + * Segments used for calling PnP BIOS have byte granularity.
14742 + * The code segments and data segments have fixed 64k limits,
14743 + * the transfer segment sizes are set at run time.
14744 + */
14745 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
14746 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
14747 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
14748 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
14749 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
14750 +
14751 + /*
14752 + * The APM segments have byte granularity and their bases
14753 + * are set at run time. All have 64k limits.
14754 + */
14755 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
14756 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
14757 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
14758 +
14759 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
14760 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
14761 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
14762 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
14763 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
14764 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
14765 +
14766 + /* Be sure this is zeroed to avoid false validations in Xen */
14767 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
14768 + .endr
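Review bot: The `boot_gdt` descriptors change from `0x00cf9a…`/`0x00cf92…` to `0x00cf9b…`/`0x00cf93…` and every code and data entry in the new `cpu_gdt_table` uses the same `b`/`3` type nibble, but no comment mentions the difference. The only bit that changed is the accessed bit, presumably pre-set so the CPU never has to write it back into a table that now sits in read-only memory. Suggested comment above `ENTRY(cpu_gdt_table)`: `/* accessed bit pre-set in all code/data descriptors so segment loads do not write to the GDT */`. The `/* 0x20 alternate kernel 4GB code at 0x00000000 */` text is also only the initial value, since startup_32 rewrites the base of `__KERNEXEC_KERNEL_CS` under `CONFIG_PAX_KERNEXEC`.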
14769 diff -urNp linux-2.6.32.43/arch/x86/kernel/head_64.S linux-2.6.32.43/arch/x86/kernel/head_64.S
14770 --- linux-2.6.32.43/arch/x86/kernel/head_64.S 2011-03-27 14:31:47.000000000 -0400
14771 +++ linux-2.6.32.43/arch/x86/kernel/head_64.S 2011-04-17 15:56:46.000000000 -0400
14772 @@ -19,6 +19,7 @@
14773 #include <asm/cache.h>
14774 #include <asm/processor-flags.h>
14775 #include <asm/percpu.h>
14776 +#include <asm/cpufeature.h>
14777
14778 #ifdef CONFIG_PARAVIRT
14779 #include <asm/asm-offsets.h>
14780 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
14781 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
14782 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
14783 L3_START_KERNEL = pud_index(__START_KERNEL_map)
14784 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
14785 +L3_VMALLOC_START = pud_index(VMALLOC_START)
14786 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
14787 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
14788
14789 .text
14790 __HEAD
14791 @@ -85,35 +90,22 @@ startup_64:
14792 */
14793 addq %rbp, init_level4_pgt + 0(%rip)
14794 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
14795 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
14796 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
14797 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
14798
14799 addq %rbp, level3_ident_pgt + 0(%rip)
14800 +#ifndef CONFIG_XEN
14801 + addq %rbp, level3_ident_pgt + 8(%rip)
14802 +#endif
14803
14804 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
14805 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
14806 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
14807
14808 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
14809 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
14810 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
14811
14812 - /* Add an Identity mapping if I am above 1G */
14813 - leaq _text(%rip), %rdi
14814 - andq $PMD_PAGE_MASK, %rdi
14815 -
14816 - movq %rdi, %rax
14817 - shrq $PUD_SHIFT, %rax
14818 - andq $(PTRS_PER_PUD - 1), %rax
14819 - jz ident_complete
14820 -
14821 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
14822 - leaq level3_ident_pgt(%rip), %rbx
14823 - movq %rdx, 0(%rbx, %rax, 8)
14824 -
14825 - movq %rdi, %rax
14826 - shrq $PMD_SHIFT, %rax
14827 - andq $(PTRS_PER_PMD - 1), %rax
14828 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
14829 - leaq level2_spare_pgt(%rip), %rbx
14830 - movq %rdx, 0(%rbx, %rax, 8)
14831 -ident_complete:
14832 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
14833 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
14834
14835 /*
14836 * Fixup the kernel text+data virtual addresses. Note that
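Review bot: The fixup `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` is kept although the `@@ -364,20` hunk turns that table into `.fill 507,8,0` followed by the `level1_vsyscall_pgt` entry. Slot 506 is now part of the zero fill and only slot 507 holds a table pointer. Adding the load delta to an empty slot leaves a non-zero value in an entry that should stay clear, so it appears only the `(507*8)` line is needed. Separately, the removed "identity mapping if I am above 1G" code is replaced by a static 2G map, and a comment stating that loading above that range is not supported would help. startup_64 begins outside this hunk.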
14837 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
14838 * after the boot processor executes this code.
14839 */
14840
14841 - /* Enable PAE mode and PGE */
14842 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
14843 + /* Enable PAE mode and PSE/PGE */
14844 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14845 movq %rax, %cr4
14846
14847 /* Setup early boot stage 4 level pagetables. */
14848 @@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
14849 movl $MSR_EFER, %ecx
14850 rdmsr
14851 btsl $_EFER_SCE, %eax /* Enable System Call */
14852 - btl $20,%edi /* No Execute supported? */
14853 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
14854 jnc 1f
14855 btsl $_EFER_NX, %eax
14856 + leaq init_level4_pgt(%rip), %rdi
14857 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
14858 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
14859 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
14860 1: wrmsr /* Make changes effective */
14861
14862 /* Setup cr0 */
14863 @@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
14864 .quad x86_64_start_kernel
14865 ENTRY(initial_gs)
14866 .quad INIT_PER_CPU_VAR(irq_stack_union)
14867 - __FINITDATA
14868
14869 ENTRY(stack_start)
14870 .quad init_thread_union+THREAD_SIZE-8
14871 .word 0
14872 + __FINITDATA
14873
14874 bad_address:
14875 jmp bad_address
14876
14877 - .section ".init.text","ax"
14878 + __INIT
14879 #ifdef CONFIG_EARLY_PRINTK
14880 .globl early_idt_handlers
14881 early_idt_handlers:
14882 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
14883 #endif /* EARLY_PRINTK */
14884 1: hlt
14885 jmp 1b
14886 + .previous
14887
14888 #ifdef CONFIG_EARLY_PRINTK
14889 + __INITDATA
14890 early_recursion_flag:
14891 .long 0
14892 + .previous
14893
14894 + .section .rodata,"a",@progbits
14895 early_idt_msg:
14896 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
14897 early_idt_ripmsg:
14898 .asciz "RIP %s\n"
14899 -#endif /* CONFIG_EARLY_PRINTK */
14900 .previous
14901 +#endif /* CONFIG_EARLY_PRINTK */
14902
14903 + .section .rodata,"a",@progbits
14904 #define NEXT_PAGE(name) \
14905 .balign PAGE_SIZE; \
14906 ENTRY(name)
14907 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
14908 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14909 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
14910 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14911 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
14912 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
14913 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
14914 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
14915 .org init_level4_pgt + L4_START_KERNEL*8, 0
14916 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
14917 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
14918
14919 +#ifdef CONFIG_PAX_PER_CPU_PGD
14920 +NEXT_PAGE(cpu_pgd)
14921 + .rept NR_CPUS
14922 + .fill 512,8,0
14923 + .endr
14924 +#endif
14925 +
14926 NEXT_PAGE(level3_ident_pgt)
14927 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14928 +#ifdef CONFIG_XEN
14929 .fill 511,8,0
14930 +#else
14931 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
14932 + .fill 510,8,0
14933 +#endif
14934 +
14935 +NEXT_PAGE(level3_vmalloc_pgt)
14936 + .fill 512,8,0
14937 +
14938 +NEXT_PAGE(level3_vmemmap_pgt)
14939 + .fill L3_VMEMMAP_START,8,0
14940 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
14941
14942 NEXT_PAGE(level3_kernel_pgt)
14943 .fill L3_START_KERNEL,8,0
14944 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
14945 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
14946 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
14947
14948 +NEXT_PAGE(level2_vmemmap_pgt)
14949 + .fill 512,8,0
14950 +
14951 NEXT_PAGE(level2_fixmap_pgt)
14952 - .fill 506,8,0
14953 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
14954 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
14955 - .fill 5,8,0
14956 + .fill 507,8,0
14957 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
14958 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
14959 + .fill 4,8,0
14960
14961 -NEXT_PAGE(level1_fixmap_pgt)
14962 +NEXT_PAGE(level1_vsyscall_pgt)
14963 .fill 512,8,0
14964
14965 -NEXT_PAGE(level2_ident_pgt)
14966 - /* Since I easily can, map the first 1G.
14967 + /* Since I easily can, map the first 2G.
14968 * Don't set NX because code runs from these pages.
14969 */
14970 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
14971 +NEXT_PAGE(level2_ident_pgt)
14972 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
14973
14974 NEXT_PAGE(level2_kernel_pgt)
14975 /*
14976 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
14977 * If you want to increase this then increase MODULES_VADDR
14978 * too.)
14979 */
14980 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
14981 - KERNEL_IMAGE_SIZE/PMD_SIZE)
14982 -
14983 -NEXT_PAGE(level2_spare_pgt)
14984 - .fill 512, 8, 0
14985 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
14986
14987 #undef PMDS
14988 #undef NEXT_PAGE
14989
14990 - .data
14991 + .align PAGE_SIZE
14992 +ENTRY(cpu_gdt_table)
14993 + .rept NR_CPUS
14994 + .quad 0x0000000000000000 /* NULL descriptor */
14995 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
14996 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
14997 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
14998 + .quad 0x00cffb000000ffff /* __USER32_CS */
14999 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15000 + .quad 0x00affb000000ffff /* __USER_CS */
15001 +
15002 +#ifdef CONFIG_PAX_KERNEXEC
15003 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15004 +#else
15005 + .quad 0x0 /* unused */
15006 +#endif
15007 +
15008 + .quad 0,0 /* TSS */
15009 + .quad 0,0 /* LDT */
15010 + .quad 0,0,0 /* three TLS descriptors */
15011 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15012 + /* asm/segment.h:GDT_ENTRIES must match this */
15013 +
15014 + /* zero the remaining page */
15015 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15016 + .endr
15017 +
15018 .align 16
15019 .globl early_gdt_descr
15020 early_gdt_descr:
15021 .word GDT_ENTRIES*8-1
15022 early_gdt_descr_base:
15023 - .quad INIT_PER_CPU_VAR(gdt_page)
15024 + .quad cpu_gdt_table
15025
15026 ENTRY(phys_base)
15027 /* This must match the first entry in level2_kernel_pgt */
15028 .quad 0x0000000000000000
15029
15030 #include "../../x86/xen/xen-head.S"
15031 -
15032 - .section .bss, "aw", @nobits
15033 +
15034 + .section .rodata,"a",@progbits
15035 .align L1_CACHE_BYTES
15036 ENTRY(idt_table)
15037 - .skip IDT_ENTRIES * 16
15038 + .fill 512,8,0
15039
15040 __PAGE_ALIGNED_BSS
15041 .align PAGE_SIZE
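Review bot: `idt_table` is now sized by the literal `.fill 512,8,0` where the removed line used `.skip IDT_ENTRIES * 16`. The two agree only while `IDT_ENTRIES` is 256, and the link to the constant is lost. Writing `.fill IDT_ENTRIES * 2,8,0` keeps the size tied to it. The hunk also drops the `.data` directive before `early_gdt_descr`, so that descriptor and `phys_base` now follow whatever section is in effect from earlier in the file; a comment confirming they are meant to live there would help, since at least the descriptor base is updated at run time on the 32-bit side.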
15042 diff -urNp linux-2.6.32.43/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.43/arch/x86/kernel/i386_ksyms_32.c
15043 --- linux-2.6.32.43/arch/x86/kernel/i386_ksyms_32.c 2011-03-27 14:31:47.000000000 -0400
15044 +++ linux-2.6.32.43/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:56:46.000000000 -0400
15045 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15046 EXPORT_SYMBOL(cmpxchg8b_emu);
15047 #endif
15048
15049 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15050 +
15051 /* Networking helper routines. */
15052 EXPORT_SYMBOL(csum_partial_copy_generic);
15053 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15054 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15055
15056 EXPORT_SYMBOL(__get_user_1);
15057 EXPORT_SYMBOL(__get_user_2);
15058 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15059
15060 EXPORT_SYMBOL(csum_partial);
15061 EXPORT_SYMBOL(empty_zero_page);
15062 +
15063 +#ifdef CONFIG_PAX_KERNEXEC
15064 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15065 +#endif
15066 diff -urNp linux-2.6.32.43/arch/x86/kernel/i8259.c linux-2.6.32.43/arch/x86/kernel/i8259.c
15067 --- linux-2.6.32.43/arch/x86/kernel/i8259.c 2011-03-27 14:31:47.000000000 -0400
15068 +++ linux-2.6.32.43/arch/x86/kernel/i8259.c 2011-05-04 17:56:28.000000000 -0400
15069 @@ -208,7 +208,7 @@ spurious_8259A_irq:
15070 "spurious 8259A interrupt: IRQ%d.\n", irq);
15071 spurious_irq_mask |= irqmask;
15072 }
15073 - atomic_inc(&irq_err_count);
15074 + atomic_inc_unchecked(&irq_err_count);
15075 /*
15076 * Theoretically we do not have to handle this IRQ,
15077 * but in Linux this does not cause problems and is
15078 diff -urNp linux-2.6.32.43/arch/x86/kernel/init_task.c linux-2.6.32.43/arch/x86/kernel/init_task.c
15079 --- linux-2.6.32.43/arch/x86/kernel/init_task.c 2011-03-27 14:31:47.000000000 -0400
15080 +++ linux-2.6.32.43/arch/x86/kernel/init_task.c 2011-04-17 15:56:46.000000000 -0400
15081 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15082 * way process stacks are handled. This is done by having a special
15083 * "init_task" linker map entry..
15084 */
15085 -union thread_union init_thread_union __init_task_data =
15086 - { INIT_THREAD_INFO(init_task) };
15087 +union thread_union init_thread_union __init_task_data;
15088
15089 /*
15090 * Initial task structure.
15091 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15092 * section. Since TSS's are completely CPU-local, we want them
15093 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15094 */
15095 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15096 -
15097 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15098 +EXPORT_SYMBOL(init_tss);
15099 diff -urNp linux-2.6.32.43/arch/x86/kernel/ioport.c linux-2.6.32.43/arch/x86/kernel/ioport.c
15100 --- linux-2.6.32.43/arch/x86/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
15101 +++ linux-2.6.32.43/arch/x86/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
15102 @@ -6,6 +6,7 @@
15103 #include <linux/sched.h>
15104 #include <linux/kernel.h>
15105 #include <linux/capability.h>
15106 +#include <linux/security.h>
15107 #include <linux/errno.h>
15108 #include <linux/types.h>
15109 #include <linux/ioport.h>
15110 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
15111
15112 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15113 return -EINVAL;
15114 +#ifdef CONFIG_GRKERNSEC_IO
15115 + if (turn_on && grsec_disable_privio) {
15116 + gr_handle_ioperm();
15117 + return -EPERM;
15118 + }
15119 +#endif
15120 if (turn_on && !capable(CAP_SYS_RAWIO))
15121 return -EPERM;
15122
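Review bot: In sys_ioperm the `grsec_disable_privio` block sits before the `capable(CAP_SYS_RAWIO)` test, so `gr_handle_ioperm()` runs for every caller that asks to turn ports on, including callers the capability check would have refused anyway. If that helper writes an audit record (its body is not in this hunk), unprivileged processes can generate such records at will. Either move the block below the capability test or state the intent with a comment such as `/* report every attempt, privileged or not; gr_handle_ioperm() must be rate limited */`. The do_iopl hunk further down this file has the same ordering, and sys_ioperm's body starts and ends outside this hunk.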
15123 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
15124 * because the ->io_bitmap_max value must match the bitmap
15125 * contents:
15126 */
15127 - tss = &per_cpu(init_tss, get_cpu());
15128 + tss = init_tss + get_cpu();
15129
15130 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
15131
15132 @@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
15133 return -EINVAL;
15134 /* Trying to gain more privileges? */
15135 if (level > old) {
15136 +#ifdef CONFIG_GRKERNSEC_IO
15137 + if (grsec_disable_privio) {
15138 + gr_handle_iopl();
15139 + return -EPERM;
15140 + }
15141 +#endif
15142 if (!capable(CAP_SYS_RAWIO))
15143 return -EPERM;
15144 }
15145 diff -urNp linux-2.6.32.43/arch/x86/kernel/irq_32.c linux-2.6.32.43/arch/x86/kernel/irq_32.c
15146 --- linux-2.6.32.43/arch/x86/kernel/irq_32.c 2011-03-27 14:31:47.000000000 -0400
15147 +++ linux-2.6.32.43/arch/x86/kernel/irq_32.c 2011-07-06 19:53:33.000000000 -0400
15148 @@ -35,7 +35,7 @@ static int check_stack_overflow(void)
15149 __asm__ __volatile__("andl %%esp,%0" :
15150 "=r" (sp) : "0" (THREAD_SIZE - 1));
15151
15152 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15153 + return sp < STACK_WARN;
15154 }
15155
15156 static void print_stack_overflow(void)
15157 @@ -54,9 +54,9 @@ static inline void print_stack_overflow(
15158 * per-CPU IRQ handling contexts (thread information and stack)
15159 */
15160 union irq_ctx {
15161 - struct thread_info tinfo;
15162 - u32 stack[THREAD_SIZE/sizeof(u32)];
15163 -} __attribute__((aligned(PAGE_SIZE)));
15164 + unsigned long previous_esp;
15165 + u32 stack[THREAD_SIZE/sizeof(u32)];
15166 +} __attribute__((aligned(THREAD_SIZE)));
15167
15168 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15169 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
15170 @@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
15171 static inline int
15172 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15173 {
15174 - union irq_ctx *curctx, *irqctx;
15175 + union irq_ctx *irqctx;
15176 u32 *isp, arg1, arg2;
15177
15178 - curctx = (union irq_ctx *) current_thread_info();
15179 irqctx = __get_cpu_var(hardirq_ctx);
15180
15181 /*
15182 @@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
15183 * handler) we can't do that and just have to keep using the
15184 * current stack (which is the irq stack already after all)
15185 */
15186 - if (unlikely(curctx == irqctx))
15187 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15188 return 0;
15189
15190 /* build the stack frame on the IRQ stack */
15191 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15192 - irqctx->tinfo.task = curctx->tinfo.task;
15193 - irqctx->tinfo.previous_esp = current_stack_pointer;
15194 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15195 + irqctx->previous_esp = current_stack_pointer;
15196
15197 - /*
15198 - * Copy the softirq bits in preempt_count so that the
15199 - * softirq checks work in the hardirq context.
15200 - */
15201 - irqctx->tinfo.preempt_count =
15202 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15203 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15204 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15205 + __set_fs(MAKE_MM_SEG(0));
15206 +#endif
15207
15208 if (unlikely(overflow))
15209 call_on_stack(print_stack_overflow, isp);
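Review bot: The new already-on-the-IRQ-stack test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` subtracts `void *` values, a GNU extension that yields a signed difference. It only rejects a stack pointer below `irqctx` if the comparison ends up unsigned, which depends on how THREAD_SIZE is typed (not visible here). Writing it as `(unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE` makes the single-compare range check explicit. The `- 8` in `sizeof(*irqctx) - 8` is also unexplained, here and in the do_softirq hunk below; a named constant or a comment saying what the reserved bytes at the top of the stack are for would help. execute_on_irq_stack's body continues outside the hunk.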
15210 @@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
15211 : "0" (irq), "1" (desc), "2" (isp),
15212 "D" (desc->handle_irq)
15213 : "memory", "cc", "ecx");
15214 +
15215 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15216 + __set_fs(current_thread_info()->addr_limit);
15217 +#endif
15218 +
15219 return 1;
15220 }
15221
15222 @@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
15223 */
15224 void __cpuinit irq_ctx_init(int cpu)
15225 {
15226 - union irq_ctx *irqctx;
15227 -
15228 if (per_cpu(hardirq_ctx, cpu))
15229 return;
15230
15231 - irqctx = &per_cpu(hardirq_stack, cpu);
15232 - irqctx->tinfo.task = NULL;
15233 - irqctx->tinfo.exec_domain = NULL;
15234 - irqctx->tinfo.cpu = cpu;
15235 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15236 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15237 -
15238 - per_cpu(hardirq_ctx, cpu) = irqctx;
15239 -
15240 - irqctx = &per_cpu(softirq_stack, cpu);
15241 - irqctx->tinfo.task = NULL;
15242 - irqctx->tinfo.exec_domain = NULL;
15243 - irqctx->tinfo.cpu = cpu;
15244 - irqctx->tinfo.preempt_count = 0;
15245 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15246 -
15247 - per_cpu(softirq_ctx, cpu) = irqctx;
15248 + per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
15249 + per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
15250
15251 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15252 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
15253 @@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
15254 asmlinkage void do_softirq(void)
15255 {
15256 unsigned long flags;
15257 - struct thread_info *curctx;
15258 union irq_ctx *irqctx;
15259 u32 *isp;
15260
15261 @@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
15262 local_irq_save(flags);
15263
15264 if (local_softirq_pending()) {
15265 - curctx = current_thread_info();
15266 irqctx = __get_cpu_var(softirq_ctx);
15267 - irqctx->tinfo.task = curctx->task;
15268 - irqctx->tinfo.previous_esp = current_stack_pointer;
15269 + irqctx->previous_esp = current_stack_pointer;
15270
15271 /* build the stack frame on the softirq stack */
15272 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15273 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15274 +
15275 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15276 + __set_fs(MAKE_MM_SEG(0));
15277 +#endif
15278
15279 call_on_stack(__do_softirq, isp);
15280 +
15281 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15282 + __set_fs(current_thread_info()->addr_limit);
15283 +#endif
15284 +
15285 /*
15286 * Shouldnt happen, we returned above if in_interrupt():
15287 */
15288 diff -urNp linux-2.6.32.43/arch/x86/kernel/irq.c linux-2.6.32.43/arch/x86/kernel/irq.c
15289 --- linux-2.6.32.43/arch/x86/kernel/irq.c 2011-03-27 14:31:47.000000000 -0400
15290 +++ linux-2.6.32.43/arch/x86/kernel/irq.c 2011-05-04 17:56:28.000000000 -0400
15291 @@ -15,7 +15,7 @@
15292 #include <asm/mce.h>
15293 #include <asm/hw_irq.h>
15294
15295 -atomic_t irq_err_count;
15296 +atomic_unchecked_t irq_err_count;
15297
15298 /* Function pointer for generic interrupt vector handling */
15299 void (*generic_interrupt_extension)(void) = NULL;
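Review bot: `irq_err_count` becomes `atomic_unchecked_t` with no comment saying why it is exempt from the overflow checking that the patch presumably applies to plain `atomic_t` (the definitions are outside this chunk). Its visible uses are an increment in the spurious-8259A path and reads for the interrupt statistics output, so wraparound looks harmless. A one-line `/* statistics counter, may wrap: not a reference count */` at the declaration would record that. The same applies to `irq_mis_count`, whose reads are converted in the later hunks of this file.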
15300 @@ -114,9 +114,9 @@ static int show_other_interrupts(struct
15301 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
15302 seq_printf(p, " Machine check polls\n");
15303 #endif
15304 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
15305 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
15306 #if defined(CONFIG_X86_IO_APIC)
15307 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
15308 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
15309 #endif
15310 return 0;
15311 }
15312 @@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
15313
15314 u64 arch_irq_stat(void)
15315 {
15316 - u64 sum = atomic_read(&irq_err_count);
15317 + u64 sum = atomic_read_unchecked(&irq_err_count);
15318
15319 #ifdef CONFIG_X86_IO_APIC
15320 - sum += atomic_read(&irq_mis_count);
15321 + sum += atomic_read_unchecked(&irq_mis_count);
15322 #endif
15323 return sum;
15324 }
15325 diff -urNp linux-2.6.32.43/arch/x86/kernel/kgdb.c linux-2.6.32.43/arch/x86/kernel/kgdb.c
15326 --- linux-2.6.32.43/arch/x86/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
15327 +++ linux-2.6.32.43/arch/x86/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
15328 @@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
15329
15330 /* clear the trace bit */
15331 linux_regs->flags &= ~X86_EFLAGS_TF;
15332 - atomic_set(&kgdb_cpu_doing_single_step, -1);
15333 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
15334
15335 /* set the trace bit if we're stepping */
15336 if (remcomInBuffer[0] == 's') {
15337 linux_regs->flags |= X86_EFLAGS_TF;
15338 kgdb_single_step = 1;
15339 - atomic_set(&kgdb_cpu_doing_single_step,
15340 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
15341 raw_smp_processor_id());
15342 }
15343
15344 @@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
15345 break;
15346
15347 case DIE_DEBUG:
15348 - if (atomic_read(&kgdb_cpu_doing_single_step) ==
15349 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
15350 raw_smp_processor_id()) {
15351 if (user_mode(regs))
15352 return single_step_cont(regs, args);
15353 @@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
15354 return instruction_pointer(regs);
15355 }
15356
15357 -struct kgdb_arch arch_kgdb_ops = {
15358 +const struct kgdb_arch arch_kgdb_ops = {
15359 /* Breakpoint instruction: */
15360 .gdb_bpt_instr = { 0xcc },
15361 .flags = KGDB_HW_BREAKPOINT,
15362 diff -urNp linux-2.6.32.43/arch/x86/kernel/kprobes.c linux-2.6.32.43/arch/x86/kernel/kprobes.c
15363 --- linux-2.6.32.43/arch/x86/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
15364 +++ linux-2.6.32.43/arch/x86/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
15365 @@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
15366 char op;
15367 s32 raddr;
15368 } __attribute__((packed)) * jop;
15369 - jop = (struct __arch_jmp_op *)from;
15370 +
15371 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
15372 +
15373 + pax_open_kernel();
15374 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
15375 jop->op = RELATIVEJUMP_INSTRUCTION;
15376 + pax_close_kernel();
15377 }
15378
15379 /*
15380 @@ -193,7 +197,7 @@ static int __kprobes can_boost(kprobe_op
15381 kprobe_opcode_t opcode;
15382 kprobe_opcode_t *orig_opcodes = opcodes;
15383
15384 - if (search_exception_tables((unsigned long)opcodes))
15385 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
15386 return 0; /* Page fault may occur on this address. */
15387
15388 retry:
15389 @@ -337,7 +341,9 @@ static void __kprobes fix_riprel(struct
15390 disp = (u8 *) p->addr + *((s32 *) insn) -
15391 (u8 *) p->ainsn.insn;
15392 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
15393 + pax_open_kernel();
15394 *(s32 *)insn = (s32) disp;
15395 + pax_close_kernel();
15396 }
15397 }
15398 #endif
15399 @@ -345,16 +351,18 @@ static void __kprobes fix_riprel(struct
15400
15401 static void __kprobes arch_copy_kprobe(struct kprobe *p)
15402 {
15403 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15404 + pax_open_kernel();
15405 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15406 + pax_close_kernel();
15407
15408 fix_riprel(p);
15409
15410 - if (can_boost(p->addr))
15411 + if (can_boost(ktla_ktva(p->addr)))
15412 p->ainsn.boostable = 0;
15413 else
15414 p->ainsn.boostable = -1;
15415
15416 - p->opcode = *p->addr;
15417 + p->opcode = *(ktla_ktva(p->addr));
15418 }
15419
15420 int __kprobes arch_prepare_kprobe(struct kprobe *p)
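Review bot: `can_boost()` is now called with `ktla_ktva(p->addr)`, while inside `can_boost()` (earlier hunk) the argument is passed through `ktva_ktla()` before `search_exception_tables()`, so the parameter's address form has changed without any comment recording it. A later caller that passes an untranslated address would compile cleanly and look up the wrong exception-table entry. I would document the contract on `can_boost`, e.g. `/* opcodes must already be ktla_ktva()-translated; it is converted back only for the exception-table lookup */`. A short comment on the `pax_open_kernel()`/`pax_close_kernel()` pair, saying that it covers only the copy into `p->ainsn.insn`, would also help.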
15421 @@ -432,7 +440,7 @@ static void __kprobes prepare_singlestep
15422 if (p->opcode == BREAKPOINT_INSTRUCTION)
15423 regs->ip = (unsigned long)p->addr;
15424 else
15425 - regs->ip = (unsigned long)p->ainsn.insn;
15426 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15427 }
15428
15429 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
15430 @@ -453,7 +461,7 @@ static void __kprobes setup_singlestep(s
15431 if (p->ainsn.boostable == 1 && !p->post_handler) {
15432 /* Boost up -- we can execute copied instructions directly */
15433 reset_current_kprobe();
15434 - regs->ip = (unsigned long)p->ainsn.insn;
15435 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15436 preempt_enable_no_resched();
15437 return;
15438 }
15439 @@ -523,7 +531,7 @@ static int __kprobes kprobe_handler(stru
15440 struct kprobe_ctlblk *kcb;
15441
15442 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
15443 - if (*addr != BREAKPOINT_INSTRUCTION) {
15444 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
15445 /*
15446 * The breakpoint instruction was removed right
15447 * after we hit it. Another cpu has removed
15448 @@ -775,7 +783,7 @@ static void __kprobes resume_execution(s
15449 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
15450 {
15451 unsigned long *tos = stack_addr(regs);
15452 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
15453 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
15454 unsigned long orig_ip = (unsigned long)p->addr;
15455 kprobe_opcode_t *insn = p->ainsn.insn;
15456
15457 @@ -958,7 +966,7 @@ int __kprobes kprobe_exceptions_notify(s
15458 struct die_args *args = data;
15459 int ret = NOTIFY_DONE;
15460
15461 - if (args->regs && user_mode_vm(args->regs))
15462 + if (args->regs && user_mode(args->regs))
15463 return ret;
15464
15465 switch (val) {
15466 diff -urNp linux-2.6.32.43/arch/x86/kernel/ldt.c linux-2.6.32.43/arch/x86/kernel/ldt.c
15467 --- linux-2.6.32.43/arch/x86/kernel/ldt.c 2011-03-27 14:31:47.000000000 -0400
15468 +++ linux-2.6.32.43/arch/x86/kernel/ldt.c 2011-04-17 15:56:46.000000000 -0400
15469 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
15470 if (reload) {
15471 #ifdef CONFIG_SMP
15472 preempt_disable();
15473 - load_LDT(pc);
15474 + load_LDT_nolock(pc);
15475 if (!cpumask_equal(mm_cpumask(current->mm),
15476 cpumask_of(smp_processor_id())))
15477 smp_call_function(flush_ldt, current->mm, 1);
15478 preempt_enable();
15479 #else
15480 - load_LDT(pc);
15481 + load_LDT_nolock(pc);
15482 #endif
15483 }
15484 if (oldsize) {
15485 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
15486 return err;
15487
15488 for (i = 0; i < old->size; i++)
15489 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
15490 + write_ldt_entry(new->ldt, i, old->ldt + i);
15491 return 0;
15492 }
15493
15494 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
15495 retval = copy_ldt(&mm->context, &old_mm->context);
15496 mutex_unlock(&old_mm->context.lock);
15497 }
15498 +
15499 + if (tsk == current) {
15500 + mm->context.vdso = 0;
15501 +
15502 +#ifdef CONFIG_X86_32
15503 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15504 + mm->context.user_cs_base = 0UL;
15505 + mm->context.user_cs_limit = ~0UL;
15506 +
15507 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
15508 + cpus_clear(mm->context.cpu_user_cs_mask);
15509 +#endif
15510 +
15511 +#endif
15512 +#endif
15513 +
15514 + }
15515 +
15516 return retval;
15517 }
15518
15519 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
15520 }
15521 }
15522
15523 +#ifdef CONFIG_PAX_SEGMEXEC
15524 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
15525 + error = -EINVAL;
15526 + goto out_unlock;
15527 + }
15528 +#endif
15529 +
15530 fill_ldt(&ldt, &ldt_info);
15531 if (oldmode)
15532 ldt.avl = 0;
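Review bot: The SEGMEXEC check in write_ldt has no comment saying why code descriptors are refused, and the bit test is easy to misread. `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE` matches both code values of the two-bit `contents` field (2 and 3), not just an exact match. I would add something like `/* under SEGMEXEC a task may not install its own code segments in the LDT; the mask covers conforming and non-conforming code */` above the `if`. The request fails with a bare -EINVAL; whether it should also be reported the way the ioperm/iopl denials are is worth deciding. write_ldt starts before the hunk and the `out_unlock` label is outside it.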
15533 diff -urNp linux-2.6.32.43/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.43/arch/x86/kernel/machine_kexec_32.c
15534 --- linux-2.6.32.43/arch/x86/kernel/machine_kexec_32.c 2011-03-27 14:31:47.000000000 -0400
15535 +++ linux-2.6.32.43/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:56:46.000000000 -0400
15536 @@ -26,7 +26,7 @@
15537 #include <asm/system.h>
15538 #include <asm/cacheflush.h>
15539
15540 -static void set_idt(void *newidt, __u16 limit)
15541 +static void set_idt(struct desc_struct *newidt, __u16 limit)
15542 {
15543 struct desc_ptr curidt;
15544
15545 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
15546 }
15547
15548
15549 -static void set_gdt(void *newgdt, __u16 limit)
15550 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
15551 {
15552 struct desc_ptr curgdt;
15553
15554 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
15555 }
15556
15557 control_page = page_address(image->control_code_page);
15558 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
15559 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
15560
15561 relocate_kernel_ptr = control_page;
15562 page_list[PA_CONTROL_PAGE] = __pa(control_page);
15563 diff -urNp linux-2.6.32.43/arch/x86/kernel/microcode_amd.c linux-2.6.32.43/arch/x86/kernel/microcode_amd.c
15564 --- linux-2.6.32.43/arch/x86/kernel/microcode_amd.c 2011-04-17 17:00:52.000000000 -0400
15565 +++ linux-2.6.32.43/arch/x86/kernel/microcode_amd.c 2011-04-17 17:03:05.000000000 -0400
15566 @@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
15567 uci->mc = NULL;
15568 }
15569
15570 -static struct microcode_ops microcode_amd_ops = {
15571 +static const struct microcode_ops microcode_amd_ops = {
15572 .request_microcode_user = request_microcode_user,
15573 .request_microcode_fw = request_microcode_fw,
15574 .collect_cpu_info = collect_cpu_info_amd,
15575 @@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
15576 .microcode_fini_cpu = microcode_fini_cpu_amd,
15577 };
15578
15579 -struct microcode_ops * __init init_amd_microcode(void)
15580 +const struct microcode_ops * __init init_amd_microcode(void)
15581 {
15582 return &microcode_amd_ops;
15583 }
15584 diff -urNp linux-2.6.32.43/arch/x86/kernel/microcode_core.c linux-2.6.32.43/arch/x86/kernel/microcode_core.c
15585 --- linux-2.6.32.43/arch/x86/kernel/microcode_core.c 2011-03-27 14:31:47.000000000 -0400
15586 +++ linux-2.6.32.43/arch/x86/kernel/microcode_core.c 2011-04-17 15:56:46.000000000 -0400
15587 @@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
15588
15589 #define MICROCODE_VERSION "2.00"
15590
15591 -static struct microcode_ops *microcode_ops;
15592 +static const struct microcode_ops *microcode_ops;
15593
15594 /*
15595 * Synchronization.
15596 diff -urNp linux-2.6.32.43/arch/x86/kernel/microcode_intel.c linux-2.6.32.43/arch/x86/kernel/microcode_intel.c
15597 --- linux-2.6.32.43/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
15598 +++ linux-2.6.32.43/arch/x86/kernel/microcode_intel.c 2011-04-17 15:56:46.000000000 -0400
15599 @@ -443,13 +443,13 @@ static enum ucode_state request_microcod
15600
15601 static int get_ucode_user(void *to, const void *from, size_t n)
15602 {
15603 - return copy_from_user(to, from, n);
15604 + return copy_from_user(to, (__force const void __user *)from, n);
15605 }
15606
15607 static enum ucode_state
15608 request_microcode_user(int cpu, const void __user *buf, size_t size)
15609 {
15610 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
15611 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
15612 }
15613
15614 static void microcode_fini_cpu(int cpu)
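Review bot: The two `__force` casts silence sparse while a user pointer travels through `generic_load_microcode()` typed as a plain `void *`, and nothing in the code records that only `get_ucode_user()` may dereference it. Add a comment on `request_microcode_user`, e.g. `/* buf stays a user pointer; generic_load_microcode() must only touch it via get_ucode_user() */`, so the pairing survives later edits. `generic_load_microcode()` itself is outside this hunk, so I could not check that it never reads the buffer directly.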
15615 @@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
15616 uci->mc = NULL;
15617 }
15618
15619 -static struct microcode_ops microcode_intel_ops = {
15620 +static const struct microcode_ops microcode_intel_ops = {
15621 .request_microcode_user = request_microcode_user,
15622 .request_microcode_fw = request_microcode_fw,
15623 .collect_cpu_info = collect_cpu_info,
15624 @@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
15625 .microcode_fini_cpu = microcode_fini_cpu,
15626 };
15627
15628 -struct microcode_ops * __init init_intel_microcode(void)
15629 +const struct microcode_ops * __init init_intel_microcode(void)
15630 {
15631 return &microcode_intel_ops;
15632 }
15633 diff -urNp linux-2.6.32.43/arch/x86/kernel/module.c linux-2.6.32.43/arch/x86/kernel/module.c
15634 --- linux-2.6.32.43/arch/x86/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
15635 +++ linux-2.6.32.43/arch/x86/kernel/module.c 2011-04-17 15:56:46.000000000 -0400
15636 @@ -34,7 +34,7 @@
15637 #define DEBUGP(fmt...)
15638 #endif
15639
15640 -void *module_alloc(unsigned long size)
15641 +static void *__module_alloc(unsigned long size, pgprot_t prot)
15642 {
15643 struct vm_struct *area;
15644
15645 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
15646 if (!area)
15647 return NULL;
15648
15649 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
15650 - PAGE_KERNEL_EXEC);
15651 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
15652 +}
15653 +
15654 +void *module_alloc(unsigned long size)
15655 +{
15656 +
15657 +#ifdef CONFIG_PAX_KERNEXEC
15658 + return __module_alloc(size, PAGE_KERNEL);
15659 +#else
15660 + return __module_alloc(size, PAGE_KERNEL_EXEC);
15661 +#endif
15662 +
15663 }
15664
15665 /* Free memory returned from module_alloc */
15666 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
15667 vfree(module_region);
15668 }
15669
15670 +#ifdef CONFIG_PAX_KERNEXEC
15671 +#ifdef CONFIG_X86_32
15672 +void *module_alloc_exec(unsigned long size)
15673 +{
15674 + struct vm_struct *area;
15675 +
15676 + if (size == 0)
15677 + return NULL;
15678 +
15679 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
15680 + return area ? area->addr : NULL;
15681 +}
15682 +EXPORT_SYMBOL(module_alloc_exec);
15683 +
15684 +void module_free_exec(struct module *mod, void *module_region)
15685 +{
15686 + vunmap(module_region);
15687 +}
15688 +EXPORT_SYMBOL(module_free_exec);
15689 +#else
15690 +void module_free_exec(struct module *mod, void *module_region)
15691 +{
15692 + module_free(mod, module_region);
15693 +}
15694 +EXPORT_SYMBOL(module_free_exec);
15695 +
15696 +void *module_alloc_exec(unsigned long size)
15697 +{
15698 + return __module_alloc(size, PAGE_KERNEL_RX);
15699 +}
15700 +EXPORT_SYMBOL(module_alloc_exec);
15701 +#endif
15702 +#endif
15703 +
15704 /* We don't need anything special. */
15705 int module_frob_arch_sections(Elf_Ehdr *hdr,
15706 Elf_Shdr *sechdrs,
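Review bot: The 32-bit `module_alloc_exec` only reserves a range with `__get_vm_area()` and returns `area->addr`; nothing in this hunk allocates or maps pages or sets a protection, whereas the 64-bit variant goes through `__module_alloc(size, PAGE_KERNEL_RX)`. Presumably the range between the `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` symbols is backed elsewhere, but that needs a comment on the function, e.g. `/* the exec range is mapped elsewhere; this only hands out address space inside it */` once confirmed. If the range is persistently backed, this path also gets no equivalent of the `__GFP_ZERO` added to `__module_alloc` in the previous hunk, so a reused range may still hold the previous module's text unless the caller clears it.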
15707 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15708 unsigned int i;
15709 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
15710 Elf32_Sym *sym;
15711 - uint32_t *location;
15712 + uint32_t *plocation, location;
15713
15714 DEBUGP("Applying relocate section %u to %u\n", relsec,
15715 sechdrs[relsec].sh_info);
15716 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
15717 /* This is where to make the change */
15718 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
15719 - + rel[i].r_offset;
15720 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
15721 + location = (uint32_t)plocation;
15722 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
15723 + plocation = ktla_ktva((void *)plocation);
15724 /* This is the symbol it is referring to. Note that all
15725 undefined symbols have been resolved. */
15726 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
15727 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15728 switch (ELF32_R_TYPE(rel[i].r_info)) {
15729 case R_386_32:
15730 /* We add the value into the location given */
15731 - *location += sym->st_value;
15732 + pax_open_kernel();
15733 + *plocation += sym->st_value;
15734 + pax_close_kernel();
15735 break;
15736 case R_386_PC32:
15737 /* Add the value, subtract its postition */
15738 - *location += sym->st_value - (uint32_t)location;
15739 + pax_open_kernel();
15740 + *plocation += sym->st_value - location;
15741 + pax_close_kernel();
15742 break;
15743 default:
15744 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
15745 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
15746 case R_X86_64_NONE:
15747 break;
15748 case R_X86_64_64:
15749 + pax_open_kernel();
15750 *(u64 *)loc = val;
15751 + pax_close_kernel();
15752 break;
15753 case R_X86_64_32:
15754 + pax_open_kernel();
15755 *(u32 *)loc = val;
15756 + pax_close_kernel();
15757 if (val != *(u32 *)loc)
15758 goto overflow;
15759 break;
15760 case R_X86_64_32S:
15761 + pax_open_kernel();
15762 *(s32 *)loc = val;
15763 + pax_close_kernel();
15764 if ((s64)val != *(s32 *)loc)
15765 goto overflow;
15766 break;
15767 case R_X86_64_PC32:
15768 val -= (u64)loc;
15769 + pax_open_kernel();
15770 *(u32 *)loc = val;
15771 + pax_close_kernel();
15772 +
15773 #if 0
15774 if ((s64)val != *(s32 *)loc)
15775 goto overflow;
15776 diff -urNp linux-2.6.32.43/arch/x86/kernel/paravirt.c linux-2.6.32.43/arch/x86/kernel/paravirt.c
15777 --- linux-2.6.32.43/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.000000000 -0400
15778 +++ linux-2.6.32.43/arch/x86/kernel/paravirt.c 2011-08-05 20:33:55.000000000 -0400
15779 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
15780 {
15781 return x;
15782 }
15783 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
15784 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
15785 +#endif
15786
15787 void __init default_banner(void)
15788 {
15789 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
15790 * corresponding structure. */
15791 static void *get_call_destination(u8 type)
15792 {
15793 - struct paravirt_patch_template tmpl = {
15794 + const struct paravirt_patch_template tmpl = {
15795 .pv_init_ops = pv_init_ops,
15796 .pv_time_ops = pv_time_ops,
15797 .pv_cpu_ops = pv_cpu_ops,
15798 @@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
15799 .pv_lock_ops = pv_lock_ops,
15800 #endif
15801 };
15802 +
15803 + pax_track_stack();
15804 return *((void **)&tmpl + type);
15805 }
15806
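Review bot: `tmpl` is declared `const` in the previous hunk, but the return statement still reads it through `(void **)&tmpl`, which casts the qualifier away again. `return *((void * const *)&tmpl + type);` keeps the read const-correct. `type` is used as an index without a bound check; that predates the patch, but a comment stating the assumption that callers only pass `PARAVIRT_PATCH()` offsets would make it visible. get_call_destination starts in the previous hunk.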
15807 @@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
15808 if (opfunc == NULL)
15809 /* If there's no function, patch it with a ud2a (BUG) */
15810 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
15811 - else if (opfunc == _paravirt_nop)
15812 + else if (opfunc == (void *)_paravirt_nop)
15813 /* If the operation is a nop, then nop the callsite */
15814 ret = paravirt_patch_nop();
15815
15816 /* identity functions just return their single argument */
15817 - else if (opfunc == _paravirt_ident_32)
15818 + else if (opfunc == (void *)_paravirt_ident_32)
15819 ret = paravirt_patch_ident_32(insnbuf, len);
15820 - else if (opfunc == _paravirt_ident_64)
15821 + else if (opfunc == (void *)_paravirt_ident_64)
15822 + ret = paravirt_patch_ident_64(insnbuf, len);
15823 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
15824 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
15825 ret = paravirt_patch_ident_64(insnbuf, len);
15826 +#endif
15827
15828 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
15829 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
15830 @@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
15831 if (insn_len > len || start == NULL)
15832 insn_len = len;
15833 else
15834 - memcpy(insnbuf, start, insn_len);
15835 + memcpy(insnbuf, ktla_ktva(start), insn_len);
15836
15837 return insn_len;
15838 }
15839 @@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
15840 preempt_enable();
15841 }
15842
15843 -struct pv_info pv_info = {
15844 +struct pv_info pv_info __read_only = {
15845 .name = "bare hardware",
15846 .paravirt_enabled = 0,
15847 .kernel_rpl = 0,
15848 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
15849 };
15850
15851 -struct pv_init_ops pv_init_ops = {
15852 +struct pv_init_ops pv_init_ops __read_only = {
15853 .patch = native_patch,
15854 };
15855
15856 -struct pv_time_ops pv_time_ops = {
15857 +struct pv_time_ops pv_time_ops __read_only = {
15858 .sched_clock = native_sched_clock,
15859 };
15860
15861 -struct pv_irq_ops pv_irq_ops = {
15862 +struct pv_irq_ops pv_irq_ops __read_only = {
15863 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
15864 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
15865 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
15866 @@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
15867 #endif
15868 };
15869
15870 -struct pv_cpu_ops pv_cpu_ops = {
15871 +struct pv_cpu_ops pv_cpu_ops __read_only = {
15872 .cpuid = native_cpuid,
15873 .get_debugreg = native_get_debugreg,
15874 .set_debugreg = native_set_debugreg,
15875 @@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
15876 .end_context_switch = paravirt_nop,
15877 };
15878
15879 -struct pv_apic_ops pv_apic_ops = {
15880 +struct pv_apic_ops pv_apic_ops __read_only = {
15881 #ifdef CONFIG_X86_LOCAL_APIC
15882 .startup_ipi_hook = paravirt_nop,
15883 #endif
15884 };
15885
15886 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
15887 +#ifdef CONFIG_X86_32
15888 +#ifdef CONFIG_X86_PAE
15889 +/* 64-bit pagetable entries */
15890 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
15891 +#else
15892 /* 32-bit pagetable entries */
15893 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
15894 +#endif
15895 #else
15896 /* 64-bit pagetable entries */
15897 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
15898 #endif
15899
15900 -struct pv_mmu_ops pv_mmu_ops = {
15901 +struct pv_mmu_ops pv_mmu_ops __read_only = {
15902
15903 .read_cr2 = native_read_cr2,
15904 .write_cr2 = native_write_cr2,
15905 @@ -467,6 +481,12 @@ struct pv_mmu_ops pv_mmu_ops = {
15906 },
15907
15908 .set_fixmap = native_set_fixmap,
15909 +
15910 +#ifdef CONFIG_PAX_KERNEXEC
15911 + .pax_open_kernel = native_pax_open_kernel,
15912 + .pax_close_kernel = native_pax_close_kernel,
15913 +#endif
15914 +
15915 };
15916
15917 EXPORT_SYMBOL_GPL(pv_time_ops);
15918 diff -urNp linux-2.6.32.43/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.43/arch/x86/kernel/paravirt-spinlocks.c
15919 --- linux-2.6.32.43/arch/x86/kernel/paravirt-spinlocks.c 2011-03-27 14:31:47.000000000 -0400
15920 +++ linux-2.6.32.43/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:56:46.000000000 -0400
15921 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
15922 __raw_spin_lock(lock);
15923 }
15924
15925 -struct pv_lock_ops pv_lock_ops = {
15926 +struct pv_lock_ops pv_lock_ops __read_only = {
15927 #ifdef CONFIG_SMP
15928 .spin_is_locked = __ticket_spin_is_locked,
15929 .spin_is_contended = __ticket_spin_is_contended,
15930 diff -urNp linux-2.6.32.43/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.43/arch/x86/kernel/pci-calgary_64.c
15931 --- linux-2.6.32.43/arch/x86/kernel/pci-calgary_64.c 2011-03-27 14:31:47.000000000 -0400
15932 +++ linux-2.6.32.43/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:56:46.000000000 -0400
15933 @@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
15934 free_pages((unsigned long)vaddr, get_order(size));
15935 }
15936
15937 -static struct dma_map_ops calgary_dma_ops = {
15938 +static const struct dma_map_ops calgary_dma_ops = {
15939 .alloc_coherent = calgary_alloc_coherent,
15940 .free_coherent = calgary_free_coherent,
15941 .map_sg = calgary_map_sg,
15942 diff -urNp linux-2.6.32.43/arch/x86/kernel/pci-dma.c linux-2.6.32.43/arch/x86/kernel/pci-dma.c
15943 --- linux-2.6.32.43/arch/x86/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
15944 +++ linux-2.6.32.43/arch/x86/kernel/pci-dma.c 2011-04-17 15:56:46.000000000 -0400
15945 @@ -14,7 +14,7 @@
15946
15947 static int forbid_dac __read_mostly;
15948
15949 -struct dma_map_ops *dma_ops;
15950 +const struct dma_map_ops *dma_ops;
15951 EXPORT_SYMBOL(dma_ops);
15952
15953 static int iommu_sac_force __read_mostly;
15954 @@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
15955
15956 int dma_supported(struct device *dev, u64 mask)
15957 {
15958 - struct dma_map_ops *ops = get_dma_ops(dev);
15959 + const struct dma_map_ops *ops = get_dma_ops(dev);
15960
15961 #ifdef CONFIG_PCI
15962 if (mask > 0xffffffff && forbid_dac > 0) {
15963 diff -urNp linux-2.6.32.43/arch/x86/kernel/pci-gart_64.c linux-2.6.32.43/arch/x86/kernel/pci-gart_64.c
15964 --- linux-2.6.32.43/arch/x86/kernel/pci-gart_64.c 2011-03-27 14:31:47.000000000 -0400
15965 +++ linux-2.6.32.43/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:56:46.000000000 -0400
15966 @@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
15967 return -1;
15968 }
15969
15970 -static struct dma_map_ops gart_dma_ops = {
15971 +static const struct dma_map_ops gart_dma_ops = {
15972 .map_sg = gart_map_sg,
15973 .unmap_sg = gart_unmap_sg,
15974 .map_page = gart_map_page,
15975 diff -urNp linux-2.6.32.43/arch/x86/kernel/pci-nommu.c linux-2.6.32.43/arch/x86/kernel/pci-nommu.c
15976 --- linux-2.6.32.43/arch/x86/kernel/pci-nommu.c 2011-03-27 14:31:47.000000000 -0400
15977 +++ linux-2.6.32.43/arch/x86/kernel/pci-nommu.c 2011-04-17 15:56:46.000000000 -0400
15978 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
15979 flush_write_buffers();
15980 }
15981
15982 -struct dma_map_ops nommu_dma_ops = {
15983 +const struct dma_map_ops nommu_dma_ops = {
15984 .alloc_coherent = dma_generic_alloc_coherent,
15985 .free_coherent = nommu_free_coherent,
15986 .map_sg = nommu_map_sg,
15987 diff -urNp linux-2.6.32.43/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.43/arch/x86/kernel/pci-swiotlb.c
15988 --- linux-2.6.32.43/arch/x86/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
15989 +++ linux-2.6.32.43/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:56:46.000000000 -0400
15990 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
15991 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
15992 }
15993
15994 -static struct dma_map_ops swiotlb_dma_ops = {
15995 +static const struct dma_map_ops swiotlb_dma_ops = {
15996 .mapping_error = swiotlb_dma_mapping_error,
15997 .alloc_coherent = x86_swiotlb_alloc_coherent,
15998 .free_coherent = swiotlb_free_coherent,
15999 diff -urNp linux-2.6.32.43/arch/x86/kernel/process_32.c linux-2.6.32.43/arch/x86/kernel/process_32.c
16000 --- linux-2.6.32.43/arch/x86/kernel/process_32.c 2011-06-25 12:55:34.000000000 -0400
16001 +++ linux-2.6.32.43/arch/x86/kernel/process_32.c 2011-06-25 12:56:37.000000000 -0400
16002 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
16003 unsigned long thread_saved_pc(struct task_struct *tsk)
16004 {
16005 return ((unsigned long *)tsk->thread.sp)[3];
16006 +//XXX return tsk->thread.eip;
16007 }
16008
16009 #ifndef CONFIG_SMP
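Review bot: The added `//XXX return tsk->thread.eip;` in thread_saved_pc is commented-out code placed after the live `return`, with no statement of what is unresolved. The copy_thread hunk in this same file writes `p->thread.ip`, so the field name `eip` probably would not compile if the line were enabled. Either drop the line or replace it with a real comment in the file's `/* ... */` style, e.g. `/* XXX: index 3 depends on the frame layout saved at thread.sp */`.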
16010 @@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
16011 unsigned short ss, gs;
16012 const char *board;
16013
16014 - if (user_mode_vm(regs)) {
16015 + if (user_mode(regs)) {
16016 sp = regs->sp;
16017 ss = regs->ss & 0xffff;
16018 - gs = get_user_gs(regs);
16019 } else {
16020 sp = (unsigned long) (&regs->sp);
16021 savesegment(ss, ss);
16022 - savesegment(gs, gs);
16023 }
16024 + gs = get_user_gs(regs);
16025
16026 printk("\n");
16027
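Review bot: After this change `gs` comes from `get_user_gs(regs)` on both paths, so for a kernel-mode frame the dump no longer shows the live %gs that `savesegment(gs, gs)` used to read. If that is intended, a comment above `gs = get_user_gs(regs);` should say which value the register dump is meant to report. The switch from `user_mode_vm(regs)` to `user_mode(regs)` also relies on `user_mode()` covering vm86 frames in this tree. The hunk does not show that, although the do_signal hunk in signal.c (`user_mode` to `user_mode_novm`) suggests the macros were redefined. __show_regs starts and ends outside the hunk.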
16028 @@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
16029 regs.bx = (unsigned long) fn;
16030 regs.dx = (unsigned long) arg;
16031
16032 - regs.ds = __USER_DS;
16033 - regs.es = __USER_DS;
16034 + regs.ds = __KERNEL_DS;
16035 + regs.es = __KERNEL_DS;
16036 regs.fs = __KERNEL_PERCPU;
16037 - regs.gs = __KERNEL_STACK_CANARY;
16038 + savesegment(gs, regs.gs);
16039 regs.orig_ax = -1;
16040 regs.ip = (unsigned long) kernel_thread_helper;
16041 regs.cs = __KERNEL_CS | get_kernel_rpl();
16042 @@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
16043 struct task_struct *tsk;
16044 int err;
16045
16046 - childregs = task_pt_regs(p);
16047 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16048 *childregs = *regs;
16049 childregs->ax = 0;
16050 childregs->sp = sp;
16051
16052 p->thread.sp = (unsigned long) childregs;
16053 p->thread.sp0 = (unsigned long) (childregs+1);
16054 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16055
16056 p->thread.ip = (unsigned long) ret_from_fork;
16057
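Review bot: `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` replaces `task_pt_regs(p)` with open-coded arithmetic and a bare `8`. The same reserved gap appears as a literal in other hunks of this patch: `- 16` in copy_thread and `THREAD_SIZE-16-sizeof(u64)` in get_wchan in process_64.c, and `- 16 + THREAD_SIZE` in do_boot_cpu in smpboot.c, where it replaces `KERNEL_STACK_OFFSET`. If any one of these drifts, the stack top is computed differently in different places, so a single named per-architecture constant used at every site would make the invariant checkable. The expression also does arithmetic directly on the pointer returned by `task_stack_page()`; an explicit `(unsigned long)` cast, as the added `lowest_stack` line already uses, would make the byte arithmetic unambiguous. copy_thread continues outside the hunk.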
16058 @@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
16059 struct thread_struct *prev = &prev_p->thread,
16060 *next = &next_p->thread;
16061 int cpu = smp_processor_id();
16062 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16063 + struct tss_struct *tss = init_tss + cpu;
16064 bool preload_fpu;
16065
16066 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16067 @@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
16068 */
16069 lazy_save_gs(prev->gs);
16070
16071 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16072 + __set_fs(task_thread_info(next_p)->addr_limit);
16073 +#endif
16074 +
16075 /*
16076 * Load the per-thread Thread-Local Storage descriptor.
16077 */
16078 @@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
16079 */
16080 arch_end_context_switch(next_p);
16081
16082 + percpu_write(current_task, next_p);
16083 + percpu_write(current_tinfo, &next_p->tinfo);
16084 +
16085 if (preload_fpu)
16086 __math_state_restore();
16087
16088 @@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
16089 if (prev->gs | next->gs)
16090 lazy_load_gs(next->gs);
16091
16092 - percpu_write(current_task, next_p);
16093 -
16094 return prev_p;
16095 }
16096
16097 @@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
16098 } while (count++ < 16);
16099 return 0;
16100 }
16101 -
16102 diff -urNp linux-2.6.32.43/arch/x86/kernel/process_64.c linux-2.6.32.43/arch/x86/kernel/process_64.c
16103 --- linux-2.6.32.43/arch/x86/kernel/process_64.c 2011-06-25 12:55:34.000000000 -0400
16104 +++ linux-2.6.32.43/arch/x86/kernel/process_64.c 2011-06-25 12:56:37.000000000 -0400
16105 @@ -91,7 +91,7 @@ static void __exit_idle(void)
16106 void exit_idle(void)
16107 {
16108 /* idle loop has pid 0 */
16109 - if (current->pid)
16110 + if (task_pid_nr(current))
16111 return;
16112 __exit_idle();
16113 }
16114 @@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
16115 if (!board)
16116 board = "";
16117 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
16118 - current->pid, current->comm, print_tainted(),
16119 + task_pid_nr(current), current->comm, print_tainted(),
16120 init_utsname()->release,
16121 (int)strcspn(init_utsname()->version, " "),
16122 init_utsname()->version, board);
16123 @@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
16124 struct pt_regs *childregs;
16125 struct task_struct *me = current;
16126
16127 - childregs = ((struct pt_regs *)
16128 - (THREAD_SIZE + task_stack_page(p))) - 1;
16129 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16130 *childregs = *regs;
16131
16132 childregs->ax = 0;
16133 @@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
16134 p->thread.sp = (unsigned long) childregs;
16135 p->thread.sp0 = (unsigned long) (childregs+1);
16136 p->thread.usersp = me->thread.usersp;
16137 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16138
16139 set_tsk_thread_flag(p, TIF_FORK);
16140
16141 @@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
16142 struct thread_struct *prev = &prev_p->thread;
16143 struct thread_struct *next = &next_p->thread;
16144 int cpu = smp_processor_id();
16145 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16146 + struct tss_struct *tss = init_tss + cpu;
16147 unsigned fsindex, gsindex;
16148 bool preload_fpu;
16149
16150 @@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
16151 prev->usersp = percpu_read(old_rsp);
16152 percpu_write(old_rsp, next->usersp);
16153 percpu_write(current_task, next_p);
16154 + percpu_write(current_tinfo, &next_p->tinfo);
16155
16156 - percpu_write(kernel_stack,
16157 - (unsigned long)task_stack_page(next_p) +
16158 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16159 + percpu_write(kernel_stack, next->sp0);
16160
16161 /*
16162 * Now maybe reload the debug registers and handle I/O bitmaps
16163 @@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
16164 if (!p || p == current || p->state == TASK_RUNNING)
16165 return 0;
16166 stack = (unsigned long)task_stack_page(p);
16167 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16168 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16169 return 0;
16170 fp = *(u64 *)(p->thread.sp);
16171 do {
16172 - if (fp < (unsigned long)stack ||
16173 - fp >= (unsigned long)stack+THREAD_SIZE)
16174 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16175 return 0;
16176 ip = *(u64 *)(fp+8);
16177 if (!in_sched_functions(ip))
16178 diff -urNp linux-2.6.32.43/arch/x86/kernel/process.c linux-2.6.32.43/arch/x86/kernel/process.c
16179 --- linux-2.6.32.43/arch/x86/kernel/process.c 2011-04-22 19:16:29.000000000 -0400
16180 +++ linux-2.6.32.43/arch/x86/kernel/process.c 2011-05-22 23:02:03.000000000 -0400
16181 @@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
16182
16183 void free_thread_info(struct thread_info *ti)
16184 {
16185 - free_thread_xstate(ti->task);
16186 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16187 }
16188
16189 +static struct kmem_cache *task_struct_cachep;
16190 +
16191 void arch_task_cache_init(void)
16192 {
16193 - task_xstate_cachep =
16194 - kmem_cache_create("task_xstate", xstate_size,
16195 + /* create a slab on which task_structs can be allocated */
16196 + task_struct_cachep =
16197 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16198 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16199 +
16200 + task_xstate_cachep =
16201 + kmem_cache_create("task_xstate", xstate_size,
16202 __alignof__(union thread_xstate),
16203 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16204 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16205 +}
16206 +
16207 +struct task_struct *alloc_task_struct(void)
16208 +{
16209 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
16210 +}
16211 +
16212 +void free_task_struct(struct task_struct *task)
16213 +{
16214 + free_thread_xstate(task);
16215 + kmem_cache_free(task_struct_cachep, task);
16216 }
16217
16218 /*
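Review bot: `free_thread_xstate()` moves from `free_thread_info()` to the new `free_task_struct()`, so the extended FPU state is now released with the task_struct rather than with the stack pages, and nothing in the hunk records that ownership change. A one-line comment on `free_task_struct()` would do, e.g. `/* xstate is freed with the task_struct, not with thread_info */`. `arch_task_cache_init()` should also say why the `task_xstate` cache gets `SLAB_USERCOPY` while the new `task_struct` cache does not; presumably only the former is meant to be copied to and from user space, but that is inferred.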
16219 @@ -73,7 +90,7 @@ void exit_thread(void)
16220 unsigned long *bp = t->io_bitmap_ptr;
16221
16222 if (bp) {
16223 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16224 + struct tss_struct *tss = init_tss + get_cpu();
16225
16226 t->io_bitmap_ptr = NULL;
16227 clear_thread_flag(TIF_IO_BITMAP);
16228 @@ -93,6 +110,9 @@ void flush_thread(void)
16229
16230 clear_tsk_thread_flag(tsk, TIF_DEBUG);
16231
16232 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16233 + loadsegment(gs, 0);
16234 +#endif
16235 tsk->thread.debugreg0 = 0;
16236 tsk->thread.debugreg1 = 0;
16237 tsk->thread.debugreg2 = 0;
16238 @@ -307,7 +327,7 @@ void default_idle(void)
16239 EXPORT_SYMBOL(default_idle);
16240 #endif
16241
16242 -void stop_this_cpu(void *dummy)
16243 +__noreturn void stop_this_cpu(void *dummy)
16244 {
16245 local_irq_disable();
16246 /*
16247 @@ -568,16 +588,35 @@ static int __init idle_setup(char *str)
16248 }
16249 early_param("idle", idle_setup);
16250
16251 -unsigned long arch_align_stack(unsigned long sp)
16252 +#ifdef CONFIG_PAX_RANDKSTACK
16253 +asmlinkage void pax_randomize_kstack(void)
16254 {
16255 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
16256 - sp -= get_random_int() % 8192;
16257 - return sp & ~0xf;
16258 -}
16259 + struct thread_struct *thread = &current->thread;
16260 + unsigned long time;
16261
16262 -unsigned long arch_randomize_brk(struct mm_struct *mm)
16263 -{
16264 - unsigned long range_end = mm->brk + 0x02000000;
16265 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
16266 + if (!randomize_va_space)
16267 + return;
16268 +
16269 + rdtscl(time);
16270 +
16271 + /* P4 seems to return a 0 LSB, ignore it */
16272 +#ifdef CONFIG_MPENTIUM4
16273 + time &= 0x3EUL;
16274 + time <<= 2;
16275 +#elif defined(CONFIG_X86_64)
16276 + time &= 0xFUL;
16277 + time <<= 4;
16278 +#else
16279 + time &= 0x1FUL;
16280 + time <<= 3;
16281 +#endif
16282 +
16283 + thread->sp0 ^= time;
16284 + load_sp0(init_tss + smp_processor_id(), thread);
16285 +
16286 +#ifdef CONFIG_X86_64
16287 + percpu_write(kernel_stack, thread->sp0);
16288 +#endif
16289 }
16290 +#endif
16291
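Review bot: The value XORed into `thread->sp0` in pax_randomize_kstack comes only from the low bits of `rdtscl(time)`: five bits in the default and `CONFIG_MPENTIUM4` branches (`0x1FUL`, `0x3EUL`) and four on x86-64 (`0xFUL`). The time-stamp counter is not a secret, so the function should carry a comment stating the number of bits per configuration and their source, so the variation is not overestimated by readers. The comment `/* P4 seems to return a 0 LSB, ignore it */` sits above the whole `#ifdef` chain but describes only the `CONFIG_MPENTIUM4` branch and should move inside it. The hunk also deletes `arch_align_stack()` and `arch_randomize_brk()`; their replacements are not visible here.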
16292 diff -urNp linux-2.6.32.43/arch/x86/kernel/ptrace.c linux-2.6.32.43/arch/x86/kernel/ptrace.c
16293 --- linux-2.6.32.43/arch/x86/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
16294 +++ linux-2.6.32.43/arch/x86/kernel/ptrace.c 2011-04-17 15:56:46.000000000 -0400
16295 @@ -925,7 +925,7 @@ static const struct user_regset_view use
16296 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
16297 {
16298 int ret;
16299 - unsigned long __user *datap = (unsigned long __user *)data;
16300 + unsigned long __user *datap = (__force unsigned long __user *)data;
16301
16302 switch (request) {
16303 /* read the word at location addr in the USER area. */
16304 @@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
16305 if (addr < 0)
16306 return -EIO;
16307 ret = do_get_thread_area(child, addr,
16308 - (struct user_desc __user *) data);
16309 + (__force struct user_desc __user *) data);
16310 break;
16311
16312 case PTRACE_SET_THREAD_AREA:
16313 if (addr < 0)
16314 return -EIO;
16315 ret = do_set_thread_area(child, addr,
16316 - (struct user_desc __user *) data, 0);
16317 + (__force struct user_desc __user *) data, 0);
16318 break;
16319 #endif
16320
16321 @@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
16322 #ifdef CONFIG_X86_PTRACE_BTS
16323 case PTRACE_BTS_CONFIG:
16324 ret = ptrace_bts_config
16325 - (child, data, (struct ptrace_bts_config __user *)addr);
16326 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16327 break;
16328
16329 case PTRACE_BTS_STATUS:
16330 ret = ptrace_bts_status
16331 - (child, data, (struct ptrace_bts_config __user *)addr);
16332 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16333 break;
16334
16335 case PTRACE_BTS_SIZE:
16336 @@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
16337
16338 case PTRACE_BTS_GET:
16339 ret = ptrace_bts_read_record
16340 - (child, data, (struct bts_struct __user *) addr);
16341 + (child, data, (__force struct bts_struct __user *) addr);
16342 break;
16343
16344 case PTRACE_BTS_CLEAR:
16345 @@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
16346
16347 case PTRACE_BTS_DRAIN:
16348 ret = ptrace_bts_drain
16349 - (child, data, (struct bts_struct __user *) addr);
16350 + (child, data, (__force struct bts_struct __user *) addr);
16351 break;
16352 #endif /* CONFIG_X86_PTRACE_BTS */
16353
16354 @@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
16355 info.si_code = si_code;
16356
16357 /* User-mode ip? */
16358 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
16359 + info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
16360
16361 /* Send us the fake SIGTRAP */
16362 force_sig_info(SIGTRAP, &info, tsk);
16363 @@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
16364 * We must return the syscall number to actually look up in the table.
16365 * This can be -1L to skip running any syscall at all.
16366 */
16367 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
16368 +long syscall_trace_enter(struct pt_regs *regs)
16369 {
16370 long ret = 0;
16371
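Review bot: Dropping `asmregparm` from `syscall_trace_enter()` (and from `syscall_trace_leave()` in the next hunk) changes how `regs` is passed on configurations where that macro selects a register calling convention. Both functions are reached from assembly entry code, so the callers must be changed in the same patch; those call sites are not visible in this part of it. A comment above each function stating the expected calling convention, e.g. `/* called from entry code with regs passed per the default C ABI */`, would keep the C and assembly sides from drifting apart.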
16372 @@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
16373 return ret ?: regs->orig_ax;
16374 }
16375
16376 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
16377 +void syscall_trace_leave(struct pt_regs *regs)
16378 {
16379 if (unlikely(current->audit_context))
16380 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
16381 diff -urNp linux-2.6.32.43/arch/x86/kernel/reboot.c linux-2.6.32.43/arch/x86/kernel/reboot.c
16382 --- linux-2.6.32.43/arch/x86/kernel/reboot.c 2011-03-27 14:31:47.000000000 -0400
16383 +++ linux-2.6.32.43/arch/x86/kernel/reboot.c 2011-05-22 23:02:03.000000000 -0400
16384 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
16385 EXPORT_SYMBOL(pm_power_off);
16386
16387 static const struct desc_ptr no_idt = {};
16388 -static int reboot_mode;
16389 +static unsigned short reboot_mode;
16390 enum reboot_type reboot_type = BOOT_KBD;
16391 int reboot_force;
16392
16393 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
16394 controller to pulse the CPU reset line, which is more thorough, but
16395 doesn't work with at least one type of 486 motherboard. It is easy
16396 to stop this code working; hence the copious comments. */
16397 -static const unsigned long long
16398 -real_mode_gdt_entries [3] =
16399 +static struct desc_struct
16400 +real_mode_gdt_entries [3] __read_only =
16401 {
16402 - 0x0000000000000000ULL, /* Null descriptor */
16403 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
16404 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
16405 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
16406 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
16407 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
16408 };
16409
16410 static const struct desc_ptr
16411 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
16412 * specified by the code and length parameters.
16413 * We assume that length will aways be less that 100!
16414 */
16415 -void machine_real_restart(const unsigned char *code, int length)
16416 +__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
16417 {
16418 local_irq_disable();
16419
16420 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
16421 /* Remap the kernel at virtual address zero, as well as offset zero
16422 from the kernel segment. This assumes the kernel segment starts at
16423 virtual address PAGE_OFFSET. */
16424 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16425 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
16426 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16427 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
16428
16429 /*
16430 * Use `swapper_pg_dir' as our page directory.
16431 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
16432 boot)". This seems like a fairly standard thing that gets set by
16433 REBOOT.COM programs, and the previous reset routine did this
16434 too. */
16435 - *((unsigned short *)0x472) = reboot_mode;
16436 + *(unsigned short *)(__va(0x472)) = reboot_mode;
16437
16438 /* For the switch to real mode, copy some code to low memory. It has
16439 to be in the first 64k because it is running in 16-bit mode, and it
16440 has to have the same physical and virtual address, because it turns
16441 off paging. Copy it near the end of the first page, out of the way
16442 of BIOS variables. */
16443 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
16444 - real_mode_switch, sizeof (real_mode_switch));
16445 - memcpy((void *)(0x1000 - 100), code, length);
16446 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
16447 + memcpy(__va(0x1000 - 100), code, length);
16448
16449 /* Set up the IDT for real mode. */
16450 load_idt(&real_mode_idt);
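Review bot: `memcpy(__va(0x1000 - 100), code, length);` still copies `length` bytes into the 100-byte slot below 0x1000 without checking it. The function's header comment only says "We assume that length will aways be less that 100". The signature hunk in this patch already touches `length` (making it `unsigned int`), so this is the natural place to enforce the assumption, e.g. `BUG_ON(length > 100);` before the copy, or at minimum a comment at the memcpy naming the limit. The callers are not visible here, so it is unknown whether any of them can pass a larger value. machine_real_restart starts and ends outside this hunk.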
16451 @@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
16452 __asm__ __volatile__ ("ljmp $0x0008,%0"
16453 :
16454 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
16455 + do { } while (1);
16456 }
16457 #ifdef CONFIG_APM_MODULE
16458 EXPORT_SYMBOL(machine_real_restart);
16459 @@ -536,7 +536,7 @@ void __attribute__((weak)) mach_reboot_f
16460 {
16461 }
16462
16463 -static void native_machine_emergency_restart(void)
16464 +__noreturn static void native_machine_emergency_restart(void)
16465 {
16466 int i;
16467
16468 @@ -651,13 +651,13 @@ void native_machine_shutdown(void)
16469 #endif
16470 }
16471
16472 -static void __machine_emergency_restart(int emergency)
16473 +static __noreturn void __machine_emergency_restart(int emergency)
16474 {
16475 reboot_emergency = emergency;
16476 machine_ops.emergency_restart();
16477 }
16478
16479 -static void native_machine_restart(char *__unused)
16480 +static __noreturn void native_machine_restart(char *__unused)
16481 {
16482 printk("machine restart\n");
16483
16484 @@ -666,7 +666,7 @@ static void native_machine_restart(char
16485 __machine_emergency_restart(0);
16486 }
16487
16488 -static void native_machine_halt(void)
16489 +static __noreturn void native_machine_halt(void)
16490 {
16491 /* stop other cpus and apics */
16492 machine_shutdown();
16493 @@ -677,7 +677,7 @@ static void native_machine_halt(void)
16494 stop_this_cpu(NULL);
16495 }
16496
16497 -static void native_machine_power_off(void)
16498 +__noreturn static void native_machine_power_off(void)
16499 {
16500 if (pm_power_off) {
16501 if (!reboot_force)
16502 @@ -686,6 +686,7 @@ static void native_machine_power_off(voi
16503 }
16504 /* a fallback in case there is no PM info available */
16505 tboot_shutdown(TB_SHUTDOWN_HALT);
16506 + do { } while (1);
16507 }
16508
16509 struct machine_ops machine_ops = {
16510 diff -urNp linux-2.6.32.43/arch/x86/kernel/setup.c linux-2.6.32.43/arch/x86/kernel/setup.c
16511 --- linux-2.6.32.43/arch/x86/kernel/setup.c 2011-04-17 17:00:52.000000000 -0400
16512 +++ linux-2.6.32.43/arch/x86/kernel/setup.c 2011-04-17 17:03:05.000000000 -0400
16513 @@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
16514
16515 if (!boot_params.hdr.root_flags)
16516 root_mountflags &= ~MS_RDONLY;
16517 - init_mm.start_code = (unsigned long) _text;
16518 - init_mm.end_code = (unsigned long) _etext;
16519 + init_mm.start_code = ktla_ktva((unsigned long) _text);
16520 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
16521 init_mm.end_data = (unsigned long) _edata;
16522 init_mm.brk = _brk_end;
16523
16524 - code_resource.start = virt_to_phys(_text);
16525 - code_resource.end = virt_to_phys(_etext)-1;
16526 - data_resource.start = virt_to_phys(_etext);
16527 + code_resource.start = virt_to_phys(ktla_ktva(_text));
16528 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
16529 + data_resource.start = virt_to_phys(_sdata);
16530 data_resource.end = virt_to_phys(_edata)-1;
16531 bss_resource.start = virt_to_phys(&__bss_start);
16532 bss_resource.end = virt_to_phys(&__bss_stop)-1;
16533 diff -urNp linux-2.6.32.43/arch/x86/kernel/setup_percpu.c linux-2.6.32.43/arch/x86/kernel/setup_percpu.c
16534 --- linux-2.6.32.43/arch/x86/kernel/setup_percpu.c 2011-03-27 14:31:47.000000000 -0400
16535 +++ linux-2.6.32.43/arch/x86/kernel/setup_percpu.c 2011-06-04 20:36:29.000000000 -0400
16536 @@ -25,19 +25,17 @@
16537 # define DBG(x...)
16538 #endif
16539
16540 -DEFINE_PER_CPU(int, cpu_number);
16541 +#ifdef CONFIG_SMP
16542 +DEFINE_PER_CPU(unsigned int, cpu_number);
16543 EXPORT_PER_CPU_SYMBOL(cpu_number);
16544 +#endif
16545
16546 -#ifdef CONFIG_X86_64
16547 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
16548 -#else
16549 -#define BOOT_PERCPU_OFFSET 0
16550 -#endif
16551
16552 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
16553 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
16554
16555 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
16556 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
16557 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
16558 };
16559 EXPORT_SYMBOL(__per_cpu_offset);
16560 @@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
16561 {
16562 #ifdef CONFIG_X86_32
16563 struct desc_struct gdt;
16564 + unsigned long base = per_cpu_offset(cpu);
16565
16566 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
16567 - 0x2 | DESCTYPE_S, 0x8);
16568 - gdt.s = 1;
16569 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
16570 + 0x83 | DESCTYPE_S, 0xC);
16571 write_gdt_entry(get_cpu_gdt_table(cpu),
16572 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
16573 #endif
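Review bot: The new `pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT, 0x83 | DESCTYPE_S, 0xC);` replaces a flat `0xFFFFF` limit with a computed one and changes the type and flags arguments from `0x2`/`0x8` to `0x83`/`0xC`, all as bare literals. A comment should spell out what the literals encode and why the limit ends at `VMALLOC_END`, e.g. `/* per-cpu segment: page-granular limit ending at VMALLOC_END */`; that reading is inferred from the expression, not stated in the patch. The removal of `gdt.s = 1` is not explained either. The old call also passed `DESCTYPE_S` and still set the bit afterwards, so it is worth confirming that `pack_descriptor()` now sets it.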
16574 @@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
16575 /* alrighty, percpu areas up and running */
16576 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
16577 for_each_possible_cpu(cpu) {
16578 +#ifdef CONFIG_CC_STACKPROTECTOR
16579 +#ifdef CONFIG_X86_32
16580 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
16581 +#endif
16582 +#endif
16583 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
16584 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
16585 per_cpu(cpu_number, cpu) = cpu;
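Review bot: `canary` is read from `per_cpu(stack_canary.canary, cpu)` on every loop iteration, but the later hunk in this function writes it back only when `!cpu`, and the code gives no reason for the save and restore. Add a comment explaining why the boot CPU's canary must be captured before `per_cpu_offset(cpu)` is reassigned; presumably the per-cpu base for CPU 0 moves and the value would otherwise be lost. The two nested `#ifdef` pairs in both hunks would also read better as one `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`. The loop body starts and ends outside the hunk.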
16586 @@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
16587 early_per_cpu_map(x86_cpu_to_node_map, cpu);
16588 #endif
16589 #endif
16590 +#ifdef CONFIG_CC_STACKPROTECTOR
16591 +#ifdef CONFIG_X86_32
16592 + if (!cpu)
16593 + per_cpu(stack_canary.canary, cpu) = canary;
16594 +#endif
16595 +#endif
16596 /*
16597 * Up to this point, the boot CPU has been using .data.init
16598 * area. Reload any changed state for the boot CPU.
16599 diff -urNp linux-2.6.32.43/arch/x86/kernel/signal.c linux-2.6.32.43/arch/x86/kernel/signal.c
16600 --- linux-2.6.32.43/arch/x86/kernel/signal.c 2011-03-27 14:31:47.000000000 -0400
16601 +++ linux-2.6.32.43/arch/x86/kernel/signal.c 2011-05-22 23:02:03.000000000 -0400
16602 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
16603 * Align the stack pointer according to the i386 ABI,
16604 * i.e. so that on function entry ((sp + 4) & 15) == 0.
16605 */
16606 - sp = ((sp + 4) & -16ul) - 4;
16607 + sp = ((sp - 12) & -16ul) - 4;
16608 #else /* !CONFIG_X86_32 */
16609 sp = round_down(sp, 16) - 8;
16610 #endif
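Review bot: `sp = ((sp - 12) & -16ul) - 4;` keeps the alignment stated in the comment above it, but always yields a value 16 bytes lower than the old `((sp + 4) & -16ul) - 4`, and the comment is unchanged. Add a sentence to that comment saying what the extra 16 bytes are for; otherwise the expression looks like an arithmetic slip and invites being "simplified" back. align_sigframe starts outside the hunk.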
16611 @@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
16612 * Return an always-bogus address instead so we will die with SIGSEGV.
16613 */
16614 if (onsigstack && !likely(on_sig_stack(sp)))
16615 - return (void __user *)-1L;
16616 + return (__force void __user *)-1L;
16617
16618 /* save i387 state */
16619 if (used_math() && save_i387_xstate(*fpstate) < 0)
16620 - return (void __user *)-1L;
16621 + return (__force void __user *)-1L;
16622
16623 return (void __user *)sp;
16624 }
16625 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
16626 }
16627
16628 if (current->mm->context.vdso)
16629 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16630 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16631 else
16632 - restorer = &frame->retcode;
16633 + restorer = (void __user *)&frame->retcode;
16634 if (ka->sa.sa_flags & SA_RESTORER)
16635 restorer = ka->sa.sa_restorer;
16636
16637 @@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
16638 * reasons and because gdb uses it as a signature to notice
16639 * signal handler stack frames.
16640 */
16641 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
16642 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
16643
16644 if (err)
16645 return -EFAULT;
16646 @@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
16647 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
16648
16649 /* Set up to return from userspace. */
16650 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16651 + if (current->mm->context.vdso)
16652 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16653 + else
16654 + restorer = (void __user *)&frame->retcode;
16655 if (ka->sa.sa_flags & SA_RESTORER)
16656 restorer = ka->sa.sa_restorer;
16657 put_user_ex(restorer, &frame->pretcode);
16658 @@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
16659 * reasons and because gdb uses it as a signature to notice
16660 * signal handler stack frames.
16661 */
16662 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
16663 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
16664 } put_user_catch(err);
16665
16666 if (err)
16667 @@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
16668 int signr;
16669 sigset_t *oldset;
16670
16671 + pax_track_stack();
16672 +
16673 /*
16674 * We want the common case to go fast, which is why we may in certain
16675 * cases get here from kernel mode. Just return without doing anything
16676 @@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
16677 * X86_32: vm86 regs switched out by assembly code before reaching
16678 * here, so testing against kernel CS suffices.
16679 */
16680 - if (!user_mode(regs))
16681 + if (!user_mode_novm(regs))
16682 return;
16683
16684 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
16685 diff -urNp linux-2.6.32.43/arch/x86/kernel/smpboot.c linux-2.6.32.43/arch/x86/kernel/smpboot.c
16686 --- linux-2.6.32.43/arch/x86/kernel/smpboot.c 2011-03-27 14:31:47.000000000 -0400
16687 +++ linux-2.6.32.43/arch/x86/kernel/smpboot.c 2011-07-01 19:10:03.000000000 -0400
16688 @@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
16689 */
16690 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
16691
16692 -void cpu_hotplug_driver_lock()
16693 +void cpu_hotplug_driver_lock(void)
16694 {
16695 - mutex_lock(&x86_cpu_hotplug_driver_mutex);
16696 + mutex_lock(&x86_cpu_hotplug_driver_mutex);
16697 }
16698
16699 -void cpu_hotplug_driver_unlock()
16700 +void cpu_hotplug_driver_unlock(void)
16701 {
16702 - mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16703 + mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16704 }
16705
16706 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
16707 @@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
16708 * target processor state.
16709 */
16710 startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
16711 - (unsigned long)stack_start.sp);
16712 + stack_start);
16713
16714 /*
16715 * Run STARTUP IPI loop.
16716 @@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
16717 set_idle_for_cpu(cpu, c_idle.idle);
16718 do_rest:
16719 per_cpu(current_task, cpu) = c_idle.idle;
16720 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
16721 #ifdef CONFIG_X86_32
16722 /* Stack for startup_32 can be just as for start_secondary onwards */
16723 irq_ctx_init(cpu);
16724 @@ -750,13 +751,15 @@ do_rest:
16725 #else
16726 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
16727 initial_gs = per_cpu_offset(cpu);
16728 - per_cpu(kernel_stack, cpu) =
16729 - (unsigned long)task_stack_page(c_idle.idle) -
16730 - KERNEL_STACK_OFFSET + THREAD_SIZE;
16731 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
16732 #endif
16733 +
16734 + pax_open_kernel();
16735 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
16736 + pax_close_kernel();
16737 +
16738 initial_code = (unsigned long)start_secondary;
16739 - stack_start.sp = (void *) c_idle.idle->thread.sp;
16740 + stack_start = c_idle.idle->thread.sp;
16741
16742 /* start_ip had better be page-aligned! */
16743 start_ip = setup_trampoline();
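Review bot: The new `per_cpu(kernel_stack, cpu)` assignment replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, so the stack-top offset set here no longer follows the constant that other users of `kernel_stack` presumably still rely on. If the value is meant to differ under this patch, change the macro's definition rather than open-coding the number. Failing that, add a comment such as `/* 16 bytes reserved at the top of the stack; must match the offset assumed by the code that reads kernel_stack */`. do_boot_cpu() starts and ends outside this hunk.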
16744 @@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
16745
16746 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
16747
16748 +#ifdef CONFIG_PAX_PER_CPU_PGD
16749 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
16750 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16751 + KERNEL_PGD_PTRS);
16752 +#endif
16753 +
16754 err = do_boot_cpu(apicid, cpu);
16755
16756 if (err) {
16757 diff -urNp linux-2.6.32.43/arch/x86/kernel/step.c linux-2.6.32.43/arch/x86/kernel/step.c
16758 --- linux-2.6.32.43/arch/x86/kernel/step.c 2011-03-27 14:31:47.000000000 -0400
16759 +++ linux-2.6.32.43/arch/x86/kernel/step.c 2011-04-17 15:56:46.000000000 -0400
16760 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
16761 struct desc_struct *desc;
16762 unsigned long base;
16763
16764 - seg &= ~7UL;
16765 + seg >>= 3;
16766
16767 mutex_lock(&child->mm->context.lock);
16768 - if (unlikely((seg >> 3) >= child->mm->context.size))
16769 + if (unlikely(seg >= child->mm->context.size))
16770 addr = -1L; /* bogus selector, access would fault */
16771 else {
16772 desc = child->mm->context.ldt + seg;
16773 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
16774 addr += base;
16775 }
16776 mutex_unlock(&child->mm->context.lock);
16777 - }
16778 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
16779 + addr = ktla_ktva(addr);
16780
16781 return addr;
16782 }
16783 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
16784 unsigned char opcode[15];
16785 unsigned long addr = convert_ip_to_linear(child, regs);
16786
16787 + if (addr == -EINVAL)
16788 + return 0;
16789 +
16790 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
16791 for (i = 0; i < copied; i++) {
16792 switch (opcode[i]) {
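Review bot: The added `if (addr == -EINVAL)` guard in is_setting_trap_flag() does not match the failure value convert_ip_to_linear() produces. The context line in the preceding hunk still sets `addr = -1L` for a bogus LDT selector, and -1 is not -EINVAL, so the early return is never taken for that case and access_process_vm() is still called with the all-ones address. Either test the existing sentinel, `if (addr == -1L) return 0;`, or change the producer to `addr = -EINVAL;` so both sides agree. Both functions begin outside the visible hunks, so a different path returning -EINVAL cannot be ruled out from here.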
16793 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
16794
16795 #ifdef CONFIG_X86_64
16796 case 0x40 ... 0x4f:
16797 - if (regs->cs != __USER_CS)
16798 + if ((regs->cs & 0xffff) != __USER_CS)
16799 /* 32-bit mode: register increment */
16800 return 0;
16801 /* 64-bit mode: REX prefix */
16802 diff -urNp linux-2.6.32.43/arch/x86/kernel/syscall_table_32.S linux-2.6.32.43/arch/x86/kernel/syscall_table_32.S
16803 --- linux-2.6.32.43/arch/x86/kernel/syscall_table_32.S 2011-03-27 14:31:47.000000000 -0400
16804 +++ linux-2.6.32.43/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:56:46.000000000 -0400
16805 @@ -1,3 +1,4 @@
16806 +.section .rodata,"a",@progbits
16807 ENTRY(sys_call_table)
16808 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
16809 .long sys_exit
16810 diff -urNp linux-2.6.32.43/arch/x86/kernel/sys_i386_32.c linux-2.6.32.43/arch/x86/kernel/sys_i386_32.c
16811 --- linux-2.6.32.43/arch/x86/kernel/sys_i386_32.c 2011-03-27 14:31:47.000000000 -0400
16812 +++ linux-2.6.32.43/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:56:46.000000000 -0400
16813 @@ -24,6 +24,21 @@
16814
16815 #include <asm/syscalls.h>
16816
16817 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
16818 +{
16819 + unsigned long pax_task_size = TASK_SIZE;
16820 +
16821 +#ifdef CONFIG_PAX_SEGMEXEC
16822 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
16823 + pax_task_size = SEGMEXEC_TASK_SIZE;
16824 +#endif
16825 +
16826 + if (len > pax_task_size || addr > pax_task_size - len)
16827 + return -EINVAL;
16828 +
16829 + return 0;
16830 +}
16831 +
16832 /*
16833 * Perform the select(nd, in, out, ex, tv) and mmap() system
16834 * calls. Linux/i386 didn't use to be able to handle more than
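Review bot: i386_mmap_check() is added without any comment, and its range test is only overflow-safe because of the order of the two comparisons. `pax_task_size - len` cannot wrap because `len > pax_task_size` is rejected first. Say so above the `if`, e.g. `/* len is tested first so that pax_task_size - len cannot underflow */`, and add a one-line header stating that the limit drops to SEGMEXEC_TASK_SIZE for tasks with MF_PAX_SEGMEXEC set. The `flags` parameter is never read; if the signature is dictated by the caller, note that too.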
16835 @@ -58,6 +73,212 @@ out:
16836 return err;
16837 }
16838
16839 +unsigned long
16840 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
16841 + unsigned long len, unsigned long pgoff, unsigned long flags)
16842 +{
16843 + struct mm_struct *mm = current->mm;
16844 + struct vm_area_struct *vma;
16845 + unsigned long start_addr, pax_task_size = TASK_SIZE;
16846 +
16847 +#ifdef CONFIG_PAX_SEGMEXEC
16848 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16849 + pax_task_size = SEGMEXEC_TASK_SIZE;
16850 +#endif
16851 +
16852 + pax_task_size -= PAGE_SIZE;
16853 +
16854 + if (len > pax_task_size)
16855 + return -ENOMEM;
16856 +
16857 + if (flags & MAP_FIXED)
16858 + return addr;
16859 +
16860 +#ifdef CONFIG_PAX_RANDMMAP
16861 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16862 +#endif
16863 +
16864 + if (addr) {
16865 + addr = PAGE_ALIGN(addr);
16866 + if (pax_task_size - len >= addr) {
16867 + vma = find_vma(mm, addr);
16868 + if (check_heap_stack_gap(vma, addr, len))
16869 + return addr;
16870 + }
16871 + }
16872 + if (len > mm->cached_hole_size) {
16873 + start_addr = addr = mm->free_area_cache;
16874 + } else {
16875 + start_addr = addr = mm->mmap_base;
16876 + mm->cached_hole_size = 0;
16877 + }
16878 +
16879 +#ifdef CONFIG_PAX_PAGEEXEC
16880 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
16881 + start_addr = 0x00110000UL;
16882 +
16883 +#ifdef CONFIG_PAX_RANDMMAP
16884 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16885 + start_addr += mm->delta_mmap & 0x03FFF000UL;
16886 +#endif
16887 +
16888 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
16889 + start_addr = addr = mm->mmap_base;
16890 + else
16891 + addr = start_addr;
16892 + }
16893 +#endif
16894 +
16895 +full_search:
16896 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16897 + /* At this point: (!vma || addr < vma->vm_end). */
16898 + if (pax_task_size - len < addr) {
16899 + /*
16900 + * Start a new search - just in case we missed
16901 + * some holes.
16902 + */
16903 + if (start_addr != mm->mmap_base) {
16904 + start_addr = addr = mm->mmap_base;
16905 + mm->cached_hole_size = 0;
16906 + goto full_search;
16907 + }
16908 + return -ENOMEM;
16909 + }
16910 + if (check_heap_stack_gap(vma, addr, len))
16911 + break;
16912 + if (addr + mm->cached_hole_size < vma->vm_start)
16913 + mm->cached_hole_size = vma->vm_start - addr;
16914 + addr = vma->vm_end;
16915 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
16916 + start_addr = addr = mm->mmap_base;
16917 + mm->cached_hole_size = 0;
16918 + goto full_search;
16919 + }
16920 + }
16921 +
16922 + /*
16923 + * Remember the place where we stopped the search:
16924 + */
16925 + mm->free_area_cache = addr + len;
16926 + return addr;
16927 +}
16928 +
16929 +unsigned long
16930 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
16931 + const unsigned long len, const unsigned long pgoff,
16932 + const unsigned long flags)
16933 +{
16934 + struct vm_area_struct *vma;
16935 + struct mm_struct *mm = current->mm;
16936 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
16937 +
16938 +#ifdef CONFIG_PAX_SEGMEXEC
16939 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16940 + pax_task_size = SEGMEXEC_TASK_SIZE;
16941 +#endif
16942 +
16943 + pax_task_size -= PAGE_SIZE;
16944 +
16945 + /* requested length too big for entire address space */
16946 + if (len > pax_task_size)
16947 + return -ENOMEM;
16948 +
16949 + if (flags & MAP_FIXED)
16950 + return addr;
16951 +
16952 +#ifdef CONFIG_PAX_PAGEEXEC
16953 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
16954 + goto bottomup;
16955 +#endif
16956 +
16957 +#ifdef CONFIG_PAX_RANDMMAP
16958 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16959 +#endif
16960 +
16961 + /* requesting a specific address */
16962 + if (addr) {
16963 + addr = PAGE_ALIGN(addr);
16964 + if (pax_task_size - len >= addr) {
16965 + vma = find_vma(mm, addr);
16966 + if (check_heap_stack_gap(vma, addr, len))
16967 + return addr;
16968 + }
16969 + }
16970 +
16971 + /* check if free_area_cache is useful for us */
16972 + if (len <= mm->cached_hole_size) {
16973 + mm->cached_hole_size = 0;
16974 + mm->free_area_cache = mm->mmap_base;
16975 + }
16976 +
16977 + /* either no address requested or can't fit in requested address hole */
16978 + addr = mm->free_area_cache;
16979 +
16980 + /* make sure it can fit in the remaining address space */
16981 + if (addr > len) {
16982 + vma = find_vma(mm, addr-len);
16983 + if (check_heap_stack_gap(vma, addr - len, len))
16984 + /* remember the address as a hint for next time */
16985 + return (mm->free_area_cache = addr-len);
16986 + }
16987 +
16988 + if (mm->mmap_base < len)
16989 + goto bottomup;
16990 +
16991 + addr = mm->mmap_base-len;
16992 +
16993 + do {
16994 + /*
16995 + * Lookup failure means no vma is above this address,
16996 + * else if new region fits below vma->vm_start,
16997 + * return with success:
16998 + */
16999 + vma = find_vma(mm, addr);
17000 + if (check_heap_stack_gap(vma, addr, len))
17001 + /* remember the address as a hint for next time */
17002 + return (mm->free_area_cache = addr);
17003 +
17004 + /* remember the largest hole we saw so far */
17005 + if (addr + mm->cached_hole_size < vma->vm_start)
17006 + mm->cached_hole_size = vma->vm_start - addr;
17007 +
17008 + /* try just below the current vma->vm_start */
17009 + addr = skip_heap_stack_gap(vma, len);
17010 + } while (!IS_ERR_VALUE(addr));
17011 +
17012 +bottomup:
17013 + /*
17014 + * A failed mmap() very likely causes application failure,
17015 + * so fall back to the bottom-up function here. This scenario
17016 + * can happen with large stack limits and large mmap()
17017 + * allocations.
17018 + */
17019 +
17020 +#ifdef CONFIG_PAX_SEGMEXEC
17021 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17022 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17023 + else
17024 +#endif
17025 +
17026 + mm->mmap_base = TASK_UNMAPPED_BASE;
17027 +
17028 +#ifdef CONFIG_PAX_RANDMMAP
17029 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17030 + mm->mmap_base += mm->delta_mmap;
17031 +#endif
17032 +
17033 + mm->free_area_cache = mm->mmap_base;
17034 + mm->cached_hole_size = ~0UL;
17035 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17036 + /*
17037 + * Restore the topdown base:
17038 + */
17039 + mm->mmap_base = base;
17040 + mm->free_area_cache = base;
17041 + mm->cached_hole_size = ~0UL;
17042 +
17043 + return addr;
17044 +}
17045
17046 struct sel_arg_struct {
17047 unsigned long n;
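Review bot: Both search loops added here dereference `vma->vm_start` right after `check_heap_stack_gap(vma, addr, len)` returns false, so they are only safe if that helper returns true whenever `vma` is NULL. This applies to the `full_search` loop in arch_get_unmapped_area() and the `do { } while` loop in arch_get_unmapped_area_topdown(). The helper is not defined in this hunk, and the 64-bit code being replaced further down spelled the test out as `!vma || addr + len <= vma->vm_start`. A comment at each call, e.g. `/* check_heap_stack_gap() must return true for vma == NULL (nothing mapped above addr) */`, would record the contract these loops depend on. The same reliance applies to the sys_x86_64.c hunks that drop the explicit `!vma ||` tests.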
17048 @@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
17049 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
17050 case SEMTIMEDOP:
17051 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
17052 - (const struct timespec __user *)fifth);
17053 + (__force const struct timespec __user *)fifth);
17054
17055 case SEMGET:
17056 return sys_semget(first, second, third);
17057 @@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
17058 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
17059 if (ret)
17060 return ret;
17061 - return put_user(raddr, (ulong __user *) third);
17062 + return put_user(raddr, (__force ulong __user *) third);
17063 }
17064 case 1: /* iBCS2 emulator entry point */
17065 if (!segment_eq(get_fs(), get_ds()))
17066 @@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
17067
17068 return error;
17069 }
17070 -
17071 -
17072 -/*
17073 - * Do a system call from kernel instead of calling sys_execve so we
17074 - * end up with proper pt_regs.
17075 - */
17076 -int kernel_execve(const char *filename, char *const argv[], char *const envp[])
17077 -{
17078 - long __res;
17079 - asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
17080 - : "=a" (__res)
17081 - : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
17082 - return __res;
17083 -}
17084 diff -urNp linux-2.6.32.43/arch/x86/kernel/sys_x86_64.c linux-2.6.32.43/arch/x86/kernel/sys_x86_64.c
17085 --- linux-2.6.32.43/arch/x86/kernel/sys_x86_64.c 2011-03-27 14:31:47.000000000 -0400
17086 +++ linux-2.6.32.43/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:56:46.000000000 -0400
17087 @@ -32,8 +32,8 @@ out:
17088 return error;
17089 }
17090
17091 -static void find_start_end(unsigned long flags, unsigned long *begin,
17092 - unsigned long *end)
17093 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17094 + unsigned long *begin, unsigned long *end)
17095 {
17096 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17097 unsigned long new_begin;
17098 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17099 *begin = new_begin;
17100 }
17101 } else {
17102 - *begin = TASK_UNMAPPED_BASE;
17103 + *begin = mm->mmap_base;
17104 *end = TASK_SIZE;
17105 }
17106 }
17107 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17108 if (flags & MAP_FIXED)
17109 return addr;
17110
17111 - find_start_end(flags, &begin, &end);
17112 + find_start_end(mm, flags, &begin, &end);
17113
17114 if (len > end)
17115 return -ENOMEM;
17116
17117 +#ifdef CONFIG_PAX_RANDMMAP
17118 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17119 +#endif
17120 +
17121 if (addr) {
17122 addr = PAGE_ALIGN(addr);
17123 vma = find_vma(mm, addr);
17124 - if (end - len >= addr &&
17125 - (!vma || addr + len <= vma->vm_start))
17126 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17127 return addr;
17128 }
17129 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
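Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines leave an `if` with no body of its own, which governs the following `if (addr) { ... }` across the `#endif` and a blank line. This test is what makes a randomised process ignore the caller's address hint. A statement inserted between the two would change what it guards, and only in builds with the option enabled. Keeping the condition in one expression is less fragile, for example a local `bool use_hint = true;` cleared under the `#ifdef`, followed by `if (use_hint && addr) {`. The same construct appears in the arch_get_unmapped_area_topdown() hunk below and in both functions added to sys_i386_32.c.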
17130 @@ -106,7 +109,7 @@ full_search:
17131 }
17132 return -ENOMEM;
17133 }
17134 - if (!vma || addr + len <= vma->vm_start) {
17135 + if (check_heap_stack_gap(vma, addr, len)) {
17136 /*
17137 * Remember the place where we stopped the search:
17138 */
17139 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17140 {
17141 struct vm_area_struct *vma;
17142 struct mm_struct *mm = current->mm;
17143 - unsigned long addr = addr0;
17144 + unsigned long base = mm->mmap_base, addr = addr0;
17145
17146 /* requested length too big for entire address space */
17147 if (len > TASK_SIZE)
17148 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17149 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17150 goto bottomup;
17151
17152 +#ifdef CONFIG_PAX_RANDMMAP
17153 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17154 +#endif
17155 +
17156 /* requesting a specific address */
17157 if (addr) {
17158 addr = PAGE_ALIGN(addr);
17159 - vma = find_vma(mm, addr);
17160 - if (TASK_SIZE - len >= addr &&
17161 - (!vma || addr + len <= vma->vm_start))
17162 - return addr;
17163 + if (TASK_SIZE - len >= addr) {
17164 + vma = find_vma(mm, addr);
17165 + if (check_heap_stack_gap(vma, addr, len))
17166 + return addr;
17167 + }
17168 }
17169
17170 /* check if free_area_cache is useful for us */
17171 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17172 /* make sure it can fit in the remaining address space */
17173 if (addr > len) {
17174 vma = find_vma(mm, addr-len);
17175 - if (!vma || addr <= vma->vm_start)
17176 + if (check_heap_stack_gap(vma, addr - len, len))
17177 /* remember the address as a hint for next time */
17178 return mm->free_area_cache = addr-len;
17179 }
17180 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17181 * return with success:
17182 */
17183 vma = find_vma(mm, addr);
17184 - if (!vma || addr+len <= vma->vm_start)
17185 + if (check_heap_stack_gap(vma, addr, len))
17186 /* remember the address as a hint for next time */
17187 return mm->free_area_cache = addr;
17188
17189 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17190 mm->cached_hole_size = vma->vm_start - addr;
17191
17192 /* try just below the current vma->vm_start */
17193 - addr = vma->vm_start-len;
17194 - } while (len < vma->vm_start);
17195 + addr = skip_heap_stack_gap(vma, len);
17196 + } while (!IS_ERR_VALUE(addr));
17197
17198 bottomup:
17199 /*
17200 @@ -198,13 +206,21 @@ bottomup:
17201 * can happen with large stack limits and large mmap()
17202 * allocations.
17203 */
17204 + mm->mmap_base = TASK_UNMAPPED_BASE;
17205 +
17206 +#ifdef CONFIG_PAX_RANDMMAP
17207 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17208 + mm->mmap_base += mm->delta_mmap;
17209 +#endif
17210 +
17211 + mm->free_area_cache = mm->mmap_base;
17212 mm->cached_hole_size = ~0UL;
17213 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17214 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17215 /*
17216 * Restore the topdown base:
17217 */
17218 - mm->free_area_cache = mm->mmap_base;
17219 + mm->mmap_base = base;
17220 + mm->free_area_cache = base;
17221 mm->cached_hole_size = ~0UL;
17222
17223 return addr;
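Review bot: The fallback path now overwrites `mm->mmap_base` before calling arch_get_unmapped_area() and restores it from `base` afterwards, so the mm carries the bottom-up base for the duration of that call. This is only safe if nothing else can read `mm->mmap_base` in between. Presumably the caller holds the mmap semaphore for writing, but the hunk does not show it. Once confirmed, record the assumption where the field is modified, e.g. `/* caller holds mmap_sem for write; the temporary base is restored below */`. The sys_i386_32.c version of this function added earlier in the patch does the same and would need the same comment.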
17224 diff -urNp linux-2.6.32.43/arch/x86/kernel/tboot.c linux-2.6.32.43/arch/x86/kernel/tboot.c
17225 --- linux-2.6.32.43/arch/x86/kernel/tboot.c 2011-03-27 14:31:47.000000000 -0400
17226 +++ linux-2.6.32.43/arch/x86/kernel/tboot.c 2011-05-22 23:02:03.000000000 -0400
17227 @@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
17228
17229 void tboot_shutdown(u32 shutdown_type)
17230 {
17231 - void (*shutdown)(void);
17232 + void (* __noreturn shutdown)(void);
17233
17234 if (!tboot_enabled())
17235 return;
17236 @@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
17237
17238 switch_to_tboot_pt();
17239
17240 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17241 + shutdown = (void *)tboot->shutdown_entry;
17242 shutdown();
17243
17244 /* should not reach here */
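Review bot: `shutdown = (void *)tboot->shutdown_entry;` drops the intermediate `(unsigned long)` cast that the removed line had. If `shutdown_entry` is an integer field narrower than a pointer, as that removed cast suggests, converting it straight to `void *` is an integer-to-pointer cast of a different size and draws a compiler warning on 64-bit builds. `shutdown = (void *)(unsigned long)tboot->shutdown_entry;` keeps the widening explicit while still avoiding the old function-pointer cast, which no longer matches the `__noreturn` declaration. tboot_shutdown() starts in the previous hunk and continues past this one.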
17245 @@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17246 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17247 }
17248
17249 -static atomic_t ap_wfs_count;
17250 +static atomic_unchecked_t ap_wfs_count;
17251
17252 static int tboot_wait_for_aps(int num_aps)
17253 {
17254 @@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
17255 {
17256 switch (action) {
17257 case CPU_DYING:
17258 - atomic_inc(&ap_wfs_count);
17259 + atomic_inc_unchecked(&ap_wfs_count);
17260 if (num_online_cpus() == 1)
17261 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17262 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17263 return NOTIFY_BAD;
17264 break;
17265 }
17266 @@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
17267
17268 tboot_create_trampoline();
17269
17270 - atomic_set(&ap_wfs_count, 0);
17271 + atomic_set_unchecked(&ap_wfs_count, 0);
17272 register_hotcpu_notifier(&tboot_cpu_notifier);
17273 return 0;
17274 }
17275 diff -urNp linux-2.6.32.43/arch/x86/kernel/time.c linux-2.6.32.43/arch/x86/kernel/time.c
17276 --- linux-2.6.32.43/arch/x86/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
17277 +++ linux-2.6.32.43/arch/x86/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
17278 @@ -26,17 +26,13 @@
17279 int timer_ack;
17280 #endif
17281
17282 -#ifdef CONFIG_X86_64
17283 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17284 -#endif
17285 -
17286 unsigned long profile_pc(struct pt_regs *regs)
17287 {
17288 unsigned long pc = instruction_pointer(regs);
17289
17290 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
17291 + if (!user_mode(regs) && in_lock_functions(pc)) {
17292 #ifdef CONFIG_FRAME_POINTER
17293 - return *(unsigned long *)(regs->bp + sizeof(long));
17294 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
17295 #else
17296 unsigned long *sp =
17297 (unsigned long *)kernel_stack_pointer(regs);
17298 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
17299 * or above a saved flags. Eflags has bits 22-31 zero,
17300 * kernel addresses don't.
17301 */
17302 +
17303 +#ifdef CONFIG_PAX_KERNEXEC
17304 + return ktla_ktva(sp[0]);
17305 +#else
17306 if (sp[0] >> 22)
17307 return sp[0];
17308 if (sp[1] >> 22)
17309 return sp[1];
17310 #endif
17311 +
17312 +#endif
17313 }
17314 return pc;
17315 }
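Review bot: Under CONFIG_PAX_KERNEXEC the new branch returns `ktla_ktva(sp[0])` unconditionally, so the `>> 22` test that tells a return address from a saved flags word is skipped, along with the `sp[1]` fallback. The comment just above still says the return address is either at `sp[0]` or above saved flags, so in the second case profile_pc() would now report a translated flags value as a program counter. If the heuristic cannot work with the addresses KERNEXEC uses, state that next to the `#ifdef`, e.g. `/* KERNEXEC: the bits 22-31 heuristic is not usable here; sp[0] is assumed to be the return address */`. This affects profiling output only, but the change in behaviour should be documented. The function begins in the previous hunk.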
17316 diff -urNp linux-2.6.32.43/arch/x86/kernel/tls.c linux-2.6.32.43/arch/x86/kernel/tls.c
17317 --- linux-2.6.32.43/arch/x86/kernel/tls.c 2011-03-27 14:31:47.000000000 -0400
17318 +++ linux-2.6.32.43/arch/x86/kernel/tls.c 2011-04-17 15:56:46.000000000 -0400
17319 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
17320 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
17321 return -EINVAL;
17322
17323 +#ifdef CONFIG_PAX_SEGMEXEC
17324 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
17325 + return -EINVAL;
17326 +#endif
17327 +
17328 set_tls_desc(p, idx, &info, 1);
17329
17330 return 0;
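Review bot: The added SEGMEXEC check reads `p->mm->pax_flags` without testing `p->mm`, while the comparable PAGEEXEC block added to do_general_protection() in traps.c tests `tsk->mm` first. If do_set_thread_area() can be reached for a task whose mm is already gone, the new line would dereference NULL. The callers are outside this hunk, so this is unverified. `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))` makes the two checks consistent. A one-line comment saying that code descriptors are refused in TLS slots under SEGMEXEC would also help the next reader.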
17331 diff -urNp linux-2.6.32.43/arch/x86/kernel/trampoline_32.S linux-2.6.32.43/arch/x86/kernel/trampoline_32.S
17332 --- linux-2.6.32.43/arch/x86/kernel/trampoline_32.S 2011-03-27 14:31:47.000000000 -0400
17333 +++ linux-2.6.32.43/arch/x86/kernel/trampoline_32.S 2011-04-17 15:56:46.000000000 -0400
17334 @@ -32,6 +32,12 @@
17335 #include <asm/segment.h>
17336 #include <asm/page_types.h>
17337
17338 +#ifdef CONFIG_PAX_KERNEXEC
17339 +#define ta(X) (X)
17340 +#else
17341 +#define ta(X) ((X) - __PAGE_OFFSET)
17342 +#endif
17343 +
17344 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
17345 __CPUINITRODATA
17346 .code16
17347 @@ -60,7 +66,7 @@ r_base = .
17348 inc %ax # protected mode (PE) bit
17349 lmsw %ax # into protected mode
17350 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
17351 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
17352 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
17353
17354 # These need to be in the same 64K segment as the above;
17355 # hence we don't use the boot_gdt_descr defined in head.S
17356 diff -urNp linux-2.6.32.43/arch/x86/kernel/trampoline_64.S linux-2.6.32.43/arch/x86/kernel/trampoline_64.S
17357 --- linux-2.6.32.43/arch/x86/kernel/trampoline_64.S 2011-03-27 14:31:47.000000000 -0400
17358 +++ linux-2.6.32.43/arch/x86/kernel/trampoline_64.S 2011-07-01 18:53:26.000000000 -0400
17359 @@ -91,7 +91,7 @@ startup_32:
17360 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
17361 movl %eax, %ds
17362
17363 - movl $X86_CR4_PAE, %eax
17364 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
17365 movl %eax, %cr4 # Enable PAE mode
17366
17367 # Setup trampoline 4 level pagetables
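Review bot: The trailing comment on the `movl %eax, %cr4` line, `# Enable PAE mode`, no longer describes what is loaded, because the new value also sets X86_CR4_PSE and X86_CR4_PGE. Update it, e.g. `movl %eax, %cr4 # Enable PSE, PAE and PGE`, and ideally add a line saying why the trampoline needs the two extra bits this early. startup_32 continues outside the hunk.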
17368 @@ -127,7 +127,7 @@ startup_64:
17369 no_longmode:
17370 hlt
17371 jmp no_longmode
17372 -#include "verify_cpu_64.S"
17373 +#include "verify_cpu.S"
17374
17375 # Careful these need to be in the same 64K segment as the above;
17376 tidt:
17377 @@ -138,7 +138,7 @@ tidt:
17378 # so the kernel can live anywhere
17379 .balign 4
17380 tgdt:
17381 - .short tgdt_end - tgdt # gdt limit
17382 + .short tgdt_end - tgdt - 1 # gdt limit
17383 .long tgdt - r_base
17384 .short 0
17385 .quad 0x00cf9b000000ffff # __KERNEL32_CS
17386 diff -urNp linux-2.6.32.43/arch/x86/kernel/traps.c linux-2.6.32.43/arch/x86/kernel/traps.c
17387 --- linux-2.6.32.43/arch/x86/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
17388 +++ linux-2.6.32.43/arch/x86/kernel/traps.c 2011-07-06 19:53:33.000000000 -0400
17389 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
17390
17391 /* Do we ignore FPU interrupts ? */
17392 char ignore_fpu_irq;
17393 -
17394 -/*
17395 - * The IDT has to be page-aligned to simplify the Pentium
17396 - * F0 0F bug workaround.
17397 - */
17398 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
17399 #endif
17400
17401 DECLARE_BITMAP(used_vectors, NR_VECTORS);
17402 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
17403 static inline void
17404 die_if_kernel(const char *str, struct pt_regs *regs, long err)
17405 {
17406 - if (!user_mode_vm(regs))
17407 + if (!user_mode(regs))
17408 die(str, regs, err);
17409 }
17410 #endif
17411
17412 static void __kprobes
17413 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
17414 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
17415 long error_code, siginfo_t *info)
17416 {
17417 struct task_struct *tsk = current;
17418
17419 #ifdef CONFIG_X86_32
17420 - if (regs->flags & X86_VM_MASK) {
17421 + if (v8086_mode(regs)) {
17422 /*
17423 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
17424 * On nmi (interrupt 2), do_trap should not be called.
17425 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
17426 }
17427 #endif
17428
17429 - if (!user_mode(regs))
17430 + if (!user_mode_novm(regs))
17431 goto kernel_trap;
17432
17433 #ifdef CONFIG_X86_32
17434 @@ -158,7 +152,7 @@ trap_signal:
17435 printk_ratelimit()) {
17436 printk(KERN_INFO
17437 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
17438 - tsk->comm, tsk->pid, str,
17439 + tsk->comm, task_pid_nr(tsk), str,
17440 regs->ip, regs->sp, error_code);
17441 print_vma_addr(" in ", regs->ip);
17442 printk("\n");
17443 @@ -175,8 +169,20 @@ kernel_trap:
17444 if (!fixup_exception(regs)) {
17445 tsk->thread.error_code = error_code;
17446 tsk->thread.trap_no = trapnr;
17447 +
17448 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17449 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
17450 + str = "PAX: suspicious stack segment fault";
17451 +#endif
17452 +
17453 die(str, regs, error_code);
17454 }
17455 +
17456 +#ifdef CONFIG_PAX_REFCOUNT
17457 + if (trapnr == 4)
17458 + pax_report_refcount_overflow(regs);
17459 +#endif
17460 +
17461 return;
17462
17463 #ifdef CONFIG_X86_32
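Review bot: The two added checks compare `trapnr` with the bare numbers 12 and 4. The message string shows that 12 is the stack segment fault, and the call to pax_report_refcount_overflow() implies that 4 is the overflow trap used by the REFCOUNT instrumentation, but neither is stated in the code. Add short comments, e.g. `/* 12: stack segment fault */` and `/* 4: overflow trap, used to signal a refcount overflow */`, once the second meaning is confirmed. The refcount report also runs whether or not fixup_exception() handled the trap; if that is intended, a comment should say so. do_trap() starts and ends outside this hunk.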
17464 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
17465 conditional_sti(regs);
17466
17467 #ifdef CONFIG_X86_32
17468 - if (regs->flags & X86_VM_MASK)
17469 + if (v8086_mode(regs))
17470 goto gp_in_vm86;
17471 #endif
17472
17473 tsk = current;
17474 - if (!user_mode(regs))
17475 + if (!user_mode_novm(regs))
17476 goto gp_in_kernel;
17477
17478 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17479 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
17480 + struct mm_struct *mm = tsk->mm;
17481 + unsigned long limit;
17482 +
17483 + down_write(&mm->mmap_sem);
17484 + limit = mm->context.user_cs_limit;
17485 + if (limit < TASK_SIZE) {
17486 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
17487 + up_write(&mm->mmap_sem);
17488 + return;
17489 + }
17490 + up_write(&mm->mmap_sem);
17491 + }
17492 +#endif
17493 +
17494 tsk->thread.error_code = error_code;
17495 tsk->thread.trap_no = 13;
17496
17497 @@ -305,6 +327,13 @@ gp_in_kernel:
17498 if (notify_die(DIE_GPF, "general protection fault", regs,
17499 error_code, 13, SIGSEGV) == NOTIFY_STOP)
17500 return;
17501 +
17502 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17503 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
17504 + die("PAX: suspicious general protection fault", regs, error_code);
17505 + else
17506 +#endif
17507 +
17508 die("general protection fault", regs, error_code);
17509 }
17510
17511 @@ -435,6 +464,17 @@ static notrace __kprobes void default_do
17512 dotraplinkage notrace __kprobes void
17513 do_nmi(struct pt_regs *regs, long error_code)
17514 {
17515 +
17516 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17517 + if (!user_mode(regs)) {
17518 + unsigned long cs = regs->cs & 0xFFFF;
17519 + unsigned long ip = ktva_ktla(regs->ip);
17520 +
17521 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
17522 + regs->ip = ip;
17523 + }
17524 +#endif
17525 +
17526 nmi_enter();
17527
17528 inc_irq_stat(__nmi_count);
17529 @@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
17530 }
17531
17532 #ifdef CONFIG_X86_32
17533 - if (regs->flags & X86_VM_MASK)
17534 + if (v8086_mode(regs))
17535 goto debug_vm86;
17536 #endif
17537
17538 @@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
17539 * kernel space (but re-enable TF when returning to user mode).
17540 */
17541 if (condition & DR_STEP) {
17542 - if (!user_mode(regs))
17543 + if (!user_mode_novm(regs))
17544 goto clear_TF_reenable;
17545 }
17546
17547 @@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
17548 * Handle strange cache flush from user space exception
17549 * in all other cases. This is undocumented behaviour.
17550 */
17551 - if (regs->flags & X86_VM_MASK) {
17552 + if (v8086_mode(regs)) {
17553 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
17554 return;
17555 }
17556 @@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
17557 void __math_state_restore(void)
17558 {
17559 struct thread_info *thread = current_thread_info();
17560 - struct task_struct *tsk = thread->task;
17561 + struct task_struct *tsk = current;
17562
17563 /*
17564 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
17565 @@ -825,8 +865,7 @@ void __math_state_restore(void)
17566 */
17567 asmlinkage void math_state_restore(void)
17568 {
17569 - struct thread_info *thread = current_thread_info();
17570 - struct task_struct *tsk = thread->task;
17571 + struct task_struct *tsk = current;
17572
17573 if (!tsk_used_math(tsk)) {
17574 local_irq_enable();
17575 diff -urNp linux-2.6.32.43/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.43/arch/x86/kernel/verify_cpu_64.S
17576 --- linux-2.6.32.43/arch/x86/kernel/verify_cpu_64.S 2011-03-27 14:31:47.000000000 -0400
17577 +++ linux-2.6.32.43/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
17578 @@ -1,105 +0,0 @@
17579 -/*
17580 - *
17581 - * verify_cpu.S - Code for cpu long mode and SSE verification. This
17582 - * code has been borrowed from boot/setup.S and was introduced by
17583 - * Andi Kleen.
17584 - *
17585 - * Copyright (c) 2007 Andi Kleen (ak@suse.de)
17586 - * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
17587 - * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
17588 - *
17589 - * This source code is licensed under the GNU General Public License,
17590 - * Version 2. See the file COPYING for more details.
17591 - *
17592 - * This is a common code for verification whether CPU supports
17593 - * long mode and SSE or not. It is not called directly instead this
17594 - * file is included at various places and compiled in that context.
17595 - * Following are the current usage.
17596 - *
17597 - * This file is included by both 16bit and 32bit code.
17598 - *
17599 - * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
17600 - * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
17601 - * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
17602 - * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
17603 - *
17604 - * verify_cpu, returns the status of cpu check in register %eax.
17605 - * 0: Success 1: Failure
17606 - *
17607 - * The caller needs to check for the error code and take the action
17608 - * appropriately. Either display a message or halt.
17609 - */
17610 -
17611 -#include <asm/cpufeature.h>
17612 -
17613 -verify_cpu:
17614 - pushfl # Save caller passed flags
17615 - pushl $0 # Kill any dangerous flags
17616 - popfl
17617 -
17618 - pushfl # standard way to check for cpuid
17619 - popl %eax
17620 - movl %eax,%ebx
17621 - xorl $0x200000,%eax
17622 - pushl %eax
17623 - popfl
17624 - pushfl
17625 - popl %eax
17626 - cmpl %eax,%ebx
17627 - jz verify_cpu_no_longmode # cpu has no cpuid
17628 -
17629 - movl $0x0,%eax # See if cpuid 1 is implemented
17630 - cpuid
17631 - cmpl $0x1,%eax
17632 - jb verify_cpu_no_longmode # no cpuid 1
17633 -
17634 - xor %di,%di
17635 - cmpl $0x68747541,%ebx # AuthenticAMD
17636 - jnz verify_cpu_noamd
17637 - cmpl $0x69746e65,%edx
17638 - jnz verify_cpu_noamd
17639 - cmpl $0x444d4163,%ecx
17640 - jnz verify_cpu_noamd
17641 - mov $1,%di # cpu is from AMD
17642 -
17643 -verify_cpu_noamd:
17644 - movl $0x1,%eax # Does the cpu have what it takes
17645 - cpuid
17646 - andl $REQUIRED_MASK0,%edx
17647 - xorl $REQUIRED_MASK0,%edx
17648 - jnz verify_cpu_no_longmode
17649 -
17650 - movl $0x80000000,%eax # See if extended cpuid is implemented
17651 - cpuid
17652 - cmpl $0x80000001,%eax
17653 - jb verify_cpu_no_longmode # no extended cpuid
17654 -
17655 - movl $0x80000001,%eax # Does the cpu have what it takes
17656 - cpuid
17657 - andl $REQUIRED_MASK1,%edx
17658 - xorl $REQUIRED_MASK1,%edx
17659 - jnz verify_cpu_no_longmode
17660 -
17661 -verify_cpu_sse_test:
17662 - movl $1,%eax
17663 - cpuid
17664 - andl $SSE_MASK,%edx
17665 - cmpl $SSE_MASK,%edx
17666 - je verify_cpu_sse_ok
17667 - test %di,%di
17668 - jz verify_cpu_no_longmode # only try to force SSE on AMD
17669 - movl $0xc0010015,%ecx # HWCR
17670 - rdmsr
17671 - btr $15,%eax # enable SSE
17672 - wrmsr
17673 - xor %di,%di # don't loop
17674 - jmp verify_cpu_sse_test # try again
17675 -
17676 -verify_cpu_no_longmode:
17677 - popfl # Restore caller passed flags
17678 - movl $1,%eax
17679 - ret
17680 -verify_cpu_sse_ok:
17681 - popfl # Restore caller passed flags
17682 - xorl %eax, %eax
17683 - ret
17684 diff -urNp linux-2.6.32.43/arch/x86/kernel/verify_cpu.S linux-2.6.32.43/arch/x86/kernel/verify_cpu.S
17685 --- linux-2.6.32.43/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
17686 +++ linux-2.6.32.43/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:42.000000000 -0400
17687 @@ -0,0 +1,140 @@
17688 +/*
17689 + *
17690 + * verify_cpu.S - Code for cpu long mode and SSE verification. This
17691 + * code has been borrowed from boot/setup.S and was introduced by
17692 + * Andi Kleen.
17693 + *
17694 + * Copyright (c) 2007 Andi Kleen (ak@suse.de)
17695 + * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
17696 + * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
17697 + * Copyright (c) 2010 Kees Cook (kees.cook@canonical.com)
17698 + *
17699 + * This source code is licensed under the GNU General Public License,
17700 + * Version 2. See the file COPYING for more details.
17701 + *
17702 + * This is a common code for verification whether CPU supports
17703 + * long mode and SSE or not. It is not called directly instead this
17704 + * file is included at various places and compiled in that context.
17705 + * This file is expected to run in 32bit code. Currently:
17706 + *
17707 + * arch/x86/boot/compressed/head_64.S: Boot cpu verification
17708 + * arch/x86/kernel/trampoline_64.S: secondary processor verification
17709 + * arch/x86/kernel/head_32.S: processor startup
17710 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
17711 + *
17712 + * verify_cpu, returns the status of longmode and SSE in register %eax.
17713 + * 0: Success 1: Failure
17714 + *
17715 + * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
17716 + *
17717 + * The caller needs to check for the error code and take the action
17718 + * appropriately. Either display a message or halt.
17719 + */
17720 +
17721 +#include <asm/cpufeature.h>
17722 +#include <asm/msr-index.h>
17723 +
17724 +verify_cpu:
17725 + pushfl # Save caller passed flags
17726 + pushl $0 # Kill any dangerous flags
17727 + popfl
17728 +
17729 + pushfl # standard way to check for cpuid
17730 + popl %eax
17731 + movl %eax,%ebx
17732 + xorl $0x200000,%eax
17733 + pushl %eax
17734 + popfl
17735 + pushfl
17736 + popl %eax
17737 + cmpl %eax,%ebx
17738 + jz verify_cpu_no_longmode # cpu has no cpuid
17739 +
17740 + movl $0x0,%eax # See if cpuid 1 is implemented
17741 + cpuid
17742 + cmpl $0x1,%eax
17743 + jb verify_cpu_no_longmode # no cpuid 1
17744 +
17745 + xor %di,%di
17746 + cmpl $0x68747541,%ebx # AuthenticAMD
17747 + jnz verify_cpu_noamd
17748 + cmpl $0x69746e65,%edx
17749 + jnz verify_cpu_noamd
17750 + cmpl $0x444d4163,%ecx
17751 + jnz verify_cpu_noamd
17752 + mov $1,%di # cpu is from AMD
17753 + jmp verify_cpu_check
17754 +
17755 +verify_cpu_noamd:
17756 + cmpl $0x756e6547,%ebx # GenuineIntel?
17757 + jnz verify_cpu_check
17758 + cmpl $0x49656e69,%edx
17759 + jnz verify_cpu_check
17760 + cmpl $0x6c65746e,%ecx
17761 + jnz verify_cpu_check
17762 +
17763 + # only call IA32_MISC_ENABLE when:
17764 + # family > 6 || (family == 6 && model >= 0xd)
17765 + movl $0x1, %eax # check CPU family and model
17766 + cpuid
17767 + movl %eax, %ecx
17768 +
17769 + andl $0x0ff00f00, %eax # mask family and extended family
17770 + shrl $8, %eax
17771 + cmpl $6, %eax
17772 + ja verify_cpu_clear_xd # family > 6, ok
17773 + jb verify_cpu_check # family < 6, skip
17774 +
17775 + andl $0x000f00f0, %ecx # mask model and extended model
17776 + shrl $4, %ecx
17777 + cmpl $0xd, %ecx
17778 + jb verify_cpu_check # family == 6, model < 0xd, skip
17779 +
17780 +verify_cpu_clear_xd:
17781 + movl $MSR_IA32_MISC_ENABLE, %ecx
17782 + rdmsr
17783 + btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
17784 + jnc verify_cpu_check # only write MSR if bit was changed
17785 + wrmsr
17786 +
17787 +verify_cpu_check:
17788 + movl $0x1,%eax # Does the cpu have what it takes
17789 + cpuid
17790 + andl $REQUIRED_MASK0,%edx
17791 + xorl $REQUIRED_MASK0,%edx
17792 + jnz verify_cpu_no_longmode
17793 +
17794 + movl $0x80000000,%eax # See if extended cpuid is implemented
17795 + cpuid
17796 + cmpl $0x80000001,%eax
17797 + jb verify_cpu_no_longmode # no extended cpuid
17798 +
17799 + movl $0x80000001,%eax # Does the cpu have what it takes
17800 + cpuid
17801 + andl $REQUIRED_MASK1,%edx
17802 + xorl $REQUIRED_MASK1,%edx
17803 + jnz verify_cpu_no_longmode
17804 +
17805 +verify_cpu_sse_test:
17806 + movl $1,%eax
17807 + cpuid
17808 + andl $SSE_MASK,%edx
17809 + cmpl $SSE_MASK,%edx
17810 + je verify_cpu_sse_ok
17811 + test %di,%di
17812 + jz verify_cpu_no_longmode # only try to force SSE on AMD
17813 + movl $MSR_K7_HWCR,%ecx
17814 + rdmsr
17815 + btr $15,%eax # enable SSE
17816 + wrmsr
17817 + xor %di,%di # don't loop
17818 + jmp verify_cpu_sse_test # try again
17819 +
17820 +verify_cpu_no_longmode:
17821 + popfl # Restore caller passed flags
17822 + movl $1,%eax
17823 + ret
17824 +verify_cpu_sse_ok:
17825 + popfl # Restore caller passed flags
17826 + xorl %eax, %eax
17827 + ret
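Review bot: The header comment documents the %eax result and the XD_DISABLE side effect but not the registers the routine destroys, which matters because the file is textually included into several early-boot callers. From the body, `cpuid` overwrites %eax, %ebx, %ecx and %edx, `%di` carries the AMD flag, and `rdmsr`/`wrmsr` use %ecx, %eax and %edx, so I would add a line such as `* Clobbers: %eax, %ebx, %ecx, %edx, %di. Caller flags are preserved.` next to the return-value description. The `verify_cpu_clear_xd` path would also benefit from a sentence on why the bit is cleared before `verify_cpu_check` runs, presumably so that NX is reported by the CPUID 0x80000001 test that follows.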
17828 diff -urNp linux-2.6.32.43/arch/x86/kernel/vm86_32.c linux-2.6.32.43/arch/x86/kernel/vm86_32.c
17829 --- linux-2.6.32.43/arch/x86/kernel/vm86_32.c 2011-03-27 14:31:47.000000000 -0400
17830 +++ linux-2.6.32.43/arch/x86/kernel/vm86_32.c 2011-04-17 15:56:46.000000000 -0400
17831 @@ -41,6 +41,7 @@
17832 #include <linux/ptrace.h>
17833 #include <linux/audit.h>
17834 #include <linux/stddef.h>
17835 +#include <linux/grsecurity.h>
17836
17837 #include <asm/uaccess.h>
17838 #include <asm/io.h>
17839 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
17840 do_exit(SIGSEGV);
17841 }
17842
17843 - tss = &per_cpu(init_tss, get_cpu());
17844 + tss = init_tss + get_cpu();
17845 current->thread.sp0 = current->thread.saved_sp0;
17846 current->thread.sysenter_cs = __KERNEL_CS;
17847 load_sp0(tss, &current->thread);
17848 @@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
17849 struct task_struct *tsk;
17850 int tmp, ret = -EPERM;
17851
17852 +#ifdef CONFIG_GRKERNSEC_VM86
17853 + if (!capable(CAP_SYS_RAWIO)) {
17854 + gr_handle_vm86();
17855 + goto out;
17856 + }
17857 +#endif
17858 +
17859 tsk = current;
17860 if (tsk->thread.saved_sp0)
17861 goto out;
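Review bot: The new guard in sys_vm86old reaches `goto out` without assigning `ret`, relying on the `ret = -EPERM` initialiser in the declaration above it, whereas the same guard added to sys_vm86 in the next hunk sets `ret = -EPERM;` explicitly. Writing `ret = -EPERM;` before the `goto out` here too would keep the denial path correct if the initialiser is ever changed. Neither guard says why CAP_SYS_RAWIO is the capability chosen; a short comment such as `/* vm86 mode is limited to CAP_SYS_RAWIO holders when GRKERNSEC_VM86 is set */` above each `#ifdef` would record the policy. Both function bodies continue outside their hunks.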
17862 @@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
17863 int tmp, ret;
17864 struct vm86plus_struct __user *v86;
17865
17866 +#ifdef CONFIG_GRKERNSEC_VM86
17867 + if (!capable(CAP_SYS_RAWIO)) {
17868 + gr_handle_vm86();
17869 + ret = -EPERM;
17870 + goto out;
17871 + }
17872 +#endif
17873 +
17874 tsk = current;
17875 switch (regs->bx) {
17876 case VM86_REQUEST_IRQ:
17877 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
17878 tsk->thread.saved_fs = info->regs32->fs;
17879 tsk->thread.saved_gs = get_user_gs(info->regs32);
17880
17881 - tss = &per_cpu(init_tss, get_cpu());
17882 + tss = init_tss + get_cpu();
17883 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
17884 if (cpu_has_sep)
17885 tsk->thread.sysenter_cs = 0;
17886 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
17887 goto cannot_handle;
17888 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
17889 goto cannot_handle;
17890 - intr_ptr = (unsigned long __user *) (i << 2);
17891 + intr_ptr = (__force unsigned long __user *) (i << 2);
17892 if (get_user(segoffs, intr_ptr))
17893 goto cannot_handle;
17894 if ((segoffs >> 16) == BIOSSEG)
17895 diff -urNp linux-2.6.32.43/arch/x86/kernel/vmi_32.c linux-2.6.32.43/arch/x86/kernel/vmi_32.c
17896 --- linux-2.6.32.43/arch/x86/kernel/vmi_32.c 2011-03-27 14:31:47.000000000 -0400
17897 +++ linux-2.6.32.43/arch/x86/kernel/vmi_32.c 2011-08-05 20:33:55.000000000 -0400
17898 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
17899 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
17900
17901 #define call_vrom_func(rom,func) \
17902 - (((VROMFUNC *)(rom->func))())
17903 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
17904
17905 #define call_vrom_long_func(rom,func,arg) \
17906 - (((VROMLONGFUNC *)(rom->func)) (arg))
17907 +({\
17908 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
17909 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
17910 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
17911 + __reloc;\
17912 +})
17913
17914 -static struct vrom_header *vmi_rom;
17915 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
17916 static int disable_pge;
17917 static int disable_pse;
17918 static int disable_sep;
17919 @@ -76,10 +81,10 @@ static struct {
17920 void (*set_initial_ap_state)(int, int);
17921 void (*halt)(void);
17922 void (*set_lazy_mode)(int mode);
17923 -} vmi_ops;
17924 +} __no_const vmi_ops __read_only;
17925
17926 /* Cached VMI operations */
17927 -struct vmi_timer_ops vmi_timer_ops;
17928 +struct vmi_timer_ops vmi_timer_ops __read_only;
17929
17930 /*
17931 * VMI patching routines.
17932 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
17933 static inline void patch_offset(void *insnbuf,
17934 unsigned long ip, unsigned long dest)
17935 {
17936 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
17937 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
17938 }
17939
17940 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
17941 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
17942 {
17943 u64 reloc;
17944 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
17945 +
17946 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
17947 switch(rel->type) {
17948 case VMI_RELOCATION_CALL_REL:
17949 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
17950
17951 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
17952 {
17953 - const pte_t pte = { .pte = 0 };
17954 + const pte_t pte = __pte(0ULL);
17955 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
17956 }
17957
17958 static void vmi_pmd_clear(pmd_t *pmd)
17959 {
17960 - const pte_t pte = { .pte = 0 };
17961 + const pte_t pte = __pte(0ULL);
17962 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
17963 }
17964 #endif
17965 @@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
17966 ap.ss = __KERNEL_DS;
17967 ap.esp = (unsigned long) start_esp;
17968
17969 - ap.ds = __USER_DS;
17970 - ap.es = __USER_DS;
17971 + ap.ds = __KERNEL_DS;
17972 + ap.es = __KERNEL_DS;
17973 ap.fs = __KERNEL_PERCPU;
17974 - ap.gs = __KERNEL_STACK_CANARY;
17975 + savesegment(gs, ap.gs);
17976
17977 ap.eflags = 0;
17978
17979 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
17980 paravirt_leave_lazy_mmu();
17981 }
17982
17983 +#ifdef CONFIG_PAX_KERNEXEC
17984 +static unsigned long vmi_pax_open_kernel(void)
17985 +{
17986 + return 0;
17987 +}
17988 +
17989 +static unsigned long vmi_pax_close_kernel(void)
17990 +{
17991 + return 0;
17992 +}
17993 +#endif
17994 +
17995 static inline int __init check_vmi_rom(struct vrom_header *rom)
17996 {
17997 struct pci_header *pci;
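Review bot: `vmi_pax_open_kernel()` and `vmi_pax_close_kernel()` are empty stubs returning 0, and nothing in the hunk says why no work is needed when running under VMI. The later activate_vmi hunk installs them into `pv_mmu_ops`, so every `pax_open_kernel()`/`pax_close_kernel()` pair would become a no-op on such a guest. A reader cannot tell whether KERNEXEC write protection is intentionally not enforced there or whether writes to read-only data are expected to fault. I would add a comment above the stubs stating which is intended, for example `/* VMI guest: kernel write protection is not toggled here; <reason> */`. check_vmi_rom's body continues outside the hunk.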
17998 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
17999 return 0;
18000 if (rom->vrom_signature != VMI_SIGNATURE)
18001 return 0;
18002 + if (rom->rom_length * 512 > sizeof(*rom)) {
18003 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
18004 + return 0;
18005 + }
18006 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
18007 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
18008 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
18009 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
18010 struct vrom_header *romstart;
18011 romstart = (struct vrom_header *)isa_bus_to_virt(base);
18012 if (check_vmi_rom(romstart)) {
18013 - vmi_rom = romstart;
18014 + vmi_rom = *romstart;
18015 return 1;
18016 }
18017 }
18018 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
18019
18020 para_fill(pv_irq_ops.safe_halt, Halt);
18021
18022 +#ifdef CONFIG_PAX_KERNEXEC
18023 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
18024 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
18025 +#endif
18026 +
18027 /*
18028 * Alternative instruction rewriting doesn't happen soon enough
18029 * to convert VMI_IRET to a call instead of a jump; so we have
18030 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
18031
18032 void __init vmi_init(void)
18033 {
18034 - if (!vmi_rom)
18035 + if (!vmi_rom.rom_signature)
18036 probe_vmi_rom();
18037 else
18038 - check_vmi_rom(vmi_rom);
18039 + check_vmi_rom(&vmi_rom);
18040
18041 /* In case probing for or validating the ROM failed, basil */
18042 - if (!vmi_rom)
18043 + if (!vmi_rom.rom_signature)
18044 return;
18045
18046 - reserve_top_address(-vmi_rom->virtual_top);
18047 + reserve_top_address(-vmi_rom.virtual_top);
18048
18049 #ifdef CONFIG_X86_IO_APIC
18050 /* This is virtual hardware; timer routing is wired correctly */
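Review bot: The return value of `check_vmi_rom(&vmi_rom)` in the `else` branch is discarded, so a ROM header that fails validation still passes the following `if (!vmi_rom.rom_signature)` test and reaches `reserve_top_address(-vmi_rom.virtual_top)`. The old pointer-based code had the same gap, but the comment directly below claims the validation-failure case is handled. Changing the branch to `else if (!check_vmi_rom(&vmi_rom)) return;` would make the code match that comment. vmi_init's body continues outside the hunk.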
18051 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
18052 {
18053 unsigned long flags;
18054
18055 - if (!vmi_rom)
18056 + if (!vmi_rom.rom_signature)
18057 return;
18058
18059 local_irq_save(flags);
18060 diff -urNp linux-2.6.32.43/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.43/arch/x86/kernel/vmlinux.lds.S
18061 --- linux-2.6.32.43/arch/x86/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
18062 +++ linux-2.6.32.43/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:56:46.000000000 -0400
18063 @@ -26,6 +26,13 @@
18064 #include <asm/page_types.h>
18065 #include <asm/cache.h>
18066 #include <asm/boot.h>
18067 +#include <asm/segment.h>
18068 +
18069 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18070 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18071 +#else
18072 +#define __KERNEL_TEXT_OFFSET 0
18073 +#endif
18074
18075 #undef i386 /* in case the preprocessor is a 32bit one */
18076
18077 @@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18078 #ifdef CONFIG_X86_32
18079 OUTPUT_ARCH(i386)
18080 ENTRY(phys_startup_32)
18081 -jiffies = jiffies_64;
18082 #else
18083 OUTPUT_ARCH(i386:x86-64)
18084 ENTRY(phys_startup_64)
18085 -jiffies_64 = jiffies;
18086 #endif
18087
18088 PHDRS {
18089 text PT_LOAD FLAGS(5); /* R_E */
18090 - data PT_LOAD FLAGS(7); /* RWE */
18091 +#ifdef CONFIG_X86_32
18092 + module PT_LOAD FLAGS(5); /* R_E */
18093 +#endif
18094 +#ifdef CONFIG_XEN
18095 + rodata PT_LOAD FLAGS(5); /* R_E */
18096 +#else
18097 + rodata PT_LOAD FLAGS(4); /* R__ */
18098 +#endif
18099 + data PT_LOAD FLAGS(6); /* RW_ */
18100 #ifdef CONFIG_X86_64
18101 user PT_LOAD FLAGS(5); /* R_E */
18102 +#endif
18103 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18104 #ifdef CONFIG_SMP
18105 percpu PT_LOAD FLAGS(6); /* RW_ */
18106 #endif
18107 + text.init PT_LOAD FLAGS(5); /* R_E */
18108 + text.exit PT_LOAD FLAGS(5); /* R_E */
18109 init PT_LOAD FLAGS(7); /* RWE */
18110 -#endif
18111 note PT_NOTE FLAGS(0); /* ___ */
18112 }
18113
18114 SECTIONS
18115 {
18116 #ifdef CONFIG_X86_32
18117 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18118 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18119 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18120 #else
18121 - . = __START_KERNEL;
18122 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18123 + . = __START_KERNEL;
18124 #endif
18125
18126 /* Text and read-only data */
18127 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18128 - _text = .;
18129 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18130 /* bootstrapping code */
18131 +#ifdef CONFIG_X86_32
18132 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18133 +#else
18134 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18135 +#endif
18136 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18137 + _text = .;
18138 HEAD_TEXT
18139 #ifdef CONFIG_X86_32
18140 . = ALIGN(PAGE_SIZE);
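Review bot: Under CONFIG_XEN the new `rodata` program header is declared `FLAGS(5)` (R_E) rather than `FLAGS(4)`, and there is no comment saying why read-only data must be executable in that configuration. A one-line comment above the `#ifdef CONFIG_XEN` naming the reason would keep the exception from being copied or removed blindly. The `init` header also stays `FLAGS(7)` (RWE) even though the hunk adds separate `text.init` and `text.exit` headers for init code. If nothing executable is left in `init` after this change it could become `FLAGS(6)`, but that depends on section assignments outside this hunk. The SECTIONS block continues outside the hunk.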
18141 @@ -82,28 +102,71 @@ SECTIONS
18142 IRQENTRY_TEXT
18143 *(.fixup)
18144 *(.gnu.warning)
18145 - /* End of text section */
18146 - _etext = .;
18147 } :text = 0x9090
18148
18149 - NOTES :text :note
18150 + . += __KERNEL_TEXT_OFFSET;
18151 +
18152 +#ifdef CONFIG_X86_32
18153 + . = ALIGN(PAGE_SIZE);
18154 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
18155 + *(.vmi.rom)
18156 + } :module
18157 +
18158 + . = ALIGN(PAGE_SIZE);
18159 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18160 +
18161 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18162 + MODULES_EXEC_VADDR = .;
18163 + BYTE(0)
18164 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18165 + . = ALIGN(HPAGE_SIZE);
18166 + MODULES_EXEC_END = . - 1;
18167 +#endif
18168 +
18169 + } :module
18170 +#endif
18171
18172 - EXCEPTION_TABLE(16) :text = 0x9090
18173 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18174 + /* End of text section */
18175 + _etext = . - __KERNEL_TEXT_OFFSET;
18176 + }
18177 +
18178 +#ifdef CONFIG_X86_32
18179 + . = ALIGN(PAGE_SIZE);
18180 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18181 + *(.idt)
18182 + . = ALIGN(PAGE_SIZE);
18183 + *(.empty_zero_page)
18184 + *(.swapper_pg_fixmap)
18185 + *(.swapper_pg_pmd)
18186 + *(.swapper_pg_dir)
18187 + *(.trampoline_pg_dir)
18188 + } :rodata
18189 +#endif
18190 +
18191 + . = ALIGN(PAGE_SIZE);
18192 + NOTES :rodata :note
18193 +
18194 + EXCEPTION_TABLE(16) :rodata
18195
18196 RO_DATA(PAGE_SIZE)
18197
18198 /* Data */
18199 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18200 +
18201 +#ifdef CONFIG_PAX_KERNEXEC
18202 + . = ALIGN(HPAGE_SIZE);
18203 +#else
18204 + . = ALIGN(PAGE_SIZE);
18205 +#endif
18206 +
18207 /* Start of data section */
18208 _sdata = .;
18209
18210 /* init_task */
18211 INIT_TASK_DATA(THREAD_SIZE)
18212
18213 -#ifdef CONFIG_X86_32
18214 - /* 32 bit has nosave before _edata */
18215 NOSAVE_DATA
18216 -#endif
18217
18218 PAGE_ALIGNED_DATA(PAGE_SIZE)
18219
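Review bot: The `BYTE(0)` at the start of `.module.text` has no explanation, and the same idiom appears in `.init.begin` in a later hunk of this file. It presumably exists so the output section has contents and is emitted into its PT_LOAD segment even when no input section lands there, but that is not obvious from the script. A comment such as `/* force a non-empty section so the region is allocated */` at both places would help. The reservation `CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024` could likewise say that the option is expressed in MiB.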
18220 @@ -112,6 +175,8 @@ SECTIONS
18221 DATA_DATA
18222 CONSTRUCTORS
18223
18224 + jiffies = jiffies_64;
18225 +
18226 /* rarely changed data like cpu maps */
18227 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
18228
18229 @@ -166,12 +231,6 @@ SECTIONS
18230 }
18231 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18232
18233 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
18234 - .jiffies : AT(VLOAD(.jiffies)) {
18235 - *(.jiffies)
18236 - }
18237 - jiffies = VVIRT(.jiffies);
18238 -
18239 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18240 *(.vsyscall_3)
18241 }
18242 @@ -187,12 +246,19 @@ SECTIONS
18243 #endif /* CONFIG_X86_64 */
18244
18245 /* Init code and data - will be freed after init */
18246 - . = ALIGN(PAGE_SIZE);
18247 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18248 + BYTE(0)
18249 +
18250 +#ifdef CONFIG_PAX_KERNEXEC
18251 + . = ALIGN(HPAGE_SIZE);
18252 +#else
18253 + . = ALIGN(PAGE_SIZE);
18254 +#endif
18255 +
18256 __init_begin = .; /* paired with __init_end */
18257 - }
18258 + } :init.begin
18259
18260 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18261 +#ifdef CONFIG_SMP
18262 /*
18263 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18264 * output PHDR, so the next output section - .init.text - should
18265 @@ -201,12 +267,27 @@ SECTIONS
18266 PERCPU_VADDR(0, :percpu)
18267 #endif
18268
18269 - INIT_TEXT_SECTION(PAGE_SIZE)
18270 -#ifdef CONFIG_X86_64
18271 - :init
18272 -#endif
18273 + . = ALIGN(PAGE_SIZE);
18274 + init_begin = .;
18275 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18276 + VMLINUX_SYMBOL(_sinittext) = .;
18277 + INIT_TEXT
18278 + VMLINUX_SYMBOL(_einittext) = .;
18279 + . = ALIGN(PAGE_SIZE);
18280 + } :text.init
18281
18282 - INIT_DATA_SECTION(16)
18283 + /*
18284 + * .exit.text is discard at runtime, not link time, to deal with
18285 + * references from .altinstructions and .eh_frame
18286 + */
18287 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18288 + EXIT_TEXT
18289 + . = ALIGN(16);
18290 + } :text.exit
18291 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18292 +
18293 + . = ALIGN(PAGE_SIZE);
18294 + INIT_DATA_SECTION(16) :init
18295
18296 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
18297 __x86_cpu_dev_start = .;
18298 @@ -232,19 +313,11 @@ SECTIONS
18299 *(.altinstr_replacement)
18300 }
18301
18302 - /*
18303 - * .exit.text is discard at runtime, not link time, to deal with
18304 - * references from .altinstructions and .eh_frame
18305 - */
18306 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18307 - EXIT_TEXT
18308 - }
18309 -
18310 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18311 EXIT_DATA
18312 }
18313
18314 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18315 +#ifndef CONFIG_SMP
18316 PERCPU(PAGE_SIZE)
18317 #endif
18318
18319 @@ -267,12 +340,6 @@ SECTIONS
18320 . = ALIGN(PAGE_SIZE);
18321 }
18322
18323 -#ifdef CONFIG_X86_64
18324 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18325 - NOSAVE_DATA
18326 - }
18327 -#endif
18328 -
18329 /* BSS */
18330 . = ALIGN(PAGE_SIZE);
18331 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18332 @@ -288,6 +355,7 @@ SECTIONS
18333 __brk_base = .;
18334 . += 64 * 1024; /* 64k alignment slop space */
18335 *(.brk_reservation) /* areas brk users have reserved */
18336 + . = ALIGN(HPAGE_SIZE);
18337 __brk_limit = .;
18338 }
18339
18340 @@ -316,13 +384,12 @@ SECTIONS
18341 * for the boot processor.
18342 */
18343 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
18344 -INIT_PER_CPU(gdt_page);
18345 INIT_PER_CPU(irq_stack_union);
18346
18347 /*
18348 * Build-time check on the image size:
18349 */
18350 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18351 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18352 "kernel image bigger than KERNEL_IMAGE_SIZE");
18353
18354 #ifdef CONFIG_SMP
18355 diff -urNp linux-2.6.32.43/arch/x86/kernel/vsyscall_64.c linux-2.6.32.43/arch/x86/kernel/vsyscall_64.c
18356 --- linux-2.6.32.43/arch/x86/kernel/vsyscall_64.c 2011-03-27 14:31:47.000000000 -0400
18357 +++ linux-2.6.32.43/arch/x86/kernel/vsyscall_64.c 2011-04-23 12:56:10.000000000 -0400
18358 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18359
18360 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18361 /* copy vsyscall data */
18362 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18363 vsyscall_gtod_data.clock.vread = clock->vread;
18364 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18365 vsyscall_gtod_data.clock.mask = clock->mask;
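Review bot: `sizeof vsyscall_gtod_data.clock.name` bounds the copy correctly only if `name` is a char array in that structure. Its declaration is outside this hunk, and if it were a `char *` the expression would be the pointer size and the copy would be cut to a few bytes. The `strlcpy()` return value is also ignored, so a clocksource name longer than the destination is truncated silently. A short comment stating that the name is copied by value rather than by pointer, and why, would explain the extra work done under `write_seqlock_irqsave()`. update_vsyscall's body continues outside the hunk.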
18366 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18367 We do this here because otherwise user space would do it on
18368 its own in a likely inferior way (no access to jiffies).
18369 If you don't like it pass NULL. */
18370 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18371 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18372 p = tcache->blob[1];
18373 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18374 /* Load per CPU data from RDTSCP */
18375 diff -urNp linux-2.6.32.43/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.43/arch/x86/kernel/x8664_ksyms_64.c
18376 --- linux-2.6.32.43/arch/x86/kernel/x8664_ksyms_64.c 2011-03-27 14:31:47.000000000 -0400
18377 +++ linux-2.6.32.43/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:56:46.000000000 -0400
18378 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
18379
18380 EXPORT_SYMBOL(copy_user_generic);
18381 EXPORT_SYMBOL(__copy_user_nocache);
18382 -EXPORT_SYMBOL(copy_from_user);
18383 -EXPORT_SYMBOL(copy_to_user);
18384 EXPORT_SYMBOL(__copy_from_user_inatomic);
18385
18386 EXPORT_SYMBOL(copy_page);
18387 diff -urNp linux-2.6.32.43/arch/x86/kernel/xsave.c linux-2.6.32.43/arch/x86/kernel/xsave.c
18388 --- linux-2.6.32.43/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
18389 +++ linux-2.6.32.43/arch/x86/kernel/xsave.c 2011-04-17 15:56:46.000000000 -0400
18390 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
18391 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18392 return -1;
18393
18394 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18395 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18396 fx_sw_user->extended_size -
18397 FP_XSTATE_MAGIC2_SIZE));
18398 /*
18399 @@ -196,7 +196,7 @@ fx_only:
18400 * the other extended state.
18401 */
18402 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18403 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18404 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18405 }
18406
18407 /*
18408 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
18409 if (task_thread_info(tsk)->status & TS_XSAVE)
18410 err = restore_user_xstate(buf);
18411 else
18412 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18413 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18414 buf);
18415 if (unlikely(err)) {
18416 /*
18417 diff -urNp linux-2.6.32.43/arch/x86/kvm/emulate.c linux-2.6.32.43/arch/x86/kvm/emulate.c
18418 --- linux-2.6.32.43/arch/x86/kvm/emulate.c 2011-03-27 14:31:47.000000000 -0400
18419 +++ linux-2.6.32.43/arch/x86/kvm/emulate.c 2011-04-17 15:56:46.000000000 -0400
18420 @@ -81,8 +81,8 @@
18421 #define Src2CL (1<<29)
18422 #define Src2ImmByte (2<<29)
18423 #define Src2One (3<<29)
18424 -#define Src2Imm16 (4<<29)
18425 -#define Src2Mask (7<<29)
18426 +#define Src2Imm16 (4U<<29)
18427 +#define Src2Mask (7U<<29)
18428
18429 enum {
18430 Group1_80, Group1_81, Group1_82, Group1_83,
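Review bot: Only `Src2Imm16` and `Src2Mask` get the `U` suffix, leaving `Src2CL`, `Src2ImmByte` and `Src2One` as signed `int` constants in the same bit field. `4<<29` and `7<<29` are the two that overflow a 32-bit int, so the fix is sufficient, but mixing signed and unsigned values that are compared after masking with `Src2Mask` is easy to get wrong later. I would write all five as unsigned, e.g. `#define Src2CL (1U<<29)`.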
18431 @@ -411,6 +411,7 @@ static u32 group2_table[] = {
18432
18433 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
18434 do { \
18435 + unsigned long _tmp; \
18436 __asm__ __volatile__ ( \
18437 _PRE_EFLAGS("0", "4", "2") \
18438 _op _suffix " %"_x"3,%1; " \
18439 @@ -424,8 +425,6 @@ static u32 group2_table[] = {
18440 /* Raw emulation: instruction has two explicit operands. */
18441 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18442 do { \
18443 - unsigned long _tmp; \
18444 - \
18445 switch ((_dst).bytes) { \
18446 case 2: \
18447 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
18448 @@ -441,7 +440,6 @@ static u32 group2_table[] = {
18449
18450 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18451 do { \
18452 - unsigned long _tmp; \
18453 switch ((_dst).bytes) { \
18454 case 1: \
18455 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
18456 diff -urNp linux-2.6.32.43/arch/x86/kvm/lapic.c linux-2.6.32.43/arch/x86/kvm/lapic.c
18457 --- linux-2.6.32.43/arch/x86/kvm/lapic.c 2011-03-27 14:31:47.000000000 -0400
18458 +++ linux-2.6.32.43/arch/x86/kvm/lapic.c 2011-04-17 15:56:46.000000000 -0400
18459 @@ -52,7 +52,7 @@
18460 #define APIC_BUS_CYCLE_NS 1
18461
18462 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18463 -#define apic_debug(fmt, arg...)
18464 +#define apic_debug(fmt, arg...) do {} while (0)
18465
18466 #define APIC_LVT_NUM 6
18467 /* 14 is the version for Xeon and Pentium 8.4.8*/
18468 diff -urNp linux-2.6.32.43/arch/x86/kvm/paging_tmpl.h linux-2.6.32.43/arch/x86/kvm/paging_tmpl.h
18469 --- linux-2.6.32.43/arch/x86/kvm/paging_tmpl.h 2011-03-27 14:31:47.000000000 -0400
18470 +++ linux-2.6.32.43/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:46:57.000000000 -0400
18471 @@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
18472 int level = PT_PAGE_TABLE_LEVEL;
18473 unsigned long mmu_seq;
18474
18475 + pax_track_stack();
18476 +
18477 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18478 kvm_mmu_audit(vcpu, "pre page fault");
18479
18480 diff -urNp linux-2.6.32.43/arch/x86/kvm/svm.c linux-2.6.32.43/arch/x86/kvm/svm.c
18481 --- linux-2.6.32.43/arch/x86/kvm/svm.c 2011-03-27 14:31:47.000000000 -0400
18482 +++ linux-2.6.32.43/arch/x86/kvm/svm.c 2011-08-05 20:33:55.000000000 -0400
18483 @@ -2485,7 +2485,11 @@ static void reload_tss(struct kvm_vcpu *
18484 int cpu = raw_smp_processor_id();
18485
18486 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
18487 +
18488 + pax_open_kernel();
18489 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
18490 + pax_close_kernel();
18491 +
18492 load_TR_desc();
18493 }
18494
18495 @@ -2946,7 +2950,7 @@ static bool svm_gb_page_enable(void)
18496 return true;
18497 }
18498
18499 -static struct kvm_x86_ops svm_x86_ops = {
18500 +static const struct kvm_x86_ops svm_x86_ops = {
18501 .cpu_has_kvm_support = has_svm,
18502 .disabled_by_bios = is_disabled,
18503 .hardware_setup = svm_hardware_setup,
18504 diff -urNp linux-2.6.32.43/arch/x86/kvm/vmx.c linux-2.6.32.43/arch/x86/kvm/vmx.c
18505 --- linux-2.6.32.43/arch/x86/kvm/vmx.c 2011-03-27 14:31:47.000000000 -0400
18506 +++ linux-2.6.32.43/arch/x86/kvm/vmx.c 2011-05-04 17:56:20.000000000 -0400
18507 @@ -570,7 +570,11 @@ static void reload_tss(void)
18508
18509 kvm_get_gdt(&gdt);
18510 descs = (void *)gdt.base;
18511 +
18512 + pax_open_kernel();
18513 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18514 + pax_close_kernel();
18515 +
18516 load_TR_desc();
18517 }
18518
18519 @@ -1409,8 +1413,11 @@ static __init int hardware_setup(void)
18520 if (!cpu_has_vmx_flexpriority())
18521 flexpriority_enabled = 0;
18522
18523 - if (!cpu_has_vmx_tpr_shadow())
18524 - kvm_x86_ops->update_cr8_intercept = NULL;
18525 + if (!cpu_has_vmx_tpr_shadow()) {
18526 + pax_open_kernel();
18527 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18528 + pax_close_kernel();
18529 + }
18530
18531 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18532 kvm_disable_largepages();
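Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away the `const` this patch adds to `kvm_x86_ops`, and the target is presumably `vmx_x86_ops`, which a later hunk declares `static const`. Writing to an object defined `const` is undefined behaviour in C regardless of the `pax_open_kernel()` bracket, and the cast also stores through a data-pointer type into a function-pointer member. The vmi_32.c part of this patch uses `__no_const ... __read_only` for an ops structure that is written during init. Following that pattern here, or adding a comment explaining why the const-plus-cast form was chosen, would make the intent clear. hardware_setup's body continues outside the hunk.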
18533 @@ -2361,7 +2368,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18534 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
18535
18536 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18537 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18538 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18539 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18540 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18541 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
18542 @@ -3717,6 +3724,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
18543 "jmp .Lkvm_vmx_return \n\t"
18544 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18545 ".Lkvm_vmx_return: "
18546 +
18547 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18548 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18549 + ".Lkvm_vmx_return2: "
18550 +#endif
18551 +
18552 /* Save guest registers, load host registers, keep flags */
18553 "xchg %0, (%%"R"sp) \n\t"
18554 "mov %%"R"ax, %c[rax](%0) \n\t"
18555 @@ -3763,8 +3776,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
18556 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
18557 #endif
18558 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
18559 +
18560 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18561 + ,[cs]"i"(__KERNEL_CS)
18562 +#endif
18563 +
18564 : "cc", "memory"
18565 - , R"bx", R"di", R"si"
18566 + , R"ax", R"bx", R"di", R"si"
18567 #ifdef CONFIG_X86_64
18568 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
18569 #endif
18570 @@ -3781,7 +3799,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
18571 if (vmx->rmode.irq.pending)
18572 fixup_rmode_irq(vmx);
18573
18574 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18575 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18576 +
18577 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18578 + loadsegment(fs, __KERNEL_PERCPU);
18579 +#endif
18580 +
18581 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18582 + __set_fs(current_thread_info()->addr_limit);
18583 +#endif
18584 +
18585 vmx->launched = 1;
18586
18587 vmx_complete_interrupts(vmx);
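Review bot: The segment reload after the VM exit changes from `__USER_DS` to `__KERNEL_DS`, gains a `%ss` load, and is followed by conditional `%fs` and `__set_fs()` restores, but none of the four steps carries a comment saying which host state is being re-established. Presumably the selectors and limits left by the exit do not match what KERNEXEC/UDEREF expect on 32-bit; if so, a comment like `/* VM exit reloads host segments with flat limits; restore the PaX kernel segments and the task's addr_limit */` above the asm would record it. It would also help to say why `%ss` is reloaded unconditionally while the `%fs` and `__set_fs()` steps are config-gated. vmx_vcpu_run starts and ends outside this hunk.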
18588 @@ -3956,7 +3983,7 @@ static bool vmx_gb_page_enable(void)
18589 return false;
18590 }
18591
18592 -static struct kvm_x86_ops vmx_x86_ops = {
18593 +static const struct kvm_x86_ops vmx_x86_ops = {
18594 .cpu_has_kvm_support = cpu_has_kvm_support,
18595 .disabled_by_bios = vmx_disabled_by_bios,
18596 .hardware_setup = hardware_setup,
18597 diff -urNp linux-2.6.32.43/arch/x86/kvm/x86.c linux-2.6.32.43/arch/x86/kvm/x86.c
18598 --- linux-2.6.32.43/arch/x86/kvm/x86.c 2011-05-10 22:12:01.000000000 -0400
18599 +++ linux-2.6.32.43/arch/x86/kvm/x86.c 2011-05-10 22:12:26.000000000 -0400
18600 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
18601 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18602 struct kvm_cpuid_entry2 __user *entries);
18603
18604 -struct kvm_x86_ops *kvm_x86_ops;
18605 +const struct kvm_x86_ops *kvm_x86_ops;
18606 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18607
18608 int ignore_msrs = 0;
18609 @@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18610 struct kvm_cpuid2 *cpuid,
18611 struct kvm_cpuid_entry2 __user *entries)
18612 {
18613 - int r;
18614 + int r, i;
18615
18616 r = -E2BIG;
18617 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18618 goto out;
18619 r = -EFAULT;
18620 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18621 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18622 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18623 goto out;
18624 + for (i = 0; i < cpuid->nent; ++i) {
18625 + struct kvm_cpuid_entry2 cpuid_entry;
18626 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18627 + goto out;
18628 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18629 + }
18630 vcpu->arch.cpuid_nent = cpuid->nent;
18631 kvm_apic_set_version(vcpu);
18632 return 0;
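Review bot: The new loop index is declared as `int r, i;` and compared with `cpuid->nent`, which looks like an unsigned field (it is only checked against an upper bound); `unsigned int i;` would avoid the mixed-sign comparison in `i < cpuid->nent`. The hunk also replaces one bulk copy_from_user() with access_ok() plus a per-entry `__copy_from_user` through a stack temporary without saying why. If the intent is to give every user copy a compile-time constant size, a comment such as `/* copy one entry at a time so each user copy has a fixed, checkable size */` above the loop would record it. kvm_vcpu_ioctl_get_cpuid2 in the next hunk uses the same pattern and would take the same comment.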
18633 @@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18634 struct kvm_cpuid2 *cpuid,
18635 struct kvm_cpuid_entry2 __user *entries)
18636 {
18637 - int r;
18638 + int r, i;
18639
18640 vcpu_load(vcpu);
18641 r = -E2BIG;
18642 if (cpuid->nent < vcpu->arch.cpuid_nent)
18643 goto out;
18644 r = -EFAULT;
18645 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18646 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18647 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18648 goto out;
18649 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18650 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18651 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18652 + goto out;
18653 + }
18654 return 0;
18655
18656 out:
18657 @@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18658 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18659 struct kvm_interrupt *irq)
18660 {
18661 - if (irq->irq < 0 || irq->irq >= 256)
18662 + if (irq->irq >= 256)
18663 return -EINVAL;
18664 if (irqchip_in_kernel(vcpu->kvm))
18665 return -ENXIO;
18666 @@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
18667 .notifier_call = kvmclock_cpufreq_notifier
18668 };
18669
18670 -int kvm_arch_init(void *opaque)
18671 +int kvm_arch_init(const void *opaque)
18672 {
18673 int r, cpu;
18674 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
18675 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
18676
18677 if (kvm_x86_ops) {
18678 printk(KERN_ERR "kvm: already loaded the other module\n");
18679 diff -urNp linux-2.6.32.43/arch/x86/lguest/boot.c linux-2.6.32.43/arch/x86/lguest/boot.c
18680 --- linux-2.6.32.43/arch/x86/lguest/boot.c 2011-03-27 14:31:47.000000000 -0400
18681 +++ linux-2.6.32.43/arch/x86/lguest/boot.c 2011-08-05 20:33:55.000000000 -0400
18682 @@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
18683 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
18684 * Launcher to reboot us.
18685 */
18686 -static void lguest_restart(char *reason)
18687 +static __noreturn void lguest_restart(char *reason)
18688 {
18689 kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
18690 + BUG();
18691 }
18692
18693 /*G:050
18694 diff -urNp linux-2.6.32.43/arch/x86/lib/atomic64_32.c linux-2.6.32.43/arch/x86/lib/atomic64_32.c
18695 --- linux-2.6.32.43/arch/x86/lib/atomic64_32.c 2011-03-27 14:31:47.000000000 -0400
18696 +++ linux-2.6.32.43/arch/x86/lib/atomic64_32.c 2011-05-04 17:56:28.000000000 -0400
18697 @@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
18698 }
18699 EXPORT_SYMBOL(atomic64_cmpxchg);
18700
18701 +u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
18702 +{
18703 + return cmpxchg8b(&ptr->counter, old_val, new_val);
18704 +}
18705 +EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
18706 +
18707 /**
18708 * atomic64_xchg - xchg atomic64 variable
18709 * @ptr: pointer to type atomic64_t
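Review bot: `atomic64_cmpxchg_unchecked` is added without a kernel-doc block, and nothing visible in this file says how the `_unchecked` family differs from the plain atomic64 functions it mirrors. Since every other `_unchecked` helper added below is built on this one, a short header here, giving `@ptr`, `@old_val`, `@new_val`, the returned previous value and a sentence on when the unchecked type is the right choice (presumably counters that may legitimately wrap), would cover the whole family. The wrappers `atomic64_sub_return_unchecked`, `atomic64_inc_return_unchecked` and `atomic64_dec_return_unchecked` in a later hunk are also undocumented.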
18710 @@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
18711 EXPORT_SYMBOL(atomic64_xchg);
18712
18713 /**
18714 + * atomic64_xchg_unchecked - xchg atomic64 variable
18715 + * @ptr: pointer to type atomic64_unchecked_t
18716 + * @new_val: value to assign
18717 + *
18718 + * Atomically xchgs the value of @ptr to @new_val and returns
18719 + * the old value.
18720 + */
18721 +u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
18722 +{
18723 + /*
18724 + * Try first with a (possibly incorrect) assumption about
18725 + * what we have there. We'll do two loops most likely,
18726 + * but we'll get an ownership MESI transaction straight away
18727 + * instead of a read transaction followed by a
18728 + * flush-for-ownership transaction:
18729 + */
18730 + u64 old_val, real_val = 0;
18731 +
18732 + do {
18733 + old_val = real_val;
18734 +
18735 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
18736 +
18737 + } while (real_val != old_val);
18738 +
18739 + return old_val;
18740 +}
18741 +EXPORT_SYMBOL(atomic64_xchg_unchecked);
18742 +
18743 +/**
18744 * atomic64_set - set atomic64 variable
18745 * @ptr: pointer to type atomic64_t
18746 * @new_val: value to assign
18747 @@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
18748 EXPORT_SYMBOL(atomic64_set);
18749
18750 /**
18751 -EXPORT_SYMBOL(atomic64_read);
18752 + * atomic64_unchecked_set - set atomic64 variable
18753 + * @ptr: pointer to type atomic64_unchecked_t
18754 + * @new_val: value to assign
18755 + *
18756 + * Atomically sets the value of @ptr to @new_val.
18757 + */
18758 +void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
18759 +{
18760 + atomic64_xchg_unchecked(ptr, new_val);
18761 +}
18762 +EXPORT_SYMBOL(atomic64_set_unchecked);
18763 +
18764 +/**
18765 * atomic64_add_return - add and return
18766 * @delta: integer value to add
18767 * @ptr: pointer to type atomic64_t
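Review bot: The kernel-doc header added here names `atomic64_unchecked_set`, but the function it documents is `atomic64_set_unchecked`, so kernel-doc tooling and anyone searching for the symbol will miss it. The first comment line should read ` * atomic64_set_unchecked - set atomic64 variable`.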
18768 @@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
18769 }
18770 EXPORT_SYMBOL(atomic64_add_return);
18771
18772 +/**
18773 + * atomic64_add_return_unchecked - add and return
18774 + * @delta: integer value to add
18775 + * @ptr: pointer to type atomic64_unchecked_t
18776 + *
18777 + * Atomically adds @delta to @ptr and returns @delta + *@ptr
18778 + */
18779 +noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18780 +{
18781 + /*
18782 + * Try first with a (possibly incorrect) assumption about
18783 + * what we have there. We'll do two loops most likely,
18784 + * but we'll get an ownership MESI transaction straight away
18785 + * instead of a read transaction followed by a
18786 + * flush-for-ownership transaction:
18787 + */
18788 + u64 old_val, new_val, real_val = 0;
18789 +
18790 + do {
18791 + old_val = real_val;
18792 + new_val = old_val + delta;
18793 +
18794 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
18795 +
18796 + } while (real_val != old_val);
18797 +
18798 + return new_val;
18799 +}
18800 +EXPORT_SYMBOL(atomic64_add_return_unchecked);
18801 +
18802 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
18803 {
18804 return atomic64_add_return(-delta, ptr);
18805 }
18806 EXPORT_SYMBOL(atomic64_sub_return);
18807
18808 +u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18809 +{
18810 + return atomic64_add_return_unchecked(-delta, ptr);
18811 +}
18812 +EXPORT_SYMBOL(atomic64_sub_return_unchecked);
18813 +
18814 u64 atomic64_inc_return(atomic64_t *ptr)
18815 {
18816 return atomic64_add_return(1, ptr);
18817 }
18818 EXPORT_SYMBOL(atomic64_inc_return);
18819
18820 +u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
18821 +{
18822 + return atomic64_add_return_unchecked(1, ptr);
18823 +}
18824 +EXPORT_SYMBOL(atomic64_inc_return_unchecked);
18825 +
18826 u64 atomic64_dec_return(atomic64_t *ptr)
18827 {
18828 return atomic64_sub_return(1, ptr);
18829 }
18830 EXPORT_SYMBOL(atomic64_dec_return);
18831
18832 +u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
18833 +{
18834 + return atomic64_sub_return_unchecked(1, ptr);
18835 +}
18836 +EXPORT_SYMBOL(atomic64_dec_return_unchecked);
18837 +
18838 /**
18839 * atomic64_add - add integer to atomic64 variable
18840 * @delta: integer value to add
18841 @@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
18842 EXPORT_SYMBOL(atomic64_add);
18843
18844 /**
18845 + * atomic64_add_unchecked - add integer to atomic64 variable
18846 + * @delta: integer value to add
18847 + * @ptr: pointer to type atomic64_unchecked_t
18848 + *
18849 + * Atomically adds @delta to @ptr.
18850 + */
18851 +void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18852 +{
18853 + atomic64_add_return_unchecked(delta, ptr);
18854 +}
18855 +EXPORT_SYMBOL(atomic64_add_unchecked);
18856 +
18857 +/**
18858 * atomic64_sub - subtract the atomic64 variable
18859 * @delta: integer value to subtract
18860 * @ptr: pointer to type atomic64_t
18861 @@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
18862 EXPORT_SYMBOL(atomic64_sub);
18863
18864 /**
18865 + * atomic64_sub_unchecked - subtract the atomic64 variable
18866 + * @delta: integer value to subtract
18867 + * @ptr: pointer to type atomic64_unchecked_t
18868 + *
18869 + * Atomically subtracts @delta from @ptr.
18870 + */
18871 +void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18872 +{
18873 + atomic64_add_unchecked(-delta, ptr);
18874 +}
18875 +EXPORT_SYMBOL(atomic64_sub_unchecked);
18876 +
18877 +/**
18878 * atomic64_sub_and_test - subtract value from variable and test result
18879 * @delta: integer value to subtract
18880 * @ptr: pointer to type atomic64_t
18881 @@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
18882 EXPORT_SYMBOL(atomic64_inc);
18883
18884 /**
18885 + * atomic64_inc_unchecked - increment atomic64 variable
18886 + * @ptr: pointer to type atomic64_unchecked_t
18887 + *
18888 + * Atomically increments @ptr by 1.
18889 + */
18890 +void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
18891 +{
18892 + atomic64_add_unchecked(1, ptr);
18893 +}
18894 +EXPORT_SYMBOL(atomic64_inc_unchecked);
18895 +
18896 +/**
18897 * atomic64_dec - decrement atomic64 variable
18898 * @ptr: pointer to type atomic64_t
18899 *
18900 @@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
18901 EXPORT_SYMBOL(atomic64_dec);
18902
18903 /**
18904 + * atomic64_dec_unchecked - decrement atomic64 variable
18905 + * @ptr: pointer to type atomic64_unchecked_t
18906 + *
18907 + * Atomically decrements @ptr by 1.
18908 + */
18909 +void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
18910 +{
18911 + atomic64_sub_unchecked(1, ptr);
18912 +}
18913 +EXPORT_SYMBOL(atomic64_dec_unchecked);
18914 +
18915 +/**
18916 * atomic64_dec_and_test - decrement and test
18917 * @ptr: pointer to type atomic64_t
18918 *
18919 diff -urNp linux-2.6.32.43/arch/x86/lib/checksum_32.S linux-2.6.32.43/arch/x86/lib/checksum_32.S
18920 --- linux-2.6.32.43/arch/x86/lib/checksum_32.S 2011-03-27 14:31:47.000000000 -0400
18921 +++ linux-2.6.32.43/arch/x86/lib/checksum_32.S 2011-04-17 15:56:46.000000000 -0400
18922 @@ -28,7 +28,8 @@
18923 #include <linux/linkage.h>
18924 #include <asm/dwarf2.h>
18925 #include <asm/errno.h>
18926 -
18927 +#include <asm/segment.h>
18928 +
18929 /*
18930 * computes a partial checksum, e.g. for TCP/UDP fragments
18931 */
18932 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
18933
18934 #define ARGBASE 16
18935 #define FP 12
18936 -
18937 -ENTRY(csum_partial_copy_generic)
18938 +
18939 +ENTRY(csum_partial_copy_generic_to_user)
18940 CFI_STARTPROC
18941 +
18942 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18943 + pushl %gs
18944 + CFI_ADJUST_CFA_OFFSET 4
18945 + popl %es
18946 + CFI_ADJUST_CFA_OFFSET -4
18947 + jmp csum_partial_copy_generic
18948 +#endif
18949 +
18950 +ENTRY(csum_partial_copy_generic_from_user)
18951 +
18952 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18953 + pushl %gs
18954 + CFI_ADJUST_CFA_OFFSET 4
18955 + popl %ds
18956 + CFI_ADJUST_CFA_OFFSET -4
18957 +#endif
18958 +
18959 +ENTRY(csum_partial_copy_generic)
18960 subl $4,%esp
18961 CFI_ADJUST_CFA_OFFSET 4
18962 pushl %edi
18963 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
18964 jmp 4f
18965 SRC(1: movw (%esi), %bx )
18966 addl $2, %esi
18967 -DST( movw %bx, (%edi) )
18968 +DST( movw %bx, %es:(%edi) )
18969 addl $2, %edi
18970 addw %bx, %ax
18971 adcl $0, %eax
18972 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
18973 SRC(1: movl (%esi), %ebx )
18974 SRC( movl 4(%esi), %edx )
18975 adcl %ebx, %eax
18976 -DST( movl %ebx, (%edi) )
18977 +DST( movl %ebx, %es:(%edi) )
18978 adcl %edx, %eax
18979 -DST( movl %edx, 4(%edi) )
18980 +DST( movl %edx, %es:4(%edi) )
18981
18982 SRC( movl 8(%esi), %ebx )
18983 SRC( movl 12(%esi), %edx )
18984 adcl %ebx, %eax
18985 -DST( movl %ebx, 8(%edi) )
18986 +DST( movl %ebx, %es:8(%edi) )
18987 adcl %edx, %eax
18988 -DST( movl %edx, 12(%edi) )
18989 +DST( movl %edx, %es:12(%edi) )
18990
18991 SRC( movl 16(%esi), %ebx )
18992 SRC( movl 20(%esi), %edx )
18993 adcl %ebx, %eax
18994 -DST( movl %ebx, 16(%edi) )
18995 +DST( movl %ebx, %es:16(%edi) )
18996 adcl %edx, %eax
18997 -DST( movl %edx, 20(%edi) )
18998 +DST( movl %edx, %es:20(%edi) )
18999
19000 SRC( movl 24(%esi), %ebx )
19001 SRC( movl 28(%esi), %edx )
19002 adcl %ebx, %eax
19003 -DST( movl %ebx, 24(%edi) )
19004 +DST( movl %ebx, %es:24(%edi) )
19005 adcl %edx, %eax
19006 -DST( movl %edx, 28(%edi) )
19007 +DST( movl %edx, %es:28(%edi) )
19008
19009 lea 32(%esi), %esi
19010 lea 32(%edi), %edi
19011 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
19012 shrl $2, %edx # This clears CF
19013 SRC(3: movl (%esi), %ebx )
19014 adcl %ebx, %eax
19015 -DST( movl %ebx, (%edi) )
19016 +DST( movl %ebx, %es:(%edi) )
19017 lea 4(%esi), %esi
19018 lea 4(%edi), %edi
19019 dec %edx
19020 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
19021 jb 5f
19022 SRC( movw (%esi), %cx )
19023 leal 2(%esi), %esi
19024 -DST( movw %cx, (%edi) )
19025 +DST( movw %cx, %es:(%edi) )
19026 leal 2(%edi), %edi
19027 je 6f
19028 shll $16,%ecx
19029 SRC(5: movb (%esi), %cl )
19030 -DST( movb %cl, (%edi) )
19031 +DST( movb %cl, %es:(%edi) )
19032 6: addl %ecx, %eax
19033 adcl $0, %eax
19034 7:
19035 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
19036
19037 6001:
19038 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19039 - movl $-EFAULT, (%ebx)
19040 + movl $-EFAULT, %ss:(%ebx)
19041
19042 # zero the complete destination - computing the rest
19043 # is too much work
19044 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
19045
19046 6002:
19047 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19048 - movl $-EFAULT,(%ebx)
19049 + movl $-EFAULT,%ss:(%ebx)
19050 jmp 5000b
19051
19052 .previous
19053
19054 + pushl %ss
19055 + CFI_ADJUST_CFA_OFFSET 4
19056 + popl %ds
19057 + CFI_ADJUST_CFA_OFFSET -4
19058 + pushl %ss
19059 + CFI_ADJUST_CFA_OFFSET 4
19060 + popl %es
19061 + CFI_ADJUST_CFA_OFFSET -4
19062 popl %ebx
19063 CFI_ADJUST_CFA_OFFSET -4
19064 CFI_RESTORE ebx
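Review bot: The `pushl %ss` / `popl %ds` and `pushl %ss` / `popl %es` restore added before `popl %ebx` is not wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The matching restore in the PentiumII/PPro variant later in this file is wrapped, and so is the entry code that switches `%ds`/`%es` to `%gs`. As written this variant reloads both segment registers on every call even in builds where they were never changed; enclosing the eight added lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` … `#endif` would make the two variants agree. The function starts and ends outside this hunk.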
19065 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
19066 CFI_ADJUST_CFA_OFFSET -4
19067 ret
19068 CFI_ENDPROC
19069 -ENDPROC(csum_partial_copy_generic)
19070 +ENDPROC(csum_partial_copy_generic_to_user)
19071
19072 #else
19073
19074 /* Version for PentiumII/PPro */
19075
19076 #define ROUND1(x) \
19077 + nop; nop; nop; \
19078 SRC(movl x(%esi), %ebx ) ; \
19079 addl %ebx, %eax ; \
19080 - DST(movl %ebx, x(%edi) ) ;
19081 + DST(movl %ebx, %es:x(%edi)) ;
19082
19083 #define ROUND(x) \
19084 + nop; nop; nop; \
19085 SRC(movl x(%esi), %ebx ) ; \
19086 adcl %ebx, %eax ; \
19087 - DST(movl %ebx, x(%edi) ) ;
19088 + DST(movl %ebx, %es:x(%edi)) ;
19089
19090 #define ARGBASE 12
19091 -
19092 -ENTRY(csum_partial_copy_generic)
19093 +
19094 +ENTRY(csum_partial_copy_generic_to_user)
19095 CFI_STARTPROC
19096 +
19097 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19098 + pushl %gs
19099 + CFI_ADJUST_CFA_OFFSET 4
19100 + popl %es
19101 + CFI_ADJUST_CFA_OFFSET -4
19102 + jmp csum_partial_copy_generic
19103 +#endif
19104 +
19105 +ENTRY(csum_partial_copy_generic_from_user)
19106 +
19107 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19108 + pushl %gs
19109 + CFI_ADJUST_CFA_OFFSET 4
19110 + popl %ds
19111 + CFI_ADJUST_CFA_OFFSET -4
19112 +#endif
19113 +
19114 +ENTRY(csum_partial_copy_generic)
19115 pushl %ebx
19116 CFI_ADJUST_CFA_OFFSET 4
19117 CFI_REL_OFFSET ebx, 0
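Review bot: The `nop; nop; nop;` prefix added to `ROUND1` and `ROUND` has no comment, and it appears to be coupled to the scale change `lea 3f(%ebx,%ebx,2), %ebx` in the next hunk: the computed `jmp *%ebx` lands inside the unrolled rounds, so each round's encoded size has to match the multiplier. That dependency is easy to break by touching either macro. A comment on the macros such as `/* padded so that every round has the same fixed size; the computed jump below (lea 3f(%ebx,%ebx,2)) relies on it */` would record it, with the exact byte count filled in by the author. The note assumes the `%es:` override is what changed the round size, which should be confirmed.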
19118 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
19119 subl %ebx, %edi
19120 lea -1(%esi),%edx
19121 andl $-32,%edx
19122 - lea 3f(%ebx,%ebx), %ebx
19123 + lea 3f(%ebx,%ebx,2), %ebx
19124 testl %esi, %esi
19125 jmp *%ebx
19126 1: addl $64,%esi
19127 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
19128 jb 5f
19129 SRC( movw (%esi), %dx )
19130 leal 2(%esi), %esi
19131 -DST( movw %dx, (%edi) )
19132 +DST( movw %dx, %es:(%edi) )
19133 leal 2(%edi), %edi
19134 je 6f
19135 shll $16,%edx
19136 5:
19137 SRC( movb (%esi), %dl )
19138 -DST( movb %dl, (%edi) )
19139 +DST( movb %dl, %es:(%edi) )
19140 6: addl %edx, %eax
19141 adcl $0, %eax
19142 7:
19143 .section .fixup, "ax"
19144 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19145 - movl $-EFAULT, (%ebx)
19146 + movl $-EFAULT, %ss:(%ebx)
19147 # zero the complete destination (computing the rest is too much work)
19148 movl ARGBASE+8(%esp),%edi # dst
19149 movl ARGBASE+12(%esp),%ecx # len
19150 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
19151 rep; stosb
19152 jmp 7b
19153 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19154 - movl $-EFAULT, (%ebx)
19155 + movl $-EFAULT, %ss:(%ebx)
19156 jmp 7b
19157 .previous
19158
19159 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19160 + pushl %ss
19161 + CFI_ADJUST_CFA_OFFSET 4
19162 + popl %ds
19163 + CFI_ADJUST_CFA_OFFSET -4
19164 + pushl %ss
19165 + CFI_ADJUST_CFA_OFFSET 4
19166 + popl %es
19167 + CFI_ADJUST_CFA_OFFSET -4
19168 +#endif
19169 +
19170 popl %esi
19171 CFI_ADJUST_CFA_OFFSET -4
19172 CFI_RESTORE esi
19173 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
19174 CFI_RESTORE ebx
19175 ret
19176 CFI_ENDPROC
19177 -ENDPROC(csum_partial_copy_generic)
19178 +ENDPROC(csum_partial_copy_generic_to_user)
19179
19180 #undef ROUND
19181 #undef ROUND1
19182 diff -urNp linux-2.6.32.43/arch/x86/lib/clear_page_64.S linux-2.6.32.43/arch/x86/lib/clear_page_64.S
19183 --- linux-2.6.32.43/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
19184 +++ linux-2.6.32.43/arch/x86/lib/clear_page_64.S 2011-04-17 15:56:46.000000000 -0400
19185 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19186
19187 #include <asm/cpufeature.h>
19188
19189 - .section .altinstr_replacement,"ax"
19190 + .section .altinstr_replacement,"a"
19191 1: .byte 0xeb /* jmp <disp8> */
19192 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19193 2:
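Review bot: The section flags for `.altinstr_replacement` change from `"ax"` to `"a"` with no comment, so the section silently stops being marked executable. If the reasoning is that replacement bytes are only ever copied over the original instructions and never run in place, a one-line comment above the directive would say so, e.g. `/* replacement bytes are data: copied by the alternatives code, never executed here */`. The same change is repeated in copy_page_64.S, copy_user_64.S, memcpy_64.S and memset_64.S below, and every definition of this section needs the same flags or the linker will see conflicting attributes.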
19194 diff -urNp linux-2.6.32.43/arch/x86/lib/copy_page_64.S linux-2.6.32.43/arch/x86/lib/copy_page_64.S
19195 --- linux-2.6.32.43/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
19196 +++ linux-2.6.32.43/arch/x86/lib/copy_page_64.S 2011-04-17 15:56:46.000000000 -0400
19197 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19198
19199 #include <asm/cpufeature.h>
19200
19201 - .section .altinstr_replacement,"ax"
19202 + .section .altinstr_replacement,"a"
19203 1: .byte 0xeb /* jmp <disp8> */
19204 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19205 2:
19206 diff -urNp linux-2.6.32.43/arch/x86/lib/copy_user_64.S linux-2.6.32.43/arch/x86/lib/copy_user_64.S
19207 --- linux-2.6.32.43/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
19208 +++ linux-2.6.32.43/arch/x86/lib/copy_user_64.S 2011-06-25 12:56:37.000000000 -0400
19209 @@ -15,13 +15,14 @@
19210 #include <asm/asm-offsets.h>
19211 #include <asm/thread_info.h>
19212 #include <asm/cpufeature.h>
19213 +#include <asm/pgtable.h>
19214
19215 .macro ALTERNATIVE_JUMP feature,orig,alt
19216 0:
19217 .byte 0xe9 /* 32bit jump */
19218 .long \orig-1f /* by default jump to orig */
19219 1:
19220 - .section .altinstr_replacement,"ax"
19221 + .section .altinstr_replacement,"a"
19222 2: .byte 0xe9 /* near jump with 32bit immediate */
19223 .long \alt-1b /* offset */ /* or alternatively to alt */
19224 .previous
19225 @@ -64,49 +65,19 @@
19226 #endif
19227 .endm
19228
19229 -/* Standard copy_to_user with segment limit checking */
19230 -ENTRY(copy_to_user)
19231 - CFI_STARTPROC
19232 - GET_THREAD_INFO(%rax)
19233 - movq %rdi,%rcx
19234 - addq %rdx,%rcx
19235 - jc bad_to_user
19236 - cmpq TI_addr_limit(%rax),%rcx
19237 - ja bad_to_user
19238 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19239 - CFI_ENDPROC
19240 -ENDPROC(copy_to_user)
19241 -
19242 -/* Standard copy_from_user with segment limit checking */
19243 -ENTRY(copy_from_user)
19244 - CFI_STARTPROC
19245 - GET_THREAD_INFO(%rax)
19246 - movq %rsi,%rcx
19247 - addq %rdx,%rcx
19248 - jc bad_from_user
19249 - cmpq TI_addr_limit(%rax),%rcx
19250 - ja bad_from_user
19251 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19252 - CFI_ENDPROC
19253 -ENDPROC(copy_from_user)
19254 -
19255 ENTRY(copy_user_generic)
19256 CFI_STARTPROC
19257 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19258 CFI_ENDPROC
19259 ENDPROC(copy_user_generic)
19260
19261 -ENTRY(__copy_from_user_inatomic)
19262 - CFI_STARTPROC
19263 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19264 - CFI_ENDPROC
19265 -ENDPROC(__copy_from_user_inatomic)
19266 -
19267 .section .fixup,"ax"
19268 /* must zero dest */
19269 ENTRY(bad_from_user)
19270 bad_from_user:
19271 CFI_STARTPROC
19272 + testl %edx,%edx
19273 + js bad_to_user
19274 movl %edx,%ecx
19275 xorl %eax,%eax
19276 rep
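Review bot: The added `testl %edx,%edx` / `js bad_to_user` at the top of `bad_from_user` is undocumented; it diverts to `bad_to_user` before the zeroing sequence that follows (`movl %edx,%ecx` … `rep`) whenever the 32-bit length has its sign bit set. A comment such as `/* length with the sign bit set: skip zeroing the destination */` would make the guard's purpose explicit. This hunk also deletes the assembly `copy_to_user` and `copy_from_user` entry points, which performed the carry and `TI_addr_limit` comparison, and their replacement is not visible here. It should be confirmed that whatever now provides those symbols performs an equivalent range check before reaching `copy_user_generic`. bad_from_user continues outside the hunk.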
19277 diff -urNp linux-2.6.32.43/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.43/arch/x86/lib/copy_user_nocache_64.S
19278 --- linux-2.6.32.43/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
19279 +++ linux-2.6.32.43/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:56:46.000000000 -0400
19280 @@ -14,6 +14,7 @@
19281 #include <asm/current.h>
19282 #include <asm/asm-offsets.h>
19283 #include <asm/thread_info.h>
19284 +#include <asm/pgtable.h>
19285
19286 .macro ALIGN_DESTINATION
19287 #ifdef FIX_ALIGNMENT
19288 @@ -50,6 +51,15 @@
19289 */
19290 ENTRY(__copy_user_nocache)
19291 CFI_STARTPROC
19292 +
19293 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19294 + mov $PAX_USER_SHADOW_BASE,%rcx
19295 + cmp %rcx,%rsi
19296 + jae 1f
19297 + add %rcx,%rsi
19298 +1:
19299 +#endif
19300 +
19301 cmpl $8,%edx
19302 jb 20f /* less then 8 bytes, go to byte copy loop */
19303 ALIGN_DESTINATION
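Review bot: The added UDEREF block uses the numeric local label `1:` as its branch target, which is a style hazard in a routine that, as far as this hunk shows, goes on to use its own numbered labels and exception-table references. The equivalent block in getuser.S in this same patch uses `1234:`, so `jae 1234f` and `1234:` here would be consistent and could not be confused with the copy loop's labels. The block also overwrites `%rcx` with `$PAX_USER_SHADOW_BASE`, and a short comment stating that `%rcx` is free at entry would help. `__copy_user_nocache` continues outside the hunk.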
19304 diff -urNp linux-2.6.32.43/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.43/arch/x86/lib/csum-wrappers_64.c
19305 --- linux-2.6.32.43/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
19306 +++ linux-2.6.32.43/arch/x86/lib/csum-wrappers_64.c 2011-05-04 17:56:20.000000000 -0400
19307 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19308 len -= 2;
19309 }
19310 }
19311 +
19312 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19313 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19314 + src += PAX_USER_SHADOW_BASE;
19315 +#endif
19316 +
19317 isum = csum_partial_copy_generic((__force const void *)src,
19318 dst, len, isum, errp, NULL);
19319 if (unlikely(*errp))
19320 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19321 }
19322
19323 *errp = 0;
19324 +
19325 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19326 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19327 + dst += PAX_USER_SHADOW_BASE;
19328 +#endif
19329 +
19330 return csum_partial_copy_generic(src, (void __force *)dst,
19331 len, isum, NULL, errp);
19332 }
19333 diff -urNp linux-2.6.32.43/arch/x86/lib/getuser.S linux-2.6.32.43/arch/x86/lib/getuser.S
19334 --- linux-2.6.32.43/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
19335 +++ linux-2.6.32.43/arch/x86/lib/getuser.S 2011-04-17 15:56:46.000000000 -0400
19336 @@ -33,14 +33,35 @@
19337 #include <asm/asm-offsets.h>
19338 #include <asm/thread_info.h>
19339 #include <asm/asm.h>
19340 +#include <asm/segment.h>
19341 +#include <asm/pgtable.h>
19342 +
19343 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19344 +#define __copyuser_seg gs;
19345 +#else
19346 +#define __copyuser_seg
19347 +#endif
19348
19349 .text
19350 ENTRY(__get_user_1)
19351 CFI_STARTPROC
19352 +
19353 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19354 GET_THREAD_INFO(%_ASM_DX)
19355 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19356 jae bad_get_user
19357 -1: movzb (%_ASM_AX),%edx
19358 +
19359 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19360 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19361 + cmp %_ASM_DX,%_ASM_AX
19362 + jae 1234f
19363 + add %_ASM_DX,%_ASM_AX
19364 +1234:
19365 +#endif
19366 +
19367 +#endif
19368 +
19369 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19370 xor %eax,%eax
19371 ret
19372 CFI_ENDPROC
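Review bot: On 32-bit UDEREF builds the new `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` guard compiles out the whole `TI_addr_limit` comparison, so the only remaining bound on the access is the `%gs` override supplied by `__copyuser_seg`, and no comment says so. A comment at the `#define __copyuser_seg gs;` line would make that dependency explicit, e.g. `/* i386 UDEREF: user accesses go through %gs, whose segment limit replaces the addr_limit check below */` (to be confirmed by the author). The five-line `PAX_USER_SHADOW_BASE` adjustment ending in `1234:` is pasted here and again in `__get_user_2`, `__get_user_4` and `__get_user_8`. A single assembler macro would keep the four copies from drifting apart.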
19373 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19374 ENTRY(__get_user_2)
19375 CFI_STARTPROC
19376 add $1,%_ASM_AX
19377 +
19378 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19379 jc bad_get_user
19380 GET_THREAD_INFO(%_ASM_DX)
19381 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19382 jae bad_get_user
19383 -2: movzwl -1(%_ASM_AX),%edx
19384 +
19385 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19386 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19387 + cmp %_ASM_DX,%_ASM_AX
19388 + jae 1234f
19389 + add %_ASM_DX,%_ASM_AX
19390 +1234:
19391 +#endif
19392 +
19393 +#endif
19394 +
19395 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19396 xor %eax,%eax
19397 ret
19398 CFI_ENDPROC
19399 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19400 ENTRY(__get_user_4)
19401 CFI_STARTPROC
19402 add $3,%_ASM_AX
19403 +
19404 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19405 jc bad_get_user
19406 GET_THREAD_INFO(%_ASM_DX)
19407 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19408 jae bad_get_user
19409 -3: mov -3(%_ASM_AX),%edx
19410 +
19411 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19412 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19413 + cmp %_ASM_DX,%_ASM_AX
19414 + jae 1234f
19415 + add %_ASM_DX,%_ASM_AX
19416 +1234:
19417 +#endif
19418 +
19419 +#endif
19420 +
19421 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
19422 xor %eax,%eax
19423 ret
19424 CFI_ENDPROC
19425 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
19426 GET_THREAD_INFO(%_ASM_DX)
19427 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19428 jae bad_get_user
19429 +
19430 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19431 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19432 + cmp %_ASM_DX,%_ASM_AX
19433 + jae 1234f
19434 + add %_ASM_DX,%_ASM_AX
19435 +1234:
19436 +#endif
19437 +
19438 4: movq -7(%_ASM_AX),%_ASM_DX
19439 xor %eax,%eax
19440 ret
19441 diff -urNp linux-2.6.32.43/arch/x86/lib/memcpy_64.S linux-2.6.32.43/arch/x86/lib/memcpy_64.S
19442 --- linux-2.6.32.43/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
19443 +++ linux-2.6.32.43/arch/x86/lib/memcpy_64.S 2011-04-17 15:56:46.000000000 -0400
19444 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
19445 * It is also a lot simpler. Use this when possible:
19446 */
19447
19448 - .section .altinstr_replacement, "ax"
19449 + .section .altinstr_replacement, "a"
19450 1: .byte 0xeb /* jmp <disp8> */
19451 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
19452 2:
19453 diff -urNp linux-2.6.32.43/arch/x86/lib/memset_64.S linux-2.6.32.43/arch/x86/lib/memset_64.S
19454 --- linux-2.6.32.43/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
19455 +++ linux-2.6.32.43/arch/x86/lib/memset_64.S 2011-04-17 15:56:46.000000000 -0400
19456 @@ -118,7 +118,7 @@ ENDPROC(__memset)
19457
19458 #include <asm/cpufeature.h>
19459
19460 - .section .altinstr_replacement,"ax"
19461 + .section .altinstr_replacement,"a"
19462 1: .byte 0xeb /* jmp <disp8> */
19463 .byte (memset_c - memset) - (2f - 1b) /* offset */
19464 2:
19465 diff -urNp linux-2.6.32.43/arch/x86/lib/mmx_32.c linux-2.6.32.43/arch/x86/lib/mmx_32.c
19466 --- linux-2.6.32.43/arch/x86/lib/mmx_32.c 2011-03-27 14:31:47.000000000 -0400
19467 +++ linux-2.6.32.43/arch/x86/lib/mmx_32.c 2011-04-17 15:56:46.000000000 -0400
19468 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
19469 {
19470 void *p;
19471 int i;
19472 + unsigned long cr0;
19473
19474 if (unlikely(in_interrupt()))
19475 return __memcpy(to, from, len);
19476 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
19477 kernel_fpu_begin();
19478
19479 __asm__ __volatile__ (
19480 - "1: prefetch (%0)\n" /* This set is 28 bytes */
19481 - " prefetch 64(%0)\n"
19482 - " prefetch 128(%0)\n"
19483 - " prefetch 192(%0)\n"
19484 - " prefetch 256(%0)\n"
19485 + "1: prefetch (%1)\n" /* This set is 28 bytes */
19486 + " prefetch 64(%1)\n"
19487 + " prefetch 128(%1)\n"
19488 + " prefetch 192(%1)\n"
19489 + " prefetch 256(%1)\n"
19490 "2: \n"
19491 ".section .fixup, \"ax\"\n"
19492 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19493 + "3: \n"
19494 +
19495 +#ifdef CONFIG_PAX_KERNEXEC
19496 + " movl %%cr0, %0\n"
19497 + " movl %0, %%eax\n"
19498 + " andl $0xFFFEFFFF, %%eax\n"
19499 + " movl %%eax, %%cr0\n"
19500 +#endif
19501 +
19502 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19503 +
19504 +#ifdef CONFIG_PAX_KERNEXEC
19505 + " movl %0, %%cr0\n"
19506 +#endif
19507 +
19508 " jmp 2b\n"
19509 ".previous\n"
19510 _ASM_EXTABLE(1b, 3b)
19511 - : : "r" (from));
19512 + : "=&r" (cr0) : "r" (from) : "ax");
19513
19514 for ( ; i > 5; i--) {
19515 __asm__ __volatile__ (
19516 - "1: prefetch 320(%0)\n"
19517 - "2: movq (%0), %%mm0\n"
19518 - " movq 8(%0), %%mm1\n"
19519 - " movq 16(%0), %%mm2\n"
19520 - " movq 24(%0), %%mm3\n"
19521 - " movq %%mm0, (%1)\n"
19522 - " movq %%mm1, 8(%1)\n"
19523 - " movq %%mm2, 16(%1)\n"
19524 - " movq %%mm3, 24(%1)\n"
19525 - " movq 32(%0), %%mm0\n"
19526 - " movq 40(%0), %%mm1\n"
19527 - " movq 48(%0), %%mm2\n"
19528 - " movq 56(%0), %%mm3\n"
19529 - " movq %%mm0, 32(%1)\n"
19530 - " movq %%mm1, 40(%1)\n"
19531 - " movq %%mm2, 48(%1)\n"
19532 - " movq %%mm3, 56(%1)\n"
19533 + "1: prefetch 320(%1)\n"
19534 + "2: movq (%1), %%mm0\n"
19535 + " movq 8(%1), %%mm1\n"
19536 + " movq 16(%1), %%mm2\n"
19537 + " movq 24(%1), %%mm3\n"
19538 + " movq %%mm0, (%2)\n"
19539 + " movq %%mm1, 8(%2)\n"
19540 + " movq %%mm2, 16(%2)\n"
19541 + " movq %%mm3, 24(%2)\n"
19542 + " movq 32(%1), %%mm0\n"
19543 + " movq 40(%1), %%mm1\n"
19544 + " movq 48(%1), %%mm2\n"
19545 + " movq 56(%1), %%mm3\n"
19546 + " movq %%mm0, 32(%2)\n"
19547 + " movq %%mm1, 40(%2)\n"
19548 + " movq %%mm2, 48(%2)\n"
19549 + " movq %%mm3, 56(%2)\n"
19550 ".section .fixup, \"ax\"\n"
19551 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19552 + "3:\n"
19553 +
19554 +#ifdef CONFIG_PAX_KERNEXEC
19555 + " movl %%cr0, %0\n"
19556 + " movl %0, %%eax\n"
19557 + " andl $0xFFFEFFFF, %%eax\n"
19558 + " movl %%eax, %%cr0\n"
19559 +#endif
19560 +
19561 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19562 +
19563 +#ifdef CONFIG_PAX_KERNEXEC
19564 + " movl %0, %%cr0\n"
19565 +#endif
19566 +
19567 " jmp 2b\n"
19568 ".previous\n"
19569 _ASM_EXTABLE(1b, 3b)
19570 - : : "r" (from), "r" (to) : "memory");
19571 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19572
19573 from += 64;
19574 to += 64;
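Review bot: The fixup at label `3:` clears CR0.WP (the `andl $0xFFFEFFFF, %%eax` mask drops bit 16) around the self-patching `movw $0x1AEB, 1b`, yet the hunk carries no comment saying so and nothing visible masks interrupts while write protection is off. I would add above the first `#ifdef CONFIG_PAX_KERNEXEC` something like `/* KERNEXEC: drop CR0.WP only for the one store that patches the prefetch at 1b, then restore the saved CR0 */`, and confirm that an interrupt taken between the two CR0 writes cannot leave WP cleared longer than that store. The same save/clear/patch/restore sequence appears twice in this hunk and again in both fast_copy_page() hunks below, so a single shared string macro would keep the mask and the restore in one place. The `cr0` output and the `"ax"` clobber are added unconditionally, so builds without CONFIG_PAX_KERNEXEC also reserve two registers for nothing. _mmx_memcpy() starts and ends outside the hunk.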
19575 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
19576 static void fast_copy_page(void *to, void *from)
19577 {
19578 int i;
19579 + unsigned long cr0;
19580
19581 kernel_fpu_begin();
19582
19583 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
19584 * but that is for later. -AV
19585 */
19586 __asm__ __volatile__(
19587 - "1: prefetch (%0)\n"
19588 - " prefetch 64(%0)\n"
19589 - " prefetch 128(%0)\n"
19590 - " prefetch 192(%0)\n"
19591 - " prefetch 256(%0)\n"
19592 + "1: prefetch (%1)\n"
19593 + " prefetch 64(%1)\n"
19594 + " prefetch 128(%1)\n"
19595 + " prefetch 192(%1)\n"
19596 + " prefetch 256(%1)\n"
19597 "2: \n"
19598 ".section .fixup, \"ax\"\n"
19599 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19600 + "3: \n"
19601 +
19602 +#ifdef CONFIG_PAX_KERNEXEC
19603 + " movl %%cr0, %0\n"
19604 + " movl %0, %%eax\n"
19605 + " andl $0xFFFEFFFF, %%eax\n"
19606 + " movl %%eax, %%cr0\n"
19607 +#endif
19608 +
19609 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19610 +
19611 +#ifdef CONFIG_PAX_KERNEXEC
19612 + " movl %0, %%cr0\n"
19613 +#endif
19614 +
19615 " jmp 2b\n"
19616 ".previous\n"
19617 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
19618 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
19619
19620 for (i = 0; i < (4096-320)/64; i++) {
19621 __asm__ __volatile__ (
19622 - "1: prefetch 320(%0)\n"
19623 - "2: movq (%0), %%mm0\n"
19624 - " movntq %%mm0, (%1)\n"
19625 - " movq 8(%0), %%mm1\n"
19626 - " movntq %%mm1, 8(%1)\n"
19627 - " movq 16(%0), %%mm2\n"
19628 - " movntq %%mm2, 16(%1)\n"
19629 - " movq 24(%0), %%mm3\n"
19630 - " movntq %%mm3, 24(%1)\n"
19631 - " movq 32(%0), %%mm4\n"
19632 - " movntq %%mm4, 32(%1)\n"
19633 - " movq 40(%0), %%mm5\n"
19634 - " movntq %%mm5, 40(%1)\n"
19635 - " movq 48(%0), %%mm6\n"
19636 - " movntq %%mm6, 48(%1)\n"
19637 - " movq 56(%0), %%mm7\n"
19638 - " movntq %%mm7, 56(%1)\n"
19639 + "1: prefetch 320(%1)\n"
19640 + "2: movq (%1), %%mm0\n"
19641 + " movntq %%mm0, (%2)\n"
19642 + " movq 8(%1), %%mm1\n"
19643 + " movntq %%mm1, 8(%2)\n"
19644 + " movq 16(%1), %%mm2\n"
19645 + " movntq %%mm2, 16(%2)\n"
19646 + " movq 24(%1), %%mm3\n"
19647 + " movntq %%mm3, 24(%2)\n"
19648 + " movq 32(%1), %%mm4\n"
19649 + " movntq %%mm4, 32(%2)\n"
19650 + " movq 40(%1), %%mm5\n"
19651 + " movntq %%mm5, 40(%2)\n"
19652 + " movq 48(%1), %%mm6\n"
19653 + " movntq %%mm6, 48(%2)\n"
19654 + " movq 56(%1), %%mm7\n"
19655 + " movntq %%mm7, 56(%2)\n"
19656 ".section .fixup, \"ax\"\n"
19657 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19658 + "3:\n"
19659 +
19660 +#ifdef CONFIG_PAX_KERNEXEC
19661 + " movl %%cr0, %0\n"
19662 + " movl %0, %%eax\n"
19663 + " andl $0xFFFEFFFF, %%eax\n"
19664 + " movl %%eax, %%cr0\n"
19665 +#endif
19666 +
19667 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19668 +
19669 +#ifdef CONFIG_PAX_KERNEXEC
19670 + " movl %0, %%cr0\n"
19671 +#endif
19672 +
19673 " jmp 2b\n"
19674 ".previous\n"
19675 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
19676 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19677
19678 from += 64;
19679 to += 64;
19680 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
19681 static void fast_copy_page(void *to, void *from)
19682 {
19683 int i;
19684 + unsigned long cr0;
19685
19686 kernel_fpu_begin();
19687
19688 __asm__ __volatile__ (
19689 - "1: prefetch (%0)\n"
19690 - " prefetch 64(%0)\n"
19691 - " prefetch 128(%0)\n"
19692 - " prefetch 192(%0)\n"
19693 - " prefetch 256(%0)\n"
19694 + "1: prefetch (%1)\n"
19695 + " prefetch 64(%1)\n"
19696 + " prefetch 128(%1)\n"
19697 + " prefetch 192(%1)\n"
19698 + " prefetch 256(%1)\n"
19699 "2: \n"
19700 ".section .fixup, \"ax\"\n"
19701 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19702 + "3: \n"
19703 +
19704 +#ifdef CONFIG_PAX_KERNEXEC
19705 + " movl %%cr0, %0\n"
19706 + " movl %0, %%eax\n"
19707 + " andl $0xFFFEFFFF, %%eax\n"
19708 + " movl %%eax, %%cr0\n"
19709 +#endif
19710 +
19711 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19712 +
19713 +#ifdef CONFIG_PAX_KERNEXEC
19714 + " movl %0, %%cr0\n"
19715 +#endif
19716 +
19717 " jmp 2b\n"
19718 ".previous\n"
19719 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
19720 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
19721
19722 for (i = 0; i < 4096/64; i++) {
19723 __asm__ __volatile__ (
19724 - "1: prefetch 320(%0)\n"
19725 - "2: movq (%0), %%mm0\n"
19726 - " movq 8(%0), %%mm1\n"
19727 - " movq 16(%0), %%mm2\n"
19728 - " movq 24(%0), %%mm3\n"
19729 - " movq %%mm0, (%1)\n"
19730 - " movq %%mm1, 8(%1)\n"
19731 - " movq %%mm2, 16(%1)\n"
19732 - " movq %%mm3, 24(%1)\n"
19733 - " movq 32(%0), %%mm0\n"
19734 - " movq 40(%0), %%mm1\n"
19735 - " movq 48(%0), %%mm2\n"
19736 - " movq 56(%0), %%mm3\n"
19737 - " movq %%mm0, 32(%1)\n"
19738 - " movq %%mm1, 40(%1)\n"
19739 - " movq %%mm2, 48(%1)\n"
19740 - " movq %%mm3, 56(%1)\n"
19741 + "1: prefetch 320(%1)\n"
19742 + "2: movq (%1), %%mm0\n"
19743 + " movq 8(%1), %%mm1\n"
19744 + " movq 16(%1), %%mm2\n"
19745 + " movq 24(%1), %%mm3\n"
19746 + " movq %%mm0, (%2)\n"
19747 + " movq %%mm1, 8(%2)\n"
19748 + " movq %%mm2, 16(%2)\n"
19749 + " movq %%mm3, 24(%2)\n"
19750 + " movq 32(%1), %%mm0\n"
19751 + " movq 40(%1), %%mm1\n"
19752 + " movq 48(%1), %%mm2\n"
19753 + " movq 56(%1), %%mm3\n"
19754 + " movq %%mm0, 32(%2)\n"
19755 + " movq %%mm1, 40(%2)\n"
19756 + " movq %%mm2, 48(%2)\n"
19757 + " movq %%mm3, 56(%2)\n"
19758 ".section .fixup, \"ax\"\n"
19759 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19760 + "3:\n"
19761 +
19762 +#ifdef CONFIG_PAX_KERNEXEC
19763 + " movl %%cr0, %0\n"
19764 + " movl %0, %%eax\n"
19765 + " andl $0xFFFEFFFF, %%eax\n"
19766 + " movl %%eax, %%cr0\n"
19767 +#endif
19768 +
19769 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19770 +
19771 +#ifdef CONFIG_PAX_KERNEXEC
19772 + " movl %0, %%cr0\n"
19773 +#endif
19774 +
19775 " jmp 2b\n"
19776 ".previous\n"
19777 _ASM_EXTABLE(1b, 3b)
19778 - : : "r" (from), "r" (to) : "memory");
19779 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19780
19781 from += 64;
19782 to += 64;
19783 diff -urNp linux-2.6.32.43/arch/x86/lib/putuser.S linux-2.6.32.43/arch/x86/lib/putuser.S
19784 --- linux-2.6.32.43/arch/x86/lib/putuser.S 2011-03-27 14:31:47.000000000 -0400
19785 +++ linux-2.6.32.43/arch/x86/lib/putuser.S 2011-04-17 15:56:46.000000000 -0400
19786 @@ -15,7 +15,8 @@
19787 #include <asm/thread_info.h>
19788 #include <asm/errno.h>
19789 #include <asm/asm.h>
19790 -
19791 +#include <asm/segment.h>
19792 +#include <asm/pgtable.h>
19793
19794 /*
19795 * __put_user_X
19796 @@ -29,52 +30,119 @@
19797 * as they get called from within inline assembly.
19798 */
19799
19800 -#define ENTER CFI_STARTPROC ; \
19801 - GET_THREAD_INFO(%_ASM_BX)
19802 +#define ENTER CFI_STARTPROC
19803 #define EXIT ret ; \
19804 CFI_ENDPROC
19805
19806 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19807 +#define _DEST %_ASM_CX,%_ASM_BX
19808 +#else
19809 +#define _DEST %_ASM_CX
19810 +#endif
19811 +
19812 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19813 +#define __copyuser_seg gs;
19814 +#else
19815 +#define __copyuser_seg
19816 +#endif
19817 +
19818 .text
19819 ENTRY(__put_user_1)
19820 ENTER
19821 +
19822 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19823 + GET_THREAD_INFO(%_ASM_BX)
19824 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
19825 jae bad_put_user
19826 -1: movb %al,(%_ASM_CX)
19827 +
19828 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19829 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19830 + cmp %_ASM_BX,%_ASM_CX
19831 + jb 1234f
19832 + xor %ebx,%ebx
19833 +1234:
19834 +#endif
19835 +
19836 +#endif
19837 +
19838 +1: __copyuser_seg movb %al,(_DEST)
19839 xor %eax,%eax
19840 EXIT
19841 ENDPROC(__put_user_1)
19842
19843 ENTRY(__put_user_2)
19844 ENTER
19845 +
19846 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19847 + GET_THREAD_INFO(%_ASM_BX)
19848 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19849 sub $1,%_ASM_BX
19850 cmp %_ASM_BX,%_ASM_CX
19851 jae bad_put_user
19852 -2: movw %ax,(%_ASM_CX)
19853 +
19854 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19855 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19856 + cmp %_ASM_BX,%_ASM_CX
19857 + jb 1234f
19858 + xor %ebx,%ebx
19859 +1234:
19860 +#endif
19861 +
19862 +#endif
19863 +
19864 +2: __copyuser_seg movw %ax,(_DEST)
19865 xor %eax,%eax
19866 EXIT
19867 ENDPROC(__put_user_2)
19868
19869 ENTRY(__put_user_4)
19870 ENTER
19871 +
19872 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19873 + GET_THREAD_INFO(%_ASM_BX)
19874 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19875 sub $3,%_ASM_BX
19876 cmp %_ASM_BX,%_ASM_CX
19877 jae bad_put_user
19878 -3: movl %eax,(%_ASM_CX)
19879 +
19880 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19881 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19882 + cmp %_ASM_BX,%_ASM_CX
19883 + jb 1234f
19884 + xor %ebx,%ebx
19885 +1234:
19886 +#endif
19887 +
19888 +#endif
19889 +
19890 +3: __copyuser_seg movl %eax,(_DEST)
19891 xor %eax,%eax
19892 EXIT
19893 ENDPROC(__put_user_4)
19894
19895 ENTRY(__put_user_8)
19896 ENTER
19897 +
19898 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19899 + GET_THREAD_INFO(%_ASM_BX)
19900 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19901 sub $7,%_ASM_BX
19902 cmp %_ASM_BX,%_ASM_CX
19903 jae bad_put_user
19904 -4: mov %_ASM_AX,(%_ASM_CX)
19905 +
19906 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19907 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19908 + cmp %_ASM_BX,%_ASM_CX
19909 + jb 1234f
19910 + xor %ebx,%ebx
19911 +1234:
19912 +#endif
19913 +
19914 +#endif
19915 +
19916 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
19917 #ifdef CONFIG_X86_32
19918 -5: movl %edx,4(%_ASM_CX)
19919 +5: __copyuser_seg movl %edx,4(_DEST)
19920 #endif
19921 xor %eax,%eax
19922 EXIT
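Review bot: On 32-bit UDEREF builds the `TI_addr_limit` comparison and the `jae bad_put_user` branch are compiled out of all four routines, leaving the `gs` override from `__copyuser_seg` as the only bound on the store, and the hunk does not say so. A comment before the first `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` such as `/* 32-bit UDEREF: no addr_limit check, the store goes through %gs and is bounded by that segment */` would record the assumption; the %gs setup is not visible here, so it needs confirming. The two stacked `#endif` lines in each routine would read better with the condition repeated, e.g. `#endif /* CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF */`. The shadow-base block is repeated verbatim four times, so an assembler macro would keep the comparison in one place. ENDPROC(__put_user_8) lies outside the hunk.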
19923 diff -urNp linux-2.6.32.43/arch/x86/lib/usercopy_32.c linux-2.6.32.43/arch/x86/lib/usercopy_32.c
19924 --- linux-2.6.32.43/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
19925 +++ linux-2.6.32.43/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
19926 @@ -43,7 +43,7 @@ do { \
19927 __asm__ __volatile__( \
19928 " testl %1,%1\n" \
19929 " jz 2f\n" \
19930 - "0: lodsb\n" \
19931 + "0: "__copyuser_seg"lodsb\n" \
19932 " stosb\n" \
19933 " testb %%al,%%al\n" \
19934 " jz 1f\n" \
19935 @@ -128,10 +128,12 @@ do { \
19936 int __d0; \
19937 might_fault(); \
19938 __asm__ __volatile__( \
19939 + __COPYUSER_SET_ES \
19940 "0: rep; stosl\n" \
19941 " movl %2,%0\n" \
19942 "1: rep; stosb\n" \
19943 "2:\n" \
19944 + __COPYUSER_RESTORE_ES \
19945 ".section .fixup,\"ax\"\n" \
19946 "3: lea 0(%2,%0,4),%0\n" \
19947 " jmp 2b\n" \
19948 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
19949 might_fault();
19950
19951 __asm__ __volatile__(
19952 + __COPYUSER_SET_ES
19953 " testl %0, %0\n"
19954 " jz 3f\n"
19955 " andl %0,%%ecx\n"
19956 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
19957 " subl %%ecx,%0\n"
19958 " addl %0,%%eax\n"
19959 "1:\n"
19960 + __COPYUSER_RESTORE_ES
19961 ".section .fixup,\"ax\"\n"
19962 "2: xorl %%eax,%%eax\n"
19963 " jmp 1b\n"
19964 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
19965
19966 #ifdef CONFIG_X86_INTEL_USERCOPY
19967 static unsigned long
19968 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
19969 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
19970 {
19971 int d0, d1;
19972 __asm__ __volatile__(
19973 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
19974 " .align 2,0x90\n"
19975 "3: movl 0(%4), %%eax\n"
19976 "4: movl 4(%4), %%edx\n"
19977 - "5: movl %%eax, 0(%3)\n"
19978 - "6: movl %%edx, 4(%3)\n"
19979 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
19980 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
19981 "7: movl 8(%4), %%eax\n"
19982 "8: movl 12(%4),%%edx\n"
19983 - "9: movl %%eax, 8(%3)\n"
19984 - "10: movl %%edx, 12(%3)\n"
19985 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
19986 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
19987 "11: movl 16(%4), %%eax\n"
19988 "12: movl 20(%4), %%edx\n"
19989 - "13: movl %%eax, 16(%3)\n"
19990 - "14: movl %%edx, 20(%3)\n"
19991 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
19992 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
19993 "15: movl 24(%4), %%eax\n"
19994 "16: movl 28(%4), %%edx\n"
19995 - "17: movl %%eax, 24(%3)\n"
19996 - "18: movl %%edx, 28(%3)\n"
19997 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
19998 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
19999 "19: movl 32(%4), %%eax\n"
20000 "20: movl 36(%4), %%edx\n"
20001 - "21: movl %%eax, 32(%3)\n"
20002 - "22: movl %%edx, 36(%3)\n"
20003 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20004 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20005 "23: movl 40(%4), %%eax\n"
20006 "24: movl 44(%4), %%edx\n"
20007 - "25: movl %%eax, 40(%3)\n"
20008 - "26: movl %%edx, 44(%3)\n"
20009 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20010 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20011 "27: movl 48(%4), %%eax\n"
20012 "28: movl 52(%4), %%edx\n"
20013 - "29: movl %%eax, 48(%3)\n"
20014 - "30: movl %%edx, 52(%3)\n"
20015 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20016 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20017 "31: movl 56(%4), %%eax\n"
20018 "32: movl 60(%4), %%edx\n"
20019 - "33: movl %%eax, 56(%3)\n"
20020 - "34: movl %%edx, 60(%3)\n"
20021 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20022 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20023 " addl $-64, %0\n"
20024 " addl $64, %4\n"
20025 " addl $64, %3\n"
20026 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20027 " shrl $2, %0\n"
20028 " andl $3, %%eax\n"
20029 " cld\n"
20030 + __COPYUSER_SET_ES
20031 "99: rep; movsl\n"
20032 "36: movl %%eax, %0\n"
20033 "37: rep; movsb\n"
20034 "100:\n"
20035 + __COPYUSER_RESTORE_ES
20036 + ".section .fixup,\"ax\"\n"
20037 + "101: lea 0(%%eax,%0,4),%0\n"
20038 + " jmp 100b\n"
20039 + ".previous\n"
20040 + ".section __ex_table,\"a\"\n"
20041 + " .align 4\n"
20042 + " .long 1b,100b\n"
20043 + " .long 2b,100b\n"
20044 + " .long 3b,100b\n"
20045 + " .long 4b,100b\n"
20046 + " .long 5b,100b\n"
20047 + " .long 6b,100b\n"
20048 + " .long 7b,100b\n"
20049 + " .long 8b,100b\n"
20050 + " .long 9b,100b\n"
20051 + " .long 10b,100b\n"
20052 + " .long 11b,100b\n"
20053 + " .long 12b,100b\n"
20054 + " .long 13b,100b\n"
20055 + " .long 14b,100b\n"
20056 + " .long 15b,100b\n"
20057 + " .long 16b,100b\n"
20058 + " .long 17b,100b\n"
20059 + " .long 18b,100b\n"
20060 + " .long 19b,100b\n"
20061 + " .long 20b,100b\n"
20062 + " .long 21b,100b\n"
20063 + " .long 22b,100b\n"
20064 + " .long 23b,100b\n"
20065 + " .long 24b,100b\n"
20066 + " .long 25b,100b\n"
20067 + " .long 26b,100b\n"
20068 + " .long 27b,100b\n"
20069 + " .long 28b,100b\n"
20070 + " .long 29b,100b\n"
20071 + " .long 30b,100b\n"
20072 + " .long 31b,100b\n"
20073 + " .long 32b,100b\n"
20074 + " .long 33b,100b\n"
20075 + " .long 34b,100b\n"
20076 + " .long 35b,100b\n"
20077 + " .long 36b,100b\n"
20078 + " .long 37b,100b\n"
20079 + " .long 99b,101b\n"
20080 + ".previous"
20081 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20082 + : "1"(to), "2"(from), "0"(size)
20083 + : "eax", "edx", "memory");
20084 + return size;
20085 +}
20086 +
20087 +static unsigned long
20088 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20089 +{
20090 + int d0, d1;
20091 + __asm__ __volatile__(
20092 + " .align 2,0x90\n"
20093 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20094 + " cmpl $67, %0\n"
20095 + " jbe 3f\n"
20096 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20097 + " .align 2,0x90\n"
20098 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20099 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20100 + "5: movl %%eax, 0(%3)\n"
20101 + "6: movl %%edx, 4(%3)\n"
20102 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20103 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20104 + "9: movl %%eax, 8(%3)\n"
20105 + "10: movl %%edx, 12(%3)\n"
20106 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20107 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20108 + "13: movl %%eax, 16(%3)\n"
20109 + "14: movl %%edx, 20(%3)\n"
20110 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20111 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20112 + "17: movl %%eax, 24(%3)\n"
20113 + "18: movl %%edx, 28(%3)\n"
20114 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20115 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20116 + "21: movl %%eax, 32(%3)\n"
20117 + "22: movl %%edx, 36(%3)\n"
20118 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20119 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20120 + "25: movl %%eax, 40(%3)\n"
20121 + "26: movl %%edx, 44(%3)\n"
20122 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20123 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20124 + "29: movl %%eax, 48(%3)\n"
20125 + "30: movl %%edx, 52(%3)\n"
20126 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20127 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20128 + "33: movl %%eax, 56(%3)\n"
20129 + "34: movl %%edx, 60(%3)\n"
20130 + " addl $-64, %0\n"
20131 + " addl $64, %4\n"
20132 + " addl $64, %3\n"
20133 + " cmpl $63, %0\n"
20134 + " ja 1b\n"
20135 + "35: movl %0, %%eax\n"
20136 + " shrl $2, %0\n"
20137 + " andl $3, %%eax\n"
20138 + " cld\n"
20139 + "99: rep; "__copyuser_seg" movsl\n"
20140 + "36: movl %%eax, %0\n"
20141 + "37: rep; "__copyuser_seg" movsb\n"
20142 + "100:\n"
20143 ".section .fixup,\"ax\"\n"
20144 "101: lea 0(%%eax,%0,4),%0\n"
20145 " jmp 100b\n"
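Review bot: In `__generic_copy_to_user_intel()` the `__COPYUSER_RESTORE_ES` fragment sits after label `100:`, which is the landing point of every `__ex_table` entry from `1b` to `37b`, while `__COPYUSER_SET_ES` runs only just before `99:`; a fault at any label up to `35b` therefore reaches the restore without the set having executed. That is harmless only if the restore is an unconditional reload of %es rather than a pop of a saved value, and the macro definitions are outside this hunk, so it should be confirmed and stated, e.g. `/* RESTORE_ES is idempotent: fixups taken before SET_ES also land on 100: */`. The new `__generic_copy_from_user_intel()` would also benefit from one line saying why the user-side loads carry `__copyuser_seg` while its `rep movs` tail needs no %es switch. The end of that function is outside the hunk.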
20146 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20147 int d0, d1;
20148 __asm__ __volatile__(
20149 " .align 2,0x90\n"
20150 - "0: movl 32(%4), %%eax\n"
20151 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20152 " cmpl $67, %0\n"
20153 " jbe 2f\n"
20154 - "1: movl 64(%4), %%eax\n"
20155 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20156 " .align 2,0x90\n"
20157 - "2: movl 0(%4), %%eax\n"
20158 - "21: movl 4(%4), %%edx\n"
20159 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20160 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20161 " movl %%eax, 0(%3)\n"
20162 " movl %%edx, 4(%3)\n"
20163 - "3: movl 8(%4), %%eax\n"
20164 - "31: movl 12(%4),%%edx\n"
20165 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20166 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20167 " movl %%eax, 8(%3)\n"
20168 " movl %%edx, 12(%3)\n"
20169 - "4: movl 16(%4), %%eax\n"
20170 - "41: movl 20(%4), %%edx\n"
20171 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20172 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20173 " movl %%eax, 16(%3)\n"
20174 " movl %%edx, 20(%3)\n"
20175 - "10: movl 24(%4), %%eax\n"
20176 - "51: movl 28(%4), %%edx\n"
20177 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20178 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20179 " movl %%eax, 24(%3)\n"
20180 " movl %%edx, 28(%3)\n"
20181 - "11: movl 32(%4), %%eax\n"
20182 - "61: movl 36(%4), %%edx\n"
20183 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20184 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20185 " movl %%eax, 32(%3)\n"
20186 " movl %%edx, 36(%3)\n"
20187 - "12: movl 40(%4), %%eax\n"
20188 - "71: movl 44(%4), %%edx\n"
20189 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20190 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20191 " movl %%eax, 40(%3)\n"
20192 " movl %%edx, 44(%3)\n"
20193 - "13: movl 48(%4), %%eax\n"
20194 - "81: movl 52(%4), %%edx\n"
20195 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20196 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20197 " movl %%eax, 48(%3)\n"
20198 " movl %%edx, 52(%3)\n"
20199 - "14: movl 56(%4), %%eax\n"
20200 - "91: movl 60(%4), %%edx\n"
20201 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20202 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20203 " movl %%eax, 56(%3)\n"
20204 " movl %%edx, 60(%3)\n"
20205 " addl $-64, %0\n"
20206 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20207 " shrl $2, %0\n"
20208 " andl $3, %%eax\n"
20209 " cld\n"
20210 - "6: rep; movsl\n"
20211 + "6: rep; "__copyuser_seg" movsl\n"
20212 " movl %%eax,%0\n"
20213 - "7: rep; movsb\n"
20214 + "7: rep; "__copyuser_seg" movsb\n"
20215 "8:\n"
20216 ".section .fixup,\"ax\"\n"
20217 "9: lea 0(%%eax,%0,4),%0\n"
20218 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20219
20220 __asm__ __volatile__(
20221 " .align 2,0x90\n"
20222 - "0: movl 32(%4), %%eax\n"
20223 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20224 " cmpl $67, %0\n"
20225 " jbe 2f\n"
20226 - "1: movl 64(%4), %%eax\n"
20227 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20228 " .align 2,0x90\n"
20229 - "2: movl 0(%4), %%eax\n"
20230 - "21: movl 4(%4), %%edx\n"
20231 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20232 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20233 " movnti %%eax, 0(%3)\n"
20234 " movnti %%edx, 4(%3)\n"
20235 - "3: movl 8(%4), %%eax\n"
20236 - "31: movl 12(%4),%%edx\n"
20237 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20238 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20239 " movnti %%eax, 8(%3)\n"
20240 " movnti %%edx, 12(%3)\n"
20241 - "4: movl 16(%4), %%eax\n"
20242 - "41: movl 20(%4), %%edx\n"
20243 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20244 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20245 " movnti %%eax, 16(%3)\n"
20246 " movnti %%edx, 20(%3)\n"
20247 - "10: movl 24(%4), %%eax\n"
20248 - "51: movl 28(%4), %%edx\n"
20249 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20250 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20251 " movnti %%eax, 24(%3)\n"
20252 " movnti %%edx, 28(%3)\n"
20253 - "11: movl 32(%4), %%eax\n"
20254 - "61: movl 36(%4), %%edx\n"
20255 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20256 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20257 " movnti %%eax, 32(%3)\n"
20258 " movnti %%edx, 36(%3)\n"
20259 - "12: movl 40(%4), %%eax\n"
20260 - "71: movl 44(%4), %%edx\n"
20261 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20262 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20263 " movnti %%eax, 40(%3)\n"
20264 " movnti %%edx, 44(%3)\n"
20265 - "13: movl 48(%4), %%eax\n"
20266 - "81: movl 52(%4), %%edx\n"
20267 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20268 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20269 " movnti %%eax, 48(%3)\n"
20270 " movnti %%edx, 52(%3)\n"
20271 - "14: movl 56(%4), %%eax\n"
20272 - "91: movl 60(%4), %%edx\n"
20273 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20274 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20275 " movnti %%eax, 56(%3)\n"
20276 " movnti %%edx, 60(%3)\n"
20277 " addl $-64, %0\n"
20278 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20279 " shrl $2, %0\n"
20280 " andl $3, %%eax\n"
20281 " cld\n"
20282 - "6: rep; movsl\n"
20283 + "6: rep; "__copyuser_seg" movsl\n"
20284 " movl %%eax,%0\n"
20285 - "7: rep; movsb\n"
20286 + "7: rep; "__copyuser_seg" movsb\n"
20287 "8:\n"
20288 ".section .fixup,\"ax\"\n"
20289 "9: lea 0(%%eax,%0,4),%0\n"
20290 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20291
20292 __asm__ __volatile__(
20293 " .align 2,0x90\n"
20294 - "0: movl 32(%4), %%eax\n"
20295 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20296 " cmpl $67, %0\n"
20297 " jbe 2f\n"
20298 - "1: movl 64(%4), %%eax\n"
20299 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20300 " .align 2,0x90\n"
20301 - "2: movl 0(%4), %%eax\n"
20302 - "21: movl 4(%4), %%edx\n"
20303 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20304 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20305 " movnti %%eax, 0(%3)\n"
20306 " movnti %%edx, 4(%3)\n"
20307 - "3: movl 8(%4), %%eax\n"
20308 - "31: movl 12(%4),%%edx\n"
20309 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20310 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20311 " movnti %%eax, 8(%3)\n"
20312 " movnti %%edx, 12(%3)\n"
20313 - "4: movl 16(%4), %%eax\n"
20314 - "41: movl 20(%4), %%edx\n"
20315 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20316 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20317 " movnti %%eax, 16(%3)\n"
20318 " movnti %%edx, 20(%3)\n"
20319 - "10: movl 24(%4), %%eax\n"
20320 - "51: movl 28(%4), %%edx\n"
20321 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20322 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20323 " movnti %%eax, 24(%3)\n"
20324 " movnti %%edx, 28(%3)\n"
20325 - "11: movl 32(%4), %%eax\n"
20326 - "61: movl 36(%4), %%edx\n"
20327 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20328 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20329 " movnti %%eax, 32(%3)\n"
20330 " movnti %%edx, 36(%3)\n"
20331 - "12: movl 40(%4), %%eax\n"
20332 - "71: movl 44(%4), %%edx\n"
20333 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20334 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20335 " movnti %%eax, 40(%3)\n"
20336 " movnti %%edx, 44(%3)\n"
20337 - "13: movl 48(%4), %%eax\n"
20338 - "81: movl 52(%4), %%edx\n"
20339 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20340 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20341 " movnti %%eax, 48(%3)\n"
20342 " movnti %%edx, 52(%3)\n"
20343 - "14: movl 56(%4), %%eax\n"
20344 - "91: movl 60(%4), %%edx\n"
20345 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20346 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20347 " movnti %%eax, 56(%3)\n"
20348 " movnti %%edx, 60(%3)\n"
20349 " addl $-64, %0\n"
20350 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20351 " shrl $2, %0\n"
20352 " andl $3, %%eax\n"
20353 " cld\n"
20354 - "6: rep; movsl\n"
20355 + "6: rep; "__copyuser_seg" movsl\n"
20356 " movl %%eax,%0\n"
20357 - "7: rep; movsb\n"
20358 + "7: rep; "__copyuser_seg" movsb\n"
20359 "8:\n"
20360 ".section .fixup,\"ax\"\n"
20361 "9: lea 0(%%eax,%0,4),%0\n"
20362 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20363 */
20364 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20365 unsigned long size);
20366 -unsigned long __copy_user_intel(void __user *to, const void *from,
20367 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20368 + unsigned long size);
20369 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20370 unsigned long size);
20371 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20372 const void __user *from, unsigned long size);
20373 #endif /* CONFIG_X86_INTEL_USERCOPY */
20374
20375 /* Generic arbitrary sized copy. */
20376 -#define __copy_user(to, from, size) \
20377 +#define __copy_user(to, from, size, prefix, set, restore) \
20378 do { \
20379 int __d0, __d1, __d2; \
20380 __asm__ __volatile__( \
20381 + set \
20382 " cmp $7,%0\n" \
20383 " jbe 1f\n" \
20384 " movl %1,%0\n" \
20385 " negl %0\n" \
20386 " andl $7,%0\n" \
20387 " subl %0,%3\n" \
20388 - "4: rep; movsb\n" \
20389 + "4: rep; "prefix"movsb\n" \
20390 " movl %3,%0\n" \
20391 " shrl $2,%0\n" \
20392 " andl $3,%3\n" \
20393 " .align 2,0x90\n" \
20394 - "0: rep; movsl\n" \
20395 + "0: rep; "prefix"movsl\n" \
20396 " movl %3,%0\n" \
20397 - "1: rep; movsb\n" \
20398 + "1: rep; "prefix"movsb\n" \
20399 "2:\n" \
20400 + restore \
20401 ".section .fixup,\"ax\"\n" \
20402 "5: addl %3,%0\n" \
20403 " jmp 2b\n" \
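Review bot: The three new `__copy_user()` parameters are pasted directly into the asm template, but the macro's only comment is still `/* Generic arbitrary sized copy. */`, so nothing tells a caller that they must be string literals or what each one is for. I would extend that comment to `/* prefix: segment override for the movs source, or ""; set/restore: asm fragments run before the copy and after label 2, which the fixup at 5 also jumps back to */`. It is worth stating there that `set` and `restore` must be passed as a pair, since the two call sites visible further down pass either both or neither. The rest of the macro body is outside the hunk.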
20404 @@ -682,14 +799,14 @@ do { \
20405 " negl %0\n" \
20406 " andl $7,%0\n" \
20407 " subl %0,%3\n" \
20408 - "4: rep; movsb\n" \
20409 + "4: rep; "__copyuser_seg"movsb\n" \
20410 " movl %3,%0\n" \
20411 " shrl $2,%0\n" \
20412 " andl $3,%3\n" \
20413 " .align 2,0x90\n" \
20414 - "0: rep; movsl\n" \
20415 + "0: rep; "__copyuser_seg"movsl\n" \
20416 " movl %3,%0\n" \
20417 - "1: rep; movsb\n" \
20418 + "1: rep; "__copyuser_seg"movsb\n" \
20419 "2:\n" \
20420 ".section .fixup,\"ax\"\n" \
20421 "5: addl %3,%0\n" \
20422 @@ -775,9 +892,9 @@ survive:
20423 }
20424 #endif
20425 if (movsl_is_ok(to, from, n))
20426 - __copy_user(to, from, n);
20427 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
20428 else
20429 - n = __copy_user_intel(to, from, n);
20430 + n = __generic_copy_to_user_intel(to, from, n);
20431 return n;
20432 }
20433 EXPORT_SYMBOL(__copy_to_user_ll);
20434 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
20435 unsigned long n)
20436 {
20437 if (movsl_is_ok(to, from, n))
20438 - __copy_user(to, from, n);
20439 + __copy_user(to, from, n, __copyuser_seg, "", "");
20440 else
20441 - n = __copy_user_intel((void __user *)to,
20442 - (const void *)from, n);
20443 + n = __generic_copy_from_user_intel(to, from, n);
20444 return n;
20445 }
20446 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
20447 @@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
20448 if (n > 64 && cpu_has_xmm2)
20449 n = __copy_user_intel_nocache(to, from, n);
20450 else
20451 - __copy_user(to, from, n);
20452 + __copy_user(to, from, n, __copyuser_seg, "", "");
20453 #else
20454 - __copy_user(to, from, n);
20455 + __copy_user(to, from, n, __copyuser_seg, "", "");
20456 #endif
20457 return n;
20458 }
20459 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
20460
20461 -/**
20462 - * copy_to_user: - Copy a block of data into user space.
20463 - * @to: Destination address, in user space.
20464 - * @from: Source address, in kernel space.
20465 - * @n: Number of bytes to copy.
20466 - *
20467 - * Context: User context only. This function may sleep.
20468 - *
20469 - * Copy data from kernel space to user space.
20470 - *
20471 - * Returns number of bytes that could not be copied.
20472 - * On success, this will be zero.
20473 - */
20474 -unsigned long
20475 -copy_to_user(void __user *to, const void *from, unsigned long n)
20476 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20477 +void __set_fs(mm_segment_t x)
20478 {
20479 - if (access_ok(VERIFY_WRITE, to, n))
20480 - n = __copy_to_user(to, from, n);
20481 - return n;
20482 + switch (x.seg) {
20483 + case 0:
20484 + loadsegment(gs, 0);
20485 + break;
20486 + case TASK_SIZE_MAX:
20487 + loadsegment(gs, __USER_DS);
20488 + break;
20489 + case -1UL:
20490 + loadsegment(gs, __KERNEL_DS);
20491 + break;
20492 + default:
20493 + BUG();
20494 + }
20495 + return;
20496 }
20497 -EXPORT_SYMBOL(copy_to_user);
20498 +EXPORT_SYMBOL(__set_fs);
20499
20500 -/**
20501 - * copy_from_user: - Copy a block of data from user space.
20502 - * @to: Destination address, in kernel space.
20503 - * @from: Source address, in user space.
20504 - * @n: Number of bytes to copy.
20505 - *
20506 - * Context: User context only. This function may sleep.
20507 - *
20508 - * Copy data from user space to kernel space.
20509 - *
20510 - * Returns number of bytes that could not be copied.
20511 - * On success, this will be zero.
20512 - *
20513 - * If some data could not be copied, this function will pad the copied
20514 - * data to the requested size using zero bytes.
20515 - */
20516 -unsigned long
20517 -copy_from_user(void *to, const void __user *from, unsigned long n)
20518 +void set_fs(mm_segment_t x)
20519 {
20520 - if (access_ok(VERIFY_READ, from, n))
20521 - n = __copy_from_user(to, from, n);
20522 - else
20523 - memset(to, 0, n);
20524 - return n;
20525 + current_thread_info()->addr_limit = x;
20526 + __set_fs(x);
20527 }
20528 -EXPORT_SYMBOL(copy_from_user);
20529 +EXPORT_SYMBOL(set_fs);
20530 +#endif
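Review bot: `__set_fs()` and `set_fs()` are exported with no comment on the contract the `switch` enforces, while the kernel-doc blocks removed above them documented their functions in full. I would add above `__set_fs()`: `/* Load %gs to match addr_limit: 0 -> null selector, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; any other limit is a BUG(). */`, and a line in `set_fs()` saying why `addr_limit` is stored before the selector is reloaded, since that order matters if the task can be switched out between the two statements. The trailing `return;` in `__set_fs()` is redundant. Separately, the removed `copy_from_user()` zeroed the destination with `memset(to, 0, n)` when `access_ok()` failed; its replacement is not in this hunk, so confirm the relocated version keeps that behaviour.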
20531 diff -urNp linux-2.6.32.43/arch/x86/lib/usercopy_64.c linux-2.6.32.43/arch/x86/lib/usercopy_64.c
20532 --- linux-2.6.32.43/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
20533 +++ linux-2.6.32.43/arch/x86/lib/usercopy_64.c 2011-05-04 17:56:20.000000000 -0400
20534 @@ -42,6 +42,12 @@ long
20535 __strncpy_from_user(char *dst, const char __user *src, long count)
20536 {
20537 long res;
20538 +
20539 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20540 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20541 + src += PAX_USER_SHADOW_BASE;
20542 +#endif
20543 +
20544 __do_strncpy_from_user(dst, src, count, res);
20545 return res;
20546 }
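Review bot: The added `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` has no comment, and the same pattern is pasted into the `__clear_user` and `copy_in_user` hunks that follow. A one-line comment such as `/* UDEREF: redirect a userland pointer into its shadow mapping; values at or above PAX_USER_SHADOW_BASE pass through unchanged */` would state the intent, assuming that is what the shadow base is for (its definition is not in this file section). A small `static inline` helper would also keep the copies from drifting apart. The test bounds the pointer from one side only, so in the `__`-prefixed helpers the range check still has to come from the caller, as it does through `access_ok()` in `copy_in_user`.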
20547 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
20548 {
20549 long __d0;
20550 might_fault();
20551 +
20552 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20553 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
20554 + addr += PAX_USER_SHADOW_BASE;
20555 +#endif
20556 +
20557 /* no memory constraint because it doesn't change any memory gcc knows
20558 about */
20559 asm volatile(
20560 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
20561
20562 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
20563 {
20564 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20565 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20566 +
20567 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20568 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
20569 + to += PAX_USER_SHADOW_BASE;
20570 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
20571 + from += PAX_USER_SHADOW_BASE;
20572 +#endif
20573 +
20574 return copy_user_generic((__force void *)to, (__force void *)from, len);
20575 - }
20576 - return len;
20577 + }
20578 + return len;
20579 }
20580 EXPORT_SYMBOL(copy_in_user);
20581
20582 diff -urNp linux-2.6.32.43/arch/x86/Makefile linux-2.6.32.43/arch/x86/Makefile
20583 --- linux-2.6.32.43/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
20584 +++ linux-2.6.32.43/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -0400
20585 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
20586 else
20587 BITS := 64
20588 UTS_MACHINE := x86_64
20589 + biarch := $(call cc-option,-m64)
20590 CHECKFLAGS += -D__x86_64__ -m64
20591
20592 KBUILD_AFLAGS += -m64
20593 @@ -189,3 +190,12 @@ define archhelp
20594 echo ' FDARGS="..." arguments for the booted kernel'
20595 echo ' FDINITRD=file initrd for the booted kernel'
20596 endef
20597 +
20598 +define OLD_LD
20599 +
20600 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
20601 +*** Please upgrade your binutils to 2.18 or newer
20602 +endef
20603 +
20604 +archprepare:
20605 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
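Review bot: The `archprepare` rule aborts whenever `LDFLAGS_BUILD_ID` is empty, but nothing in the hunk ties that variable to the binutils version named in `OLD_LD`. The variable is set outside this hunk, presumably from a `--build-id` linker probe; if it is empty for any other reason, the user is told to upgrade binutils to 2.18 when that is not the cause. A comment above the rule, e.g. `# LDFLAGS_BUILD_ID is empty when the linker does not accept --build-id`, would make the proxy explicit.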
20606 diff -urNp linux-2.6.32.43/arch/x86/mm/extable.c linux-2.6.32.43/arch/x86/mm/extable.c
20607 --- linux-2.6.32.43/arch/x86/mm/extable.c 2011-03-27 14:31:47.000000000 -0400
20608 +++ linux-2.6.32.43/arch/x86/mm/extable.c 2011-04-17 15:56:46.000000000 -0400
20609 @@ -1,14 +1,71 @@
20610 #include <linux/module.h>
20611 #include <linux/spinlock.h>
20612 +#include <linux/sort.h>
20613 #include <asm/uaccess.h>
20614 +#include <asm/pgtable.h>
20615
20616 +/*
20617 + * The exception table needs to be sorted so that the binary
20618 + * search that we use to find entries in it works properly.
20619 + * This is used both for the kernel exception table and for
20620 + * the exception tables of modules that get loaded.
20621 + */
20622 +static int cmp_ex(const void *a, const void *b)
20623 +{
20624 + const struct exception_table_entry *x = a, *y = b;
20625 +
20626 + /* avoid overflow */
20627 + if (x->insn > y->insn)
20628 + return 1;
20629 + if (x->insn < y->insn)
20630 + return -1;
20631 + return 0;
20632 +}
20633 +
20634 +static void swap_ex(void *a, void *b, int size)
20635 +{
20636 + struct exception_table_entry t, *x = a, *y = b;
20637 +
20638 + t = *x;
20639 +
20640 + pax_open_kernel();
20641 + *x = *y;
20642 + *y = t;
20643 + pax_close_kernel();
20644 +}
20645 +
20646 +void sort_extable(struct exception_table_entry *start,
20647 + struct exception_table_entry *finish)
20648 +{
20649 + sort(start, finish - start, sizeof(struct exception_table_entry),
20650 + cmp_ex, swap_ex);
20651 +}
20652 +
20653 +#ifdef CONFIG_MODULES
20654 +/*
20655 + * If the exception table is sorted, any referring to the module init
20656 + * will be at the beginning or the end.
20657 + */
20658 +void trim_init_extable(struct module *m)
20659 +{
20660 + /*trim the beginning*/
20661 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
20662 + m->extable++;
20663 + m->num_exentries--;
20664 + }
20665 + /*trim the end*/
20666 + while (m->num_exentries &&
20667 + within_module_init(m->extable[m->num_exentries-1].insn, m))
20668 + m->num_exentries--;
20669 +}
20670 +#endif /* CONFIG_MODULES */
20671
20672 int fixup_exception(struct pt_regs *regs)
20673 {
20674 const struct exception_table_entry *fixup;
20675
20676 #ifdef CONFIG_PNPBIOS
20677 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
20678 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
20679 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
20680 extern u32 pnp_bios_is_utter_crap;
20681 pnp_bios_is_utter_crap = 1;
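Review bot: `swap_ex()` does not say why the two stores sit between `pax_open_kernel()` and `pax_close_kernel()`, or that its `size` argument is deliberately ignored in favour of whole-struct assignment. A comment such as `/* the table is presumably write-protected under KERNEXEC, so the write window is opened only around the two stores */` would record that the narrow window is intentional and should not be hoisted around the whole `sort()` call. The `/* avoid overflow */` in `cmp_ex()` could likewise say what would overflow, presumably a subtraction of the two `insn` values used as the return value. `fixup_exception()` continues past the end of this hunk.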
20682 diff -urNp linux-2.6.32.43/arch/x86/mm/fault.c linux-2.6.32.43/arch/x86/mm/fault.c
20683 --- linux-2.6.32.43/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
20684 +++ linux-2.6.32.43/arch/x86/mm/fault.c 2011-06-06 17:35:16.000000000 -0400
20685 @@ -11,10 +11,19 @@
20686 #include <linux/kprobes.h> /* __kprobes, ... */
20687 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
20688 #include <linux/perf_event.h> /* perf_sw_event */
20689 +#include <linux/unistd.h>
20690 +#include <linux/compiler.h>
20691
20692 #include <asm/traps.h> /* dotraplinkage, ... */
20693 #include <asm/pgalloc.h> /* pgd_*(), ... */
20694 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
20695 +#include <asm/vsyscall.h>
20696 +#include <asm/tlbflush.h>
20697 +
20698 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20699 +#include <asm/stacktrace.h>
20700 +#include "../kernel/dumpstack.h"
20701 +#endif
20702
20703 /*
20704 * Page fault error code bits:
20705 @@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
20706 int ret = 0;
20707
20708 /* kprobe_running() needs smp_processor_id() */
20709 - if (kprobes_built_in() && !user_mode_vm(regs)) {
20710 + if (kprobes_built_in() && !user_mode(regs)) {
20711 preempt_disable();
20712 if (kprobe_running() && kprobe_fault_handler(regs, 14))
20713 ret = 1;
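Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only equivalent if `user_mode()` also treats vm86 mode as user mode, and nothing in this hunk shows that. In the unpatched 32-bit headers `user_mode()` looks only at the CS privilege bits, so unless the patch redefines it elsewhere a vm86 fault could now reach `kprobe_fault_handler()`. The same substitution appears in a later `do_page_fault` hunk. A short comment at one of the two sites, e.g. `/* user_mode() covers vm86 here */`, would save the next reader the lookup. `notify_page_fault()` starts and ends outside the hunk.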
20714 @@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
20715 return !instr_lo || (instr_lo>>1) == 1;
20716 case 0x00:
20717 /* Prefetch instruction is 0x0F0D or 0x0F18 */
20718 - if (probe_kernel_address(instr, opcode))
20719 + if (user_mode(regs)) {
20720 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
20721 + return 0;
20722 + } else if (probe_kernel_address(instr, opcode))
20723 return 0;
20724
20725 *prefetch = (instr_lo == 0xF) &&
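Review bot: The new user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which by kernel convention performs no `access_ok()` range check, so `instr` must already be known to lie in userland when `user_mode(regs)` is true. That bound is not established in this hunk or in the matching `is_prefetch` hunk below; it has to come from code outside both. A comment next to the call, e.g. `/* instr was range-checked before this point */`, or an explicit check before the read would make the dependency visible. The duplicated `if`/`else if` would also read better as one small helper shared by both functions.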
20726 @@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
20727 while (instr < max_instr) {
20728 unsigned char opcode;
20729
20730 - if (probe_kernel_address(instr, opcode))
20731 + if (user_mode(regs)) {
20732 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
20733 + break;
20734 + } else if (probe_kernel_address(instr, opcode))
20735 break;
20736
20737 instr++;
20738 @@ -172,6 +187,30 @@ force_sig_info_fault(int si_signo, int s
20739 force_sig_info(si_signo, &info, tsk);
20740 }
20741
20742 +#ifdef CONFIG_PAX_EMUTRAMP
20743 +static int pax_handle_fetch_fault(struct pt_regs *regs);
20744 +#endif
20745 +
20746 +#ifdef CONFIG_PAX_PAGEEXEC
20747 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
20748 +{
20749 + pgd_t *pgd;
20750 + pud_t *pud;
20751 + pmd_t *pmd;
20752 +
20753 + pgd = pgd_offset(mm, address);
20754 + if (!pgd_present(*pgd))
20755 + return NULL;
20756 + pud = pud_offset(pgd, address);
20757 + if (!pud_present(*pud))
20758 + return NULL;
20759 + pmd = pmd_offset(pud, address);
20760 + if (!pmd_present(*pmd))
20761 + return NULL;
20762 + return pmd;
20763 +}
20764 +#endif
20765 +
20766 DEFINE_SPINLOCK(pgd_lock);
20767 LIST_HEAD(pgd_list);
20768
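Review bot: `pax_get_pmd()` has no comment stating its contract: it takes no lock itself and returns `NULL` when any level is not present, so callers must hold whatever keeps the tables stable. It also does not distinguish a pmd that maps a large page from one that points to a pte page. That matters if the result is handed to `pte_offset_map_lock()`, as the later `pax_handle_pageexec_fault` hunk does; whether such a pmd can reach that path is not visible here. A header comment such as `/* returns the present pmd for address, or NULL; caller holds mm->mmap_sem */` would cover the first point, with the locking assumption confirmed against the visible caller.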
20769 @@ -224,11 +263,24 @@ void vmalloc_sync_all(void)
20770 address += PMD_SIZE) {
20771
20772 unsigned long flags;
20773 +
20774 +#ifdef CONFIG_PAX_PER_CPU_PGD
20775 + unsigned long cpu;
20776 +#else
20777 struct page *page;
20778 +#endif
20779
20780 spin_lock_irqsave(&pgd_lock, flags);
20781 +
20782 +#ifdef CONFIG_PAX_PER_CPU_PGD
20783 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20784 + pgd_t *pgd = get_cpu_pgd(cpu);
20785 +#else
20786 list_for_each_entry(page, &pgd_list, lru) {
20787 - if (!vmalloc_sync_one(page_address(page), address))
20788 + pgd_t *pgd = page_address(page);
20789 +#endif
20790 +
20791 + if (!vmalloc_sync_one(pgd, address))
20792 break;
20793 }
20794 spin_unlock_irqrestore(&pgd_lock, flags);
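Review bot: The PER_CPU_PGD loop walks every index from 0 to `NR_CPUS - 1` and calls `get_cpu_pgd(cpu)` for each, including CPUs that may not be possible on the running machine. If the per-CPU pgd storage is not populated for all `NR_CPUS` slots (its definition is outside this hunk), `vmalloc_sync_one()` would be handed an unset table; `for_each_possible_cpu(cpu)` would express the intent and remove the question. Separately, opening the loop inside `#ifdef`/`#else` and closing both variants with one shared `}` is hard to follow; a comment on the brace, e.g. `} /* per-CPU pgd or pgd_list loop */`, would help. The 64-bit `vmalloc_sync_all` hunk further down has the same shape.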
20795 @@ -258,6 +310,11 @@ static noinline int vmalloc_fault(unsign
20796 * an interrupt in the middle of a task switch..
20797 */
20798 pgd_paddr = read_cr3();
20799 +
20800 +#ifdef CONFIG_PAX_PER_CPU_PGD
20801 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
20802 +#endif
20803 +
20804 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
20805 if (!pmd_k)
20806 return -1;
20807 @@ -332,15 +389,27 @@ void vmalloc_sync_all(void)
20808
20809 const pgd_t *pgd_ref = pgd_offset_k(address);
20810 unsigned long flags;
20811 +
20812 +#ifdef CONFIG_PAX_PER_CPU_PGD
20813 + unsigned long cpu;
20814 +#else
20815 struct page *page;
20816 +#endif
20817
20818 if (pgd_none(*pgd_ref))
20819 continue;
20820
20821 spin_lock_irqsave(&pgd_lock, flags);
20822 +
20823 +#ifdef CONFIG_PAX_PER_CPU_PGD
20824 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20825 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
20826 +#else
20827 list_for_each_entry(page, &pgd_list, lru) {
20828 pgd_t *pgd;
20829 pgd = (pgd_t *)page_address(page) + pgd_index(address);
20830 +#endif
20831 +
20832 if (pgd_none(*pgd))
20833 set_pgd(pgd, *pgd_ref);
20834 else
20835 @@ -373,7 +442,14 @@ static noinline int vmalloc_fault(unsign
20836 * happen within a race in page table update. In the later
20837 * case just flush:
20838 */
20839 +
20840 +#ifdef CONFIG_PAX_PER_CPU_PGD
20841 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
20842 + pgd = pgd_offset_cpu(smp_processor_id(), address);
20843 +#else
20844 pgd = pgd_offset(current->active_mm, address);
20845 +#endif
20846 +
20847 pgd_ref = pgd_offset_k(address);
20848 if (pgd_none(*pgd_ref))
20849 return -1;
20850 @@ -535,7 +611,7 @@ static int is_errata93(struct pt_regs *r
20851 static int is_errata100(struct pt_regs *regs, unsigned long address)
20852 {
20853 #ifdef CONFIG_X86_64
20854 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
20855 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
20856 return 1;
20857 #endif
20858 return 0;
20859 @@ -562,7 +638,7 @@ static int is_f00f_bug(struct pt_regs *r
20860 }
20861
20862 static const char nx_warning[] = KERN_CRIT
20863 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
20864 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
20865
20866 static void
20867 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
20868 @@ -571,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, un
20869 if (!oops_may_print())
20870 return;
20871
20872 - if (error_code & PF_INSTR) {
20873 + if (nx_enabled && (error_code & PF_INSTR)) {
20874 unsigned int level;
20875
20876 pte_t *pte = lookup_address(address, &level);
20877
20878 if (pte && pte_present(*pte) && !pte_exec(*pte))
20879 - printk(nx_warning, current_uid());
20880 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
20881 }
20882
20883 +#ifdef CONFIG_PAX_KERNEXEC
20884 + if (init_mm.start_code <= address && address < init_mm.end_code) {
20885 + if (current->signal->curr_ip)
20886 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20887 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
20888 + else
20889 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20890 + current->comm, task_pid_nr(current), current_uid(), current_euid());
20891 + }
20892 +#endif
20893 +
20894 printk(KERN_ALERT "BUG: unable to handle kernel ");
20895 if (address < PAGE_SIZE)
20896 printk(KERN_CONT "NULL pointer dereference");
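Review bot: The KERNEXEC block logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. If a read or instruction-fetch fault can reach `show_fault_oops()` for that range, the log line misstates what happened and will mislead triage. Gating on the write bit, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code)`, would keep the message accurate. Also worth a comment: `current->comm` is set by the task itself, so both this message and the extended `nx_warning` now carry task-controlled text into the kernel log, and log consumers should not treat it as trusted.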
20897 @@ -704,6 +791,68 @@ __bad_area_nosemaphore(struct pt_regs *r
20898 unsigned long address, int si_code)
20899 {
20900 struct task_struct *tsk = current;
20901 + struct mm_struct *mm = tsk->mm;
20902 +
20903 +#ifdef CONFIG_X86_64
20904 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
20905 + if (regs->ip == (unsigned long)vgettimeofday) {
20906 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
20907 + return;
20908 + } else if (regs->ip == (unsigned long)vtime) {
20909 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
20910 + return;
20911 + } else if (regs->ip == (unsigned long)vgetcpu) {
20912 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
20913 + return;
20914 + }
20915 + }
20916 +#endif
20917 +
20918 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20919 + if (mm && (error_code & PF_USER)) {
20920 + unsigned long ip = regs->ip;
20921 +
20922 + if (v8086_mode(regs))
20923 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
20924 +
20925 + /*
20926 + * It's possible to have interrupts off here:
20927 + */
20928 + local_irq_enable();
20929 +
20930 +#ifdef CONFIG_PAX_PAGEEXEC
20931 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
20932 + ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
20933 +
20934 +#ifdef CONFIG_PAX_EMUTRAMP
20935 + switch (pax_handle_fetch_fault(regs)) {
20936 + case 2:
20937 + return;
20938 + }
20939 +#endif
20940 +
20941 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
20942 + do_group_exit(SIGKILL);
20943 + }
20944 +#endif
20945 +
20946 +#ifdef CONFIG_PAX_SEGMEXEC
20947 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
20948 +
20949 +#ifdef CONFIG_PAX_EMUTRAMP
20950 + switch (pax_handle_fetch_fault(regs)) {
20951 + case 2:
20952 + return;
20953 + }
20954 +#endif
20955 +
20956 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
20957 + do_group_exit(SIGKILL);
20958 + }
20959 +#endif
20960 +
20961 + }
20962 +#endif
20963
20964 /* User mode accesses just cause a SIGSEGV */
20965 if (error_code & PF_USER) {
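Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` is a one-armed switch on a bare number, repeated in both the PAGEEXEC and SEGMEXEC blocks here and again in the `pax_handle_pageexec_fault` hunk. `if (pax_handle_fetch_fault(regs) == 2) return;` says the same thing in one line. Named constants for the 1 and 2 that the function's own header comment describes (task should be killed, gcc trampoline detected) would remove the magic values. The two blocks also end in the identical `pax_report_fault(...); do_group_exit(SIGKILL);` pair, which could be shared. `__bad_area_nosemaphore()` starts and ends outside the hunk.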
20966 @@ -857,6 +1006,99 @@ static int spurious_fault_check(unsigned
20967 return 1;
20968 }
20969
20970 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20971 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
20972 +{
20973 + pte_t *pte;
20974 + pmd_t *pmd;
20975 + spinlock_t *ptl;
20976 + unsigned char pte_mask;
20977 +
20978 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
20979 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
20980 + return 0;
20981 +
20982 + /* PaX: it's our fault, let's handle it if we can */
20983 +
20984 + /* PaX: take a look at read faults before acquiring any locks */
20985 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
20986 + /* instruction fetch attempt from a protected page in user mode */
20987 + up_read(&mm->mmap_sem);
20988 +
20989 +#ifdef CONFIG_PAX_EMUTRAMP
20990 + switch (pax_handle_fetch_fault(regs)) {
20991 + case 2:
20992 + return 1;
20993 + }
20994 +#endif
20995 +
20996 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20997 + do_group_exit(SIGKILL);
20998 + }
20999 +
21000 + pmd = pax_get_pmd(mm, address);
21001 + if (unlikely(!pmd))
21002 + return 0;
21003 +
21004 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21005 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21006 + pte_unmap_unlock(pte, ptl);
21007 + return 0;
21008 + }
21009 +
21010 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21011 + /* write attempt to a protected page in user mode */
21012 + pte_unmap_unlock(pte, ptl);
21013 + return 0;
21014 + }
21015 +
21016 +#ifdef CONFIG_SMP
21017 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21018 +#else
21019 + if (likely(address > get_limit(regs->cs)))
21020 +#endif
21021 + {
21022 + set_pte(pte, pte_mkread(*pte));
21023 + __flush_tlb_one(address);
21024 + pte_unmap_unlock(pte, ptl);
21025 + up_read(&mm->mmap_sem);
21026 + return 1;
21027 + }
21028 +
21029 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21030 +
21031 + /*
21032 + * PaX: fill DTLB with user rights and retry
21033 + */
21034 + __asm__ __volatile__ (
21035 + "orb %2,(%1)\n"
21036 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21037 +/*
21038 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21039 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21040 + * page fault when examined during a TLB load attempt. this is true not only
21041 + * for PTEs holding a non-present entry but also present entries that will
21042 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21043 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21044 + * for our target pages since their PTEs are simply not in the TLBs at all.
21045 +
21046 + * the best thing in omitting it is that we gain around 15-20% speed in the
21047 + * fast path of the page fault handler and can get rid of tracing since we
21048 + * can no longer flush unintended entries.
21049 + */
21050 + "invlpg (%0)\n"
21051 +#endif
21052 + __copyuser_seg"testb $0,(%0)\n"
21053 + "xorb %3,(%1)\n"
21054 + :
21055 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21056 + : "memory", "cc");
21057 + pte_unmap_unlock(pte, ptl);
21058 + up_read(&mm->mmap_sem);
21059 + return 1;
21060 +}
21061 +#endif
21062 +
21063 /*
21064 * Handle a spurious fault caused by a stale TLB entry.
21065 *
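Review bot: `pax_handle_pageexec_fault()` returns with `mm->mmap_sem` released on every `return 1` path and still held on every `return 0` path, and no comment says so. The caller in the later `do_page_fault` hunk depends on exactly that, returning immediately on a non-zero result. A future edit that adds a `return 1` without `up_read()`, or a `return 0` after it, would leave the semaphore held or release it twice. A header comment such as `/* returns 1 with mmap_sem dropped when the fault was handled, 0 with mmap_sem still held otherwise */` would pin the contract. The expression `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` also depends silently on the bit position of `PF_WRITE` and deserves a one-line remark.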
21066 @@ -923,6 +1165,9 @@ int show_unhandled_signals = 1;
21067 static inline int
21068 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
21069 {
21070 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21071 + return 1;
21072 +
21073 if (write) {
21074 /* write, present and write, not present: */
21075 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21076 @@ -956,17 +1201,31 @@ do_page_fault(struct pt_regs *regs, unsi
21077 {
21078 struct vm_area_struct *vma;
21079 struct task_struct *tsk;
21080 - unsigned long address;
21081 struct mm_struct *mm;
21082 int write;
21083 int fault;
21084
21085 + /* Get the faulting address: */
21086 + unsigned long address = read_cr2();
21087 +
21088 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21089 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21090 + if (!search_exception_tables(regs->ip)) {
21091 + bad_area_nosemaphore(regs, error_code, address);
21092 + return;
21093 + }
21094 + if (address < PAX_USER_SHADOW_BASE) {
21095 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21096 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21097 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21098 + } else
21099 + address -= PAX_USER_SHADOW_BASE;
21100 + }
21101 +#endif
21102 +
21103 tsk = current;
21104 mm = tsk->mm;
21105
21106 - /* Get the faulting address: */
21107 - address = read_cr2();
21108 -
21109 /*
21110 * Detect and handle instructions that would cause a page fault for
21111 * both a tracked kernel page and a userspace page.
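Review bot: The UDEREF block distinguishes three address ranges (below `PAX_USER_SHADOW_BASE`, from there up to twice that value, and above), but no comment says what each one means or why only the middle range is rebased with `address -= PAX_USER_SHADOW_BASE`. The branch for the lowest range prints two `KERN_ERR` lines and a stack trace on every occurrence with no rate limit. If that path can be hit repeatedly the kernel log can be flooded, so `printk_ratelimit()` or a once-only guard is worth considering. A block comment summarising the ranges would make the later uses of `address` easier to audit. `do_page_fault()` continues outside the hunk.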
21112 @@ -1026,7 +1285,7 @@ do_page_fault(struct pt_regs *regs, unsi
21113 * User-mode registers count as a user access even for any
21114 * potential system fault or CPU buglet:
21115 */
21116 - if (user_mode_vm(regs)) {
21117 + if (user_mode(regs)) {
21118 local_irq_enable();
21119 error_code |= PF_USER;
21120 } else {
21121 @@ -1080,6 +1339,11 @@ do_page_fault(struct pt_regs *regs, unsi
21122 might_sleep();
21123 }
21124
21125 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21126 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21127 + return;
21128 +#endif
21129 +
21130 vma = find_vma(mm, address);
21131 if (unlikely(!vma)) {
21132 bad_area(regs, error_code, address);
21133 @@ -1091,18 +1355,24 @@ do_page_fault(struct pt_regs *regs, unsi
21134 bad_area(regs, error_code, address);
21135 return;
21136 }
21137 - if (error_code & PF_USER) {
21138 - /*
21139 - * Accessing the stack below %sp is always a bug.
21140 - * The large cushion allows instructions like enter
21141 - * and pusha to work. ("enter $65535, $31" pushes
21142 - * 32 pointers and then decrements %sp by 65535.)
21143 - */
21144 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21145 - bad_area(regs, error_code, address);
21146 - return;
21147 - }
21148 + /*
21149 + * Accessing the stack below %sp is always a bug.
21150 + * The large cushion allows instructions like enter
21151 + * and pusha to work. ("enter $65535, $31" pushes
21152 + * 32 pointers and then decrements %sp by 65535.)
21153 + */
21154 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21155 + bad_area(regs, error_code, address);
21156 + return;
21157 + }
21158 +
21159 +#ifdef CONFIG_PAX_SEGMEXEC
21160 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21161 + bad_area(regs, error_code, address);
21162 + return;
21163 }
21164 +#endif
21165 +
21166 if (unlikely(expand_stack(vma, address))) {
21167 bad_area(regs, error_code, address);
21168 return;
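Review bot: The retained comment "Accessing the stack below %sp is always a bug" no longer matches the code. The `PF_USER` guard is gone and the comparison now uses `task_pt_regs(tsk)->sp`, so kernel-mode accesses on behalf of the task are checked against the saved user stack pointer as well. The comment should say that, e.g. `/* also applied to kernel-mode accesses, against the task's saved user %sp */`. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` appears to rely on unsigned wrap-around to compare positions relative to the split point, and needs a comment spelling out the intended ranges.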
21169 @@ -1146,3 +1416,199 @@ good_area:
21170
21171 up_read(&mm->mmap_sem);
21172 }
21173 +
21174 +#ifdef CONFIG_PAX_EMUTRAMP
21175 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21176 +{
21177 + int err;
21178 +
21179 + do { /* PaX: gcc trampoline emulation #1 */
21180 + unsigned char mov1, mov2;
21181 + unsigned short jmp;
21182 + unsigned int addr1, addr2;
21183 +
21184 +#ifdef CONFIG_X86_64
21185 + if ((regs->ip + 11) >> 32)
21186 + break;
21187 +#endif
21188 +
21189 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21190 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21191 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21192 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21193 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21194 +
21195 + if (err)
21196 + break;
21197 +
21198 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21199 + regs->cx = addr1;
21200 + regs->ax = addr2;
21201 + regs->ip = addr2;
21202 + return 2;
21203 + }
21204 + } while (0);
21205 +
21206 + do { /* PaX: gcc trampoline emulation #2 */
21207 + unsigned char mov, jmp;
21208 + unsigned int addr1, addr2;
21209 +
21210 +#ifdef CONFIG_X86_64
21211 + if ((regs->ip + 9) >> 32)
21212 + break;
21213 +#endif
21214 +
21215 + err = get_user(mov, (unsigned char __user *)regs->ip);
21216 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21217 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21218 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21219 +
21220 + if (err)
21221 + break;
21222 +
21223 + if (mov == 0xB9 && jmp == 0xE9) {
21224 + regs->cx = addr1;
21225 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21226 + return 2;
21227 + }
21228 + } while (0);
21229 +
21230 + return 1; /* PaX in action */
21231 +}
21232 +
21233 +#ifdef CONFIG_X86_64
21234 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21235 +{
21236 + int err;
21237 +
21238 + do { /* PaX: gcc trampoline emulation #1 */
21239 + unsigned short mov1, mov2, jmp1;
21240 + unsigned char jmp2;
21241 + unsigned int addr1;
21242 + unsigned long addr2;
21243 +
21244 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21245 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21246 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21247 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21248 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21249 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21250 +
21251 + if (err)
21252 + break;
21253 +
21254 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21255 + regs->r11 = addr1;
21256 + regs->r10 = addr2;
21257 + regs->ip = addr1;
21258 + return 2;
21259 + }
21260 + } while (0);
21261 +
21262 + do { /* PaX: gcc trampoline emulation #2 */
21263 + unsigned short mov1, mov2, jmp1;
21264 + unsigned char jmp2;
21265 + unsigned long addr1, addr2;
21266 +
21267 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21268 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21269 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21270 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21271 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21272 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21273 +
21274 + if (err)
21275 + break;
21276 +
21277 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21278 + regs->r11 = addr1;
21279 + regs->r10 = addr2;
21280 + regs->ip = addr1;
21281 + return 2;
21282 + }
21283 + } while (0);
21284 +
21285 + return 1; /* PaX in action */
21286 +}
21287 +#endif
21288 +
21289 +/*
21290 + * PaX: decide what to do with offenders (regs->ip = fault address)
21291 + *
21292 + * returns 1 when task should be killed
21293 + * 2 when gcc trampoline was detected
21294 + */
21295 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21296 +{
21297 + if (v8086_mode(regs))
21298 + return 1;
21299 +
21300 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21301 + return 1;
21302 +
21303 +#ifdef CONFIG_X86_32
21304 + return pax_handle_fetch_fault_32(regs);
21305 +#else
21306 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21307 + return pax_handle_fetch_fault_32(regs);
21308 + else
21309 + return pax_handle_fetch_fault_64(regs);
21310 +#endif
21311 +}
21312 +#endif
21313 +
21314 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21315 +void pax_report_insns(void *pc, void *sp)
21316 +{
21317 + long i;
21318 +
21319 + printk(KERN_ERR "PAX: bytes at PC: ");
21320 + for (i = 0; i < 20; i++) {
21321 + unsigned char c;
21322 + if (get_user(c, (__force unsigned char __user *)pc+i))
21323 + printk(KERN_CONT "?? ");
21324 + else
21325 + printk(KERN_CONT "%02x ", c);
21326 + }
21327 + printk("\n");
21328 +
21329 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21330 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21331 + unsigned long c;
21332 + if (get_user(c, (__force unsigned long __user *)sp+i))
21333 +#ifdef CONFIG_X86_32
21334 + printk(KERN_CONT "???????? ");
21335 +#else
21336 + printk(KERN_CONT "???????????????? ");
21337 +#endif
21338 + else
21339 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21340 + }
21341 + printk("\n");
21342 +}
21343 +#endif
21344 +
21345 +/**
21346 + * probe_kernel_write(): safely attempt to write to a location
21347 + * @dst: address to write to
21348 + * @src: pointer to the data that shall be written
21349 + * @size: size of the data chunk
21350 + *
21351 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21352 + * happens, handle that and return -EFAULT.
21353 + */
21354 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21355 +{
21356 + long ret;
21357 + mm_segment_t old_fs = get_fs();
21358 +
21359 + set_fs(KERNEL_DS);
21360 + pagefault_disable();
21361 + pax_open_kernel();
21362 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21363 + pax_close_kernel();
21364 + pagefault_enable();
21365 + set_fs(old_fs);
21366 +
21367 + return ret ? -EFAULT : 0;
21368 +}
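Review bot: The kernel-doc for `probe_kernel_write()` promises only a safe write that returns `-EFAULT` on a fault, but the body brackets the copy with `pax_open_kernel()`/`pax_close_kernel()`, so it presumably also succeeds on kernel memory that is otherwise write-protected. That widens what every caller can do and should be stated in the comment, e.g. `* Note: the write window is opened for the copy, so read-only kernel mappings are writable through this helper.` Separately, `pax_report_insns()` copies 20 code bytes and a run of user stack words into the kernel log at `KERN_ERR`. Anyone who can read that log can read them, which deserves a remark next to the function. The two closing `printk("\n")` calls there also lack `KERN_CONT`.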
21369 diff -urNp linux-2.6.32.43/arch/x86/mm/gup.c linux-2.6.32.43/arch/x86/mm/gup.c
21370 --- linux-2.6.32.43/arch/x86/mm/gup.c 2011-03-27 14:31:47.000000000 -0400
21371 +++ linux-2.6.32.43/arch/x86/mm/gup.c 2011-04-17 15:56:46.000000000 -0400
21372 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
21373 addr = start;
21374 len = (unsigned long) nr_pages << PAGE_SHIFT;
21375 end = start + len;
21376 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21377 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21378 (void __user *)start, len)))
21379 return 0;
21380
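Review bot: Nothing in the hunk says why `__get_user_pages_fast()` switches from `access_ok()` to `__access_ok()`, and the definition of the latter is not visible here. This appears to be the range check in front of the lockless page-table walk, so a reader needs to know that the double-underscore form validates the same range and differs only in side effects. If it checks less, the walk is reached with a weaker bound. A comment such as `/* __access_ok(): same range check as access_ok(), minus PLACEHOLDER_DIFFERENCE */`, with the actual difference filled in, would settle it.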
21381 diff -urNp linux-2.6.32.43/arch/x86/mm/highmem_32.c linux-2.6.32.43/arch/x86/mm/highmem_32.c
21382 --- linux-2.6.32.43/arch/x86/mm/highmem_32.c 2011-03-27 14:31:47.000000000 -0400
21383 +++ linux-2.6.32.43/arch/x86/mm/highmem_32.c 2011-04-17 15:56:46.000000000 -0400
21384 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
21385 idx = type + KM_TYPE_NR*smp_processor_id();
21386 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21387 BUG_ON(!pte_none(*(kmap_pte-idx)));
21388 +
21389 + pax_open_kernel();
21390 set_pte(kmap_pte-idx, mk_pte(page, prot));
21391 + pax_close_kernel();
21392
21393 return (void *)vaddr;
21394 }
21395 diff -urNp linux-2.6.32.43/arch/x86/mm/hugetlbpage.c linux-2.6.32.43/arch/x86/mm/hugetlbpage.c
21396 --- linux-2.6.32.43/arch/x86/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
21397 +++ linux-2.6.32.43/arch/x86/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
21398 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
21399 struct hstate *h = hstate_file(file);
21400 struct mm_struct *mm = current->mm;
21401 struct vm_area_struct *vma;
21402 - unsigned long start_addr;
21403 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21404 +
21405 +#ifdef CONFIG_PAX_SEGMEXEC
21406 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21407 + pax_task_size = SEGMEXEC_TASK_SIZE;
21408 +#endif
21409 +
21410 + pax_task_size -= PAGE_SIZE;
21411
21412 if (len > mm->cached_hole_size) {
21413 - start_addr = mm->free_area_cache;
21414 + start_addr = mm->free_area_cache;
21415 } else {
21416 - start_addr = TASK_UNMAPPED_BASE;
21417 - mm->cached_hole_size = 0;
21418 + start_addr = mm->mmap_base;
21419 + mm->cached_hole_size = 0;
21420 }
21421
21422 full_search:
21423 @@ -281,26 +288,27 @@ full_search:
21424
21425 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
21426 /* At this point: (!vma || addr < vma->vm_end). */
21427 - if (TASK_SIZE - len < addr) {
21428 + if (pax_task_size - len < addr) {
21429 /*
21430 * Start a new search - just in case we missed
21431 * some holes.
21432 */
21433 - if (start_addr != TASK_UNMAPPED_BASE) {
21434 - start_addr = TASK_UNMAPPED_BASE;
21435 + if (start_addr != mm->mmap_base) {
21436 + start_addr = mm->mmap_base;
21437 mm->cached_hole_size = 0;
21438 goto full_search;
21439 }
21440 return -ENOMEM;
21441 }
21442 - if (!vma || addr + len <= vma->vm_start) {
21443 - mm->free_area_cache = addr + len;
21444 - return addr;
21445 - }
21446 + if (check_heap_stack_gap(vma, addr, len))
21447 + break;
21448 if (addr + mm->cached_hole_size < vma->vm_start)
21449 mm->cached_hole_size = vma->vm_start - addr;
21450 addr = ALIGN(vma->vm_end, huge_page_size(h));
21451 }
21452 +
21453 + mm->free_area_cache = addr + len;
21454 + return addr;
21455 }
21456
21457 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
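Review bot: `pax_task_size - len < addr` wraps around when `len` is larger than `pax_task_size`, which the previous hunk can set below `TASK_SIZE` under SEGMEXEC and then reduces by a further `PAGE_SIZE`. A caller-side bound of `len` against `TASK_SIZE` alone would therefore no longer keep this test meaningful; whether the caller was tightened as well is not visible here. Writing the test as `len > pax_task_size || pax_task_size - len < addr` removes the dependency. The `pax_task_size -= PAGE_SIZE;` line in the previous hunk also has no comment explaining the one-page reduction.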
21458 @@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
21459 {
21460 struct hstate *h = hstate_file(file);
21461 struct mm_struct *mm = current->mm;
21462 - struct vm_area_struct *vma, *prev_vma;
21463 - unsigned long base = mm->mmap_base, addr = addr0;
21464 + struct vm_area_struct *vma;
21465 + unsigned long base = mm->mmap_base, addr;
21466 unsigned long largest_hole = mm->cached_hole_size;
21467 - int first_time = 1;
21468
21469 /* don't allow allocations above current base */
21470 if (mm->free_area_cache > base)
21471 @@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
21472 largest_hole = 0;
21473 mm->free_area_cache = base;
21474 }
21475 -try_again:
21476 +
21477 /* make sure it can fit in the remaining address space */
21478 if (mm->free_area_cache < len)
21479 goto fail;
21480
21481 /* either no address requested or cant fit in requested address hole */
21482 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
21483 + addr = (mm->free_area_cache - len);
21484 do {
21485 + addr &= huge_page_mask(h);
21486 + vma = find_vma(mm, addr);
21487 /*
21488 * Lookup failure means no vma is above this address,
21489 * i.e. return with success:
21490 - */
21491 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
21492 - return addr;
21493 -
21494 - /*
21495 * new region fits between prev_vma->vm_end and
21496 * vma->vm_start, use it:
21497 */
21498 - if (addr + len <= vma->vm_start &&
21499 - (!prev_vma || (addr >= prev_vma->vm_end))) {
21500 + if (check_heap_stack_gap(vma, addr, len)) {
21501 /* remember the address as a hint for next time */
21502 - mm->cached_hole_size = largest_hole;
21503 - return (mm->free_area_cache = addr);
21504 - } else {
21505 - /* pull free_area_cache down to the first hole */
21506 - if (mm->free_area_cache == vma->vm_end) {
21507 - mm->free_area_cache = vma->vm_start;
21508 - mm->cached_hole_size = largest_hole;
21509 - }
21510 + mm->cached_hole_size = largest_hole;
21511 + return (mm->free_area_cache = addr);
21512 + }
21513 + /* pull free_area_cache down to the first hole */
21514 + if (mm->free_area_cache == vma->vm_end) {
21515 + mm->free_area_cache = vma->vm_start;
21516 + mm->cached_hole_size = largest_hole;
21517 }
21518
21519 /* remember the largest hole we saw so far */
21520 if (addr + largest_hole < vma->vm_start)
21521 - largest_hole = vma->vm_start - addr;
21522 + largest_hole = vma->vm_start - addr;
21523
21524 /* try just below the current vma->vm_start */
21525 - addr = (vma->vm_start - len) & huge_page_mask(h);
21526 - } while (len <= vma->vm_start);
21527 + addr = skip_heap_stack_gap(vma, len);
21528 + } while (!IS_ERR_VALUE(addr));
21529
21530 fail:
21531 /*
21532 - * if hint left us with no space for the requested
21533 - * mapping then try again:
21534 - */
21535 - if (first_time) {
21536 - mm->free_area_cache = base;
21537 - largest_hole = 0;
21538 - first_time = 0;
21539 - goto try_again;
21540 - }
21541 - /*
21542 * A failed mmap() very likely causes application failure,
21543 * so fall back to the bottom-up function here. This scenario
21544 * can happen with large stack limits and large mmap()
21545 * allocations.
21546 */
21547 - mm->free_area_cache = TASK_UNMAPPED_BASE;
21548 +
21549 +#ifdef CONFIG_PAX_SEGMEXEC
21550 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21551 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
21552 + else
21553 +#endif
21554 +
21555 + mm->mmap_base = TASK_UNMAPPED_BASE;
21556 +
21557 +#ifdef CONFIG_PAX_RANDMMAP
21558 + if (mm->pax_flags & MF_PAX_RANDMMAP)
21559 + mm->mmap_base += mm->delta_mmap;
21560 +#endif
21561 +
21562 + mm->free_area_cache = mm->mmap_base;
21563 mm->cached_hole_size = ~0UL;
21564 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
21565 len, pgoff, flags);
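Review bot: The `else` that closes the `CONFIG_PAX_SEGMEXEC` block in the `fail:` path binds to the unindented `mm->mmap_base = TASK_UNMAPPED_BASE;` two lines below the `#endif`, which is easy to break when a statement is inserted between them. Assigning the default first and then overriding it inside the `#ifdef` with `if (mm->pax_flags & MF_PAX_SEGMEXEC) mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;` gives the same result without a conditional that straddles the preprocessor block; mmap_legacy_base() in arch/x86/mm/mmap.c uses the same construct. Separately, the merged comment inside the loop still mentions `prev_vma`, which this change removes. The function continues past the hunk.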
21566 @@ -387,6 +393,7 @@ fail:
21567 /*
21568 * Restore the topdown base:
21569 */
21570 + mm->mmap_base = base;
21571 mm->free_area_cache = base;
21572 mm->cached_hole_size = ~0UL;
21573
21574 @@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
21575 struct hstate *h = hstate_file(file);
21576 struct mm_struct *mm = current->mm;
21577 struct vm_area_struct *vma;
21578 + unsigned long pax_task_size = TASK_SIZE;
21579
21580 if (len & ~huge_page_mask(h))
21581 return -EINVAL;
21582 - if (len > TASK_SIZE)
21583 +
21584 +#ifdef CONFIG_PAX_SEGMEXEC
21585 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21586 + pax_task_size = SEGMEXEC_TASK_SIZE;
21587 +#endif
21588 +
21589 + pax_task_size -= PAGE_SIZE;
21590 +
21591 + if (len > pax_task_size)
21592 return -ENOMEM;
21593
21594 if (flags & MAP_FIXED) {
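Review bot: `pax_task_size -= PAGE_SIZE;` in hugetlb_get_unmapped_area() shrinks the usable range by one page without saying why, and the same computation is repeated in hugetlb_get_unmapped_area_bottomup() above. A short comment stating the intent, for example `/* never hand out the topmost page below the task-size limit */` (wording to be confirmed by the author), would document it. A small static helper returning the effective task size would also keep the copies from drifting apart. The function body continues outside this hunk.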
21595 @@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
21596 if (addr) {
21597 addr = ALIGN(addr, huge_page_size(h));
21598 vma = find_vma(mm, addr);
21599 - if (TASK_SIZE - len >= addr &&
21600 - (!vma || addr + len <= vma->vm_start))
21601 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
21602 return addr;
21603 }
21604 if (mm->get_unmapped_area == arch_get_unmapped_area)
21605 diff -urNp linux-2.6.32.43/arch/x86/mm/init_32.c linux-2.6.32.43/arch/x86/mm/init_32.c
21606 --- linux-2.6.32.43/arch/x86/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
21607 +++ linux-2.6.32.43/arch/x86/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
21608 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
21609 }
21610
21611 /*
21612 - * Creates a middle page table and puts a pointer to it in the
21613 - * given global directory entry. This only returns the gd entry
21614 - * in non-PAE compilation mode, since the middle layer is folded.
21615 - */
21616 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
21617 -{
21618 - pud_t *pud;
21619 - pmd_t *pmd_table;
21620 -
21621 -#ifdef CONFIG_X86_PAE
21622 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
21623 - if (after_bootmem)
21624 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
21625 - else
21626 - pmd_table = (pmd_t *)alloc_low_page();
21627 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
21628 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
21629 - pud = pud_offset(pgd, 0);
21630 - BUG_ON(pmd_table != pmd_offset(pud, 0));
21631 -
21632 - return pmd_table;
21633 - }
21634 -#endif
21635 - pud = pud_offset(pgd, 0);
21636 - pmd_table = pmd_offset(pud, 0);
21637 -
21638 - return pmd_table;
21639 -}
21640 -
21641 -/*
21642 * Create a page table and place a pointer to it in a middle page
21643 * directory entry:
21644 */
21645 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
21646 page_table = (pte_t *)alloc_low_page();
21647
21648 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
21649 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21650 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
21651 +#else
21652 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
21653 +#endif
21654 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
21655 }
21656
21657 return pte_offset_kernel(pmd, 0);
21658 }
21659
21660 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
21661 +{
21662 + pud_t *pud;
21663 + pmd_t *pmd_table;
21664 +
21665 + pud = pud_offset(pgd, 0);
21666 + pmd_table = pmd_offset(pud, 0);
21667 +
21668 + return pmd_table;
21669 +}
21670 +
21671 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
21672 {
21673 int pgd_idx = pgd_index(vaddr);
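Review bot: The re-added one_md_table_init() no longer allocates a PMD page when the PGD entry is not present under `CONFIG_X86_PAE`; it calls `pud_offset()` and `pmd_offset()` unconditionally, so it now assumes every PGD entry it receives is already populated. That precondition is presumably established elsewhere in the patch (not visible here), but nothing in the function states or checks it. Adding `BUG_ON(!(pgd_val(*pgd) & _PAGE_PRESENT));` under `#ifdef CONFIG_X86_PAE` before the `pud_offset()` call, or at least a comment naming where the PMDs are set up, would turn a silent walk through an empty entry into an immediate boot-time failure.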
21674 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
21675 int pgd_idx, pmd_idx;
21676 unsigned long vaddr;
21677 pgd_t *pgd;
21678 + pud_t *pud;
21679 pmd_t *pmd;
21680 pte_t *pte = NULL;
21681
21682 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
21683 pgd = pgd_base + pgd_idx;
21684
21685 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
21686 - pmd = one_md_table_init(pgd);
21687 - pmd = pmd + pmd_index(vaddr);
21688 + pud = pud_offset(pgd, vaddr);
21689 + pmd = pmd_offset(pud, vaddr);
21690 +
21691 +#ifdef CONFIG_X86_PAE
21692 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
21693 +#endif
21694 +
21695 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
21696 pmd++, pmd_idx++) {
21697 pte = page_table_kmap_check(one_page_table_init(pmd),
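Review bot: `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);` in page_table_range_init() is now issued on every pass over a PGD entry, whereas the removed one_md_table_init() issued it only after it had just allocated the PMD page. The same unconditional call is added in kernel_physical_mapping_init(), inside a loop under the `repeat:` label, so the hook may be invoked more than once for the same PMD page. Whether the paravirt backends tolerate repeated notification is not visible from here; if they do, a comment such as `/* PMDs are preallocated; notifying again is harmless */` would record that. The function starts and ends outside the hunk.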
21698 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
21699 }
21700 }
21701
21702 -static inline int is_kernel_text(unsigned long addr)
21703 +static inline int is_kernel_text(unsigned long start, unsigned long end)
21704 {
21705 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
21706 - return 1;
21707 - return 0;
21708 + if ((start > ktla_ktva((unsigned long)_etext) ||
21709 + end <= ktla_ktva((unsigned long)_stext)) &&
21710 + (start > ktla_ktva((unsigned long)_einittext) ||
21711 + end <= ktla_ktva((unsigned long)_sinittext)) &&
21712 +
21713 +#ifdef CONFIG_ACPI_SLEEP
21714 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
21715 +#endif
21716 +
21717 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
21718 + return 0;
21719 + return 1;
21720 }
21721
21722 /*
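Review bot: The overlap tests in the new is_kernel_text() use `start > ktla_ktva((unsigned long)_etext)` and `start > ktla_ktva((unsigned long)_einittext)`, which treat a range beginning exactly at the end symbol as kernel text. If `_etext` and `_einittext` are exclusive end addresses, as is usual for linker symbols, the page that starts right at that boundary gets the EXEC protection although it holds no code; `start >= ktla_ktva((unsigned long)_etext)` would exclude it. The `0xfffff` bound is an inclusive last byte, so `>` is right there. The function now also covers the ACPI wakeup area and the 0xc0000-0xfffff range, so a header comment listing the four ranges and explaining the `0x4000` length would help readers.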
21723 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
21724 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
21725 unsigned long start_pfn, end_pfn;
21726 pgd_t *pgd_base = swapper_pg_dir;
21727 - int pgd_idx, pmd_idx, pte_ofs;
21728 + unsigned int pgd_idx, pmd_idx, pte_ofs;
21729 unsigned long pfn;
21730 pgd_t *pgd;
21731 + pud_t *pud;
21732 pmd_t *pmd;
21733 pte_t *pte;
21734 unsigned pages_2m, pages_4k;
21735 @@ -278,8 +279,13 @@ repeat:
21736 pfn = start_pfn;
21737 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
21738 pgd = pgd_base + pgd_idx;
21739 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
21740 - pmd = one_md_table_init(pgd);
21741 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
21742 + pud = pud_offset(pgd, 0);
21743 + pmd = pmd_offset(pud, 0);
21744 +
21745 +#ifdef CONFIG_X86_PAE
21746 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
21747 +#endif
21748
21749 if (pfn >= end_pfn)
21750 continue;
21751 @@ -291,14 +297,13 @@ repeat:
21752 #endif
21753 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
21754 pmd++, pmd_idx++) {
21755 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
21756 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
21757
21758 /*
21759 * Map with big pages if possible, otherwise
21760 * create normal page tables:
21761 */
21762 if (use_pse) {
21763 - unsigned int addr2;
21764 pgprot_t prot = PAGE_KERNEL_LARGE;
21765 /*
21766 * first pass will use the same initial
21767 @@ -308,11 +313,7 @@ repeat:
21768 __pgprot(PTE_IDENT_ATTR |
21769 _PAGE_PSE);
21770
21771 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
21772 - PAGE_OFFSET + PAGE_SIZE-1;
21773 -
21774 - if (is_kernel_text(addr) ||
21775 - is_kernel_text(addr2))
21776 + if (is_kernel_text(address, address + PMD_SIZE))
21777 prot = PAGE_KERNEL_LARGE_EXEC;
21778
21779 pages_2m++;
21780 @@ -329,7 +330,7 @@ repeat:
21781 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
21782 pte += pte_ofs;
21783 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
21784 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
21785 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
21786 pgprot_t prot = PAGE_KERNEL;
21787 /*
21788 * first pass will use the same initial
21789 @@ -337,7 +338,7 @@ repeat:
21790 */
21791 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
21792
21793 - if (is_kernel_text(addr))
21794 + if (is_kernel_text(address, address + PAGE_SIZE))
21795 prot = PAGE_KERNEL_EXEC;
21796
21797 pages_4k++;
21798 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
21799
21800 pud = pud_offset(pgd, va);
21801 pmd = pmd_offset(pud, va);
21802 - if (!pmd_present(*pmd))
21803 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
21804 break;
21805
21806 pte = pte_offset_kernel(pmd, va);
21807 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
21808
21809 static void __init pagetable_init(void)
21810 {
21811 - pgd_t *pgd_base = swapper_pg_dir;
21812 -
21813 - permanent_kmaps_init(pgd_base);
21814 + permanent_kmaps_init(swapper_pg_dir);
21815 }
21816
21817 #ifdef CONFIG_ACPI_SLEEP
21818 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
21819 * ACPI suspend needs this for resume, because things like the intel-agp
21820 * driver might have split up a kernel 4MB mapping.
21821 */
21822 -char swsusp_pg_dir[PAGE_SIZE]
21823 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
21824 __attribute__ ((aligned(PAGE_SIZE)));
21825
21826 static inline void save_pg_dir(void)
21827 {
21828 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
21829 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
21830 }
21831 #else /* !CONFIG_ACPI_SLEEP */
21832 static inline void save_pg_dir(void)
21833 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
21834 flush_tlb_all();
21835 }
21836
21837 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
21838 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
21839 EXPORT_SYMBOL_GPL(__supported_pte_mask);
21840
21841 /* user-defined highmem size */
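Review bot: Marking `__supported_pte_mask` as `__read_only` means any code that still updates the mask, such as NX setup during boot, has to run before the read-only protection takes effect or be wrapped in `pax_open_kernel()`/`pax_close_kernel()`. The writers are outside this hunk, so this cannot be confirmed from here. A comment on the definition, `/* written only during early boot, before read-only data is protected */`, would record the constraint for anyone adding a later writer.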
21842 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
21843 * Initialize the boot-time allocator (with low memory only):
21844 */
21845 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
21846 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
21847 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
21848 PAGE_SIZE);
21849 if (bootmap == -1L)
21850 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
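Review bot: The new lower bound `0x100000` passed to `find_e820_area()` in setup_bootmem_allocator() is an unexplained literal, and the same value replaces `0x7000`/`0x8000` as `start` in find_early_table_space() in arch/x86/mm/init.c. Both changes keep early allocations out of the first megabyte, which fits the stricter low-memory handling elsewhere in this patch, but the reason is not stated at either site. A shared named constant, or a comment such as `/* keep the bootmem bitmap above the first 1MB */`, would document the intent and keep the two places in step. The function body extends beyond the hunk.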
21851 @@ -864,6 +863,12 @@ void __init mem_init(void)
21852
21853 pci_iommu_alloc();
21854
21855 +#ifdef CONFIG_PAX_PER_CPU_PGD
21856 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21857 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21858 + KERNEL_PGD_PTRS);
21859 +#endif
21860 +
21861 #ifdef CONFIG_FLATMEM
21862 BUG_ON(!mem_map);
21863 #endif
21864 @@ -881,7 +886,7 @@ void __init mem_init(void)
21865 set_highmem_pages_init();
21866
21867 codesize = (unsigned long) &_etext - (unsigned long) &_text;
21868 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
21869 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
21870 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
21871
21872 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
21873 @@ -923,10 +928,10 @@ void __init mem_init(void)
21874 ((unsigned long)&__init_end -
21875 (unsigned long)&__init_begin) >> 10,
21876
21877 - (unsigned long)&_etext, (unsigned long)&_edata,
21878 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
21879 + (unsigned long)&_sdata, (unsigned long)&_edata,
21880 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
21881
21882 - (unsigned long)&_text, (unsigned long)&_etext,
21883 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
21884 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
21885
21886 /*
21887 @@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
21888 if (!kernel_set_to_readonly)
21889 return;
21890
21891 + start = ktla_ktva(start);
21892 pr_debug("Set kernel text: %lx - %lx for read write\n",
21893 start, start+size);
21894
21895 @@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
21896 if (!kernel_set_to_readonly)
21897 return;
21898
21899 + start = ktla_ktva(start);
21900 pr_debug("Set kernel text: %lx - %lx for read only\n",
21901 start, start+size);
21902
21903 @@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
21904 unsigned long start = PFN_ALIGN(_text);
21905 unsigned long size = PFN_ALIGN(_etext) - start;
21906
21907 + start = ktla_ktva(start);
21908 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
21909 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
21910 size >> 10);
21911 diff -urNp linux-2.6.32.43/arch/x86/mm/init_64.c linux-2.6.32.43/arch/x86/mm/init_64.c
21912 --- linux-2.6.32.43/arch/x86/mm/init_64.c 2011-04-17 17:00:52.000000000 -0400
21913 +++ linux-2.6.32.43/arch/x86/mm/init_64.c 2011-04-17 17:03:05.000000000 -0400
21914 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
21915 pmd = fill_pmd(pud, vaddr);
21916 pte = fill_pte(pmd, vaddr);
21917
21918 + pax_open_kernel();
21919 set_pte(pte, new_pte);
21920 + pax_close_kernel();
21921
21922 /*
21923 * It's enough to flush this one mapping.
21924 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
21925 pgd = pgd_offset_k((unsigned long)__va(phys));
21926 if (pgd_none(*pgd)) {
21927 pud = (pud_t *) spp_getpage();
21928 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
21929 - _PAGE_USER));
21930 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
21931 }
21932 pud = pud_offset(pgd, (unsigned long)__va(phys));
21933 if (pud_none(*pud)) {
21934 pmd = (pmd_t *) spp_getpage();
21935 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
21936 - _PAGE_USER));
21937 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
21938 }
21939 pmd = pmd_offset(pud, phys);
21940 BUG_ON(!pmd_none(*pmd));
21941 @@ -675,6 +675,12 @@ void __init mem_init(void)
21942
21943 pci_iommu_alloc();
21944
21945 +#ifdef CONFIG_PAX_PER_CPU_PGD
21946 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21947 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21948 + KERNEL_PGD_PTRS);
21949 +#endif
21950 +
21951 /* clear_bss() already clear the empty_zero_page */
21952
21953 reservedpages = 0;
21954 @@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
21955 static struct vm_area_struct gate_vma = {
21956 .vm_start = VSYSCALL_START,
21957 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
21958 - .vm_page_prot = PAGE_READONLY_EXEC,
21959 - .vm_flags = VM_READ | VM_EXEC
21960 + .vm_page_prot = PAGE_READONLY,
21961 + .vm_flags = VM_READ
21962 };
21963
21964 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
21965 @@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
21966
21967 const char *arch_vma_name(struct vm_area_struct *vma)
21968 {
21969 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
21970 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
21971 return "[vdso]";
21972 if (vma == &gate_vma)
21973 return "[vsyscall]";
21974 diff -urNp linux-2.6.32.43/arch/x86/mm/init.c linux-2.6.32.43/arch/x86/mm/init.c
21975 --- linux-2.6.32.43/arch/x86/mm/init.c 2011-04-17 17:00:52.000000000 -0400
21976 +++ linux-2.6.32.43/arch/x86/mm/init.c 2011-06-07 19:06:09.000000000 -0400
21977 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
21978 * cause a hotspot and fill up ZONE_DMA. The page tables
21979 * need roughly 0.5KB per GB.
21980 */
21981 -#ifdef CONFIG_X86_32
21982 - start = 0x7000;
21983 -#else
21984 - start = 0x8000;
21985 -#endif
21986 + start = 0x100000;
21987 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
21988 tables, PAGE_SIZE);
21989 if (e820_table_start == -1UL)
21990 @@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
21991 #endif
21992
21993 set_nx();
21994 - if (nx_enabled)
21995 + if (nx_enabled && cpu_has_nx)
21996 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
21997
21998 /* Enable PSE if available */
21999 @@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
22000 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
22001 * mmio resources as well as potential bios/acpi data regions.
22002 */
22003 +
22004 int devmem_is_allowed(unsigned long pagenr)
22005 {
22006 +#ifdef CONFIG_GRKERNSEC_KMEM
22007 + /* allow BDA */
22008 + if (!pagenr)
22009 + return 1;
22010 + /* allow EBDA */
22011 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22012 + return 1;
22013 + /* allow ISA/video mem */
22014 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22015 + return 1;
22016 + /* throw out everything else below 1MB */
22017 + if (pagenr <= 256)
22018 + return 0;
22019 +#else
22020 if (pagenr <= 256)
22021 return 1;
22022 +#endif
22023 +
22024 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22025 return 0;
22026 if (!page_is_ram(pagenr))
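Review bot: The EBDA exception in devmem_is_allowed() is hard-coded to the single page at `0x9f000`, while the EBDA's location and size vary between firmware implementations. On a machine whose EBDA starts lower or spans more than one page, the remaining pages fall through to `if (pagenr <= 256) return 0;` and become unreadable through /dev/mem; that may be an accepted trade-off for the stricter policy, but it deserves a comment. Note also that `pagenr <= 256` includes page 256, the first page at 1MB, although the comment says "below 1MB". The function continues past the hunk.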
22027 @@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
22028
22029 void free_initmem(void)
22030 {
22031 +
22032 +#ifdef CONFIG_PAX_KERNEXEC
22033 +#ifdef CONFIG_X86_32
22034 + /* PaX: limit KERNEL_CS to actual size */
22035 + unsigned long addr, limit;
22036 + struct desc_struct d;
22037 + int cpu;
22038 +
22039 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22040 + limit = (limit - 1UL) >> PAGE_SHIFT;
22041 +
22042 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22043 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22044 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22045 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22046 + }
22047 +
22048 + /* PaX: make KERNEL_CS read-only */
22049 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22050 + if (!paravirt_enabled())
22051 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22052 +/*
22053 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22054 + pgd = pgd_offset_k(addr);
22055 + pud = pud_offset(pgd, addr);
22056 + pmd = pmd_offset(pud, addr);
22057 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22058 + }
22059 +*/
22060 +#ifdef CONFIG_X86_PAE
22061 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22062 +/*
22063 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22064 + pgd = pgd_offset_k(addr);
22065 + pud = pud_offset(pgd, addr);
22066 + pmd = pmd_offset(pud, addr);
22067 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22068 + }
22069 +*/
22070 +#endif
22071 +
22072 +#ifdef CONFIG_MODULES
22073 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22074 +#endif
22075 +
22076 +#else
22077 + pgd_t *pgd;
22078 + pud_t *pud;
22079 + pmd_t *pmd;
22080 + unsigned long addr, end;
22081 +
22082 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22083 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22084 + pgd = pgd_offset_k(addr);
22085 + pud = pud_offset(pgd, addr);
22086 + pmd = pmd_offset(pud, addr);
22087 + if (!pmd_present(*pmd))
22088 + continue;
22089 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22090 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22091 + else
22092 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22093 + }
22094 +
22095 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22096 + end = addr + KERNEL_IMAGE_SIZE;
22097 + for (; addr < end; addr += PMD_SIZE) {
22098 + pgd = pgd_offset_k(addr);
22099 + pud = pud_offset(pgd, addr);
22100 + pmd = pmd_offset(pud, addr);
22101 + if (!pmd_present(*pmd))
22102 + continue;
22103 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22104 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22105 + }
22106 +#endif
22107 +
22108 + flush_tlb_all();
22109 +#endif
22110 +
22111 free_init_pages("unused kernel memory",
22112 (unsigned long)(&__init_begin),
22113 (unsigned long)(&__init_end));
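Review bot: The 32-bit branch added to free_initmem() rewrites the `GDT_ENTRY_KERNEL_CS` descriptor with `for (cpu = 0; cpu < NR_CPUS; cpu++)`, which visits every compile-time CPU slot rather than the CPUs that can actually exist. Unless `get_cpu_gdt_table()` is backed by a static `NR_CPUS`-sized array in this patch (its definition is not visible here), `for_each_possible_cpu(cpu)` is the safer iterator. The two commented-out `set_pmd()` loops are dead code and should be dropped. `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` passes an integer expression where a pointer is expected, so an explicit `(void *)` cast would state the intent. The function ends outside the hunk.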
22114 diff -urNp linux-2.6.32.43/arch/x86/mm/iomap_32.c linux-2.6.32.43/arch/x86/mm/iomap_32.c
22115 --- linux-2.6.32.43/arch/x86/mm/iomap_32.c 2011-03-27 14:31:47.000000000 -0400
22116 +++ linux-2.6.32.43/arch/x86/mm/iomap_32.c 2011-04-17 15:56:46.000000000 -0400
22117 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22118 debug_kmap_atomic(type);
22119 idx = type + KM_TYPE_NR * smp_processor_id();
22120 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22121 +
22122 + pax_open_kernel();
22123 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22124 + pax_close_kernel();
22125 +
22126 arch_flush_lazy_mmu_mode();
22127
22128 return (void *)vaddr;
22129 diff -urNp linux-2.6.32.43/arch/x86/mm/ioremap.c linux-2.6.32.43/arch/x86/mm/ioremap.c
22130 --- linux-2.6.32.43/arch/x86/mm/ioremap.c 2011-03-27 14:31:47.000000000 -0400
22131 +++ linux-2.6.32.43/arch/x86/mm/ioremap.c 2011-04-17 15:56:46.000000000 -0400
22132 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
22133 * Second special case: Some BIOSen report the PC BIOS
22134 * area (640->1Mb) as ram even though it is not.
22135 */
22136 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
22137 - pagenr < (BIOS_END >> PAGE_SHIFT))
22138 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
22139 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22140 return 0;
22141
22142 for (i = 0; i < e820.nr_map; i++) {
22143 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
22144 /*
22145 * Don't allow anybody to remap normal RAM that we're using..
22146 */
22147 - for (pfn = phys_addr >> PAGE_SHIFT;
22148 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
22149 - pfn++) {
22150 -
22151 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
22152 int is_ram = page_is_ram(pfn);
22153
22154 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22155 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22156 return NULL;
22157 WARN_ON_ONCE(is_ram);
22158 }
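Review bot: The new test `pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))` in __ioremap_caller() limits the reserved-page exemption to frames below `0x100`, so any RAM page at or above that frame is refused regardless of `PageReserved`. `0x100` is the first frame at 1MB only when `PAGE_SIZE` is 4KB; writing it as `(0x100000 >> PAGE_SHIFT)` and adding a comment such as `/* reserved RAM may be remapped only in the first 1MB */` would make the rule readable. Callers that previously remapped reserved RAM above 1MB will now get NULL, which is worth stating in the patch description if intended. The function starts and ends outside the hunk.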
22159 @@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
22160 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22161
22162 static __initdata int after_paging_init;
22163 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22164 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22165
22166 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22167 {
22168 @@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
22169 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22170
22171 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22172 - memset(bm_pte, 0, sizeof(bm_pte));
22173 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22174 + pmd_populate_user(&init_mm, pmd, bm_pte);
22175
22176 /*
22177 * The boot-ioremap range spans multiple pmds, for which
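Review bot: early_ioremap_init() now installs `bm_pte` with `pmd_populate_user()` instead of `pmd_populate_kernel()`, and the name suggests the PMD entry is created with user-table flags for a kernel-only fixmap page table. The helper is defined elsewhere in the patch, so its exact flags cannot be checked here, but the choice needs a comment explaining why the kernel variant is unsuitable. The dropped `memset()` is consistent with `bm_pte` becoming `__read_only` in the preceding hunk and relies on static zero-initialisation. Any later write to `bm_pte` will likewise have to be bracketed by `pax_open_kernel()`/`pax_close_kernel()`.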
22178 diff -urNp linux-2.6.32.43/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.43/arch/x86/mm/kmemcheck/kmemcheck.c
22179 --- linux-2.6.32.43/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-27 14:31:47.000000000 -0400
22180 +++ linux-2.6.32.43/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:56:46.000000000 -0400
22181 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22182 * memory (e.g. tracked pages)? For now, we need this to avoid
22183 * invoking kmemcheck for PnP BIOS calls.
22184 */
22185 - if (regs->flags & X86_VM_MASK)
22186 + if (v8086_mode(regs))
22187 return false;
22188 - if (regs->cs != __KERNEL_CS)
22189 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22190 return false;
22191
22192 pte = kmemcheck_pte_lookup(address);
22193 diff -urNp linux-2.6.32.43/arch/x86/mm/mmap.c linux-2.6.32.43/arch/x86/mm/mmap.c
22194 --- linux-2.6.32.43/arch/x86/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
22195 +++ linux-2.6.32.43/arch/x86/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
22196 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22197 * Leave an at least ~128 MB hole with possible stack randomization.
22198 */
22199 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22200 -#define MAX_GAP (TASK_SIZE/6*5)
22201 +#define MAX_GAP (pax_task_size/6*5)
22202
22203 /*
22204 * True on X86_32 or when emulating IA32 on X86_64
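Review bot: `MAX_GAP` now expands to `(pax_task_size/6*5)` and so silently captures a local variable that must exist wherever the macro is used; today that is only mmap_base(), which declares it in a later hunk. Passing the size explicitly, `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site, removes the hidden dependency. It also gives a clear compile error instead of a confusing one if the macro is reused elsewhere.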
22205 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22206 return rnd << PAGE_SHIFT;
22207 }
22208
22209 -static unsigned long mmap_base(void)
22210 +static unsigned long mmap_base(struct mm_struct *mm)
22211 {
22212 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
22213 + unsigned long pax_task_size = TASK_SIZE;
22214 +
22215 +#ifdef CONFIG_PAX_SEGMEXEC
22216 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22217 + pax_task_size = SEGMEXEC_TASK_SIZE;
22218 +#endif
22219
22220 if (gap < MIN_GAP)
22221 gap = MIN_GAP;
22222 else if (gap > MAX_GAP)
22223 gap = MAX_GAP;
22224
22225 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22226 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22227 }
22228
22229 /*
22230 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22231 * does, but not when emulating X86_32
22232 */
22233 -static unsigned long mmap_legacy_base(void)
22234 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22235 {
22236 - if (mmap_is_ia32())
22237 + if (mmap_is_ia32()) {
22238 +
22239 +#ifdef CONFIG_PAX_SEGMEXEC
22240 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22241 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22242 + else
22243 +#endif
22244 +
22245 return TASK_UNMAPPED_BASE;
22246 - else
22247 + } else
22248 return TASK_UNMAPPED_BASE + mmap_rnd();
22249 }
22250
22251 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22252 void arch_pick_mmap_layout(struct mm_struct *mm)
22253 {
22254 if (mmap_is_legacy()) {
22255 - mm->mmap_base = mmap_legacy_base();
22256 + mm->mmap_base = mmap_legacy_base(mm);
22257 +
22258 +#ifdef CONFIG_PAX_RANDMMAP
22259 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22260 + mm->mmap_base += mm->delta_mmap;
22261 +#endif
22262 +
22263 mm->get_unmapped_area = arch_get_unmapped_area;
22264 mm->unmap_area = arch_unmap_area;
22265 } else {
22266 - mm->mmap_base = mmap_base();
22267 + mm->mmap_base = mmap_base(mm);
22268 +
22269 +#ifdef CONFIG_PAX_RANDMMAP
22270 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22271 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22272 +#endif
22273 +
22274 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22275 mm->unmap_area = arch_unmap_area_topdown;
22276 }
22277 diff -urNp linux-2.6.32.43/arch/x86/mm/mmio-mod.c linux-2.6.32.43/arch/x86/mm/mmio-mod.c
22278 --- linux-2.6.32.43/arch/x86/mm/mmio-mod.c 2011-03-27 14:31:47.000000000 -0400
22279 +++ linux-2.6.32.43/arch/x86/mm/mmio-mod.c 2011-07-06 19:53:33.000000000 -0400
22280 @@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
22281 break;
22282 default:
22283 {
22284 - unsigned char *ip = (unsigned char *)instptr;
22285 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
22286 my_trace->opcode = MMIO_UNKNOWN_OP;
22287 my_trace->width = 0;
22288 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
22289 @@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
22290 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22291 void __iomem *addr)
22292 {
22293 - static atomic_t next_id;
22294 + static atomic_unchecked_t next_id;
22295 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22296 /* These are page-unaligned. */
22297 struct mmiotrace_map map = {
22298 @@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
22299 .private = trace
22300 },
22301 .phys = offset,
22302 - .id = atomic_inc_return(&next_id)
22303 + .id = atomic_inc_return_unchecked(&next_id)
22304 };
22305 map.map_id = trace->id;
22306
22307 diff -urNp linux-2.6.32.43/arch/x86/mm/numa_32.c linux-2.6.32.43/arch/x86/mm/numa_32.c
22308 --- linux-2.6.32.43/arch/x86/mm/numa_32.c 2011-03-27 14:31:47.000000000 -0400
22309 +++ linux-2.6.32.43/arch/x86/mm/numa_32.c 2011-04-17 15:56:46.000000000 -0400
22310 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
22311 }
22312 #endif
22313
22314 -extern unsigned long find_max_low_pfn(void);
22315 extern unsigned long highend_pfn, highstart_pfn;
22316
22317 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22318 diff -urNp linux-2.6.32.43/arch/x86/mm/pageattr.c linux-2.6.32.43/arch/x86/mm/pageattr.c
22319 --- linux-2.6.32.43/arch/x86/mm/pageattr.c 2011-03-27 14:31:47.000000000 -0400
22320 +++ linux-2.6.32.43/arch/x86/mm/pageattr.c 2011-04-17 15:56:46.000000000 -0400
22321 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
22322 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
22323 */
22324 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22325 - pgprot_val(forbidden) |= _PAGE_NX;
22326 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22327
22328 /*
22329 * The kernel text needs to be executable for obvious reasons
22330 * Does not cover __inittext since that is gone later on. On
22331 * 64bit we do not enforce !NX on the low mapping
22332 */
22333 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22334 - pgprot_val(forbidden) |= _PAGE_NX;
22335 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22336 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22337
22338 +#ifdef CONFIG_DEBUG_RODATA
22339 /*
22340 * The .rodata section needs to be read-only. Using the pfn
22341 * catches all aliases.
22342 @@ -278,6 +279,14 @@ static inline pgprot_t static_protection
22343 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22344 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22345 pgprot_val(forbidden) |= _PAGE_RW;
22346 +#endif
22347 +
22348 +#ifdef CONFIG_PAX_KERNEXEC
22349 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22350 + pgprot_val(forbidden) |= _PAGE_RW;
22351 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22352 + }
22353 +#endif
22354
22355 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22356
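Review bot: The new CONFIG_PAX_KERNEXEC test compares `pfn` with `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are physical byte addresses, while the .rodata test just above shifts both bounds with `>> PAGE_SHIFT`. As written the range is not expressed in page frame numbers, so the kernel-image frames it appears meant to cover would not fall inside it and the `_PAGE_RW` / `_PAGE_NX` restriction would not be applied to their aliases. If the intent matches the rodata test, the condition would read `within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)`. static_protections() starts and ends outside this hunk.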
22357 @@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22358 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22359 {
22360 /* change init_mm */
22361 + pax_open_kernel();
22362 set_pte_atomic(kpte, pte);
22363 +
22364 #ifdef CONFIG_X86_32
22365 if (!SHARED_KERNEL_PMD) {
22366 +
22367 +#ifdef CONFIG_PAX_PER_CPU_PGD
22368 + unsigned long cpu;
22369 +#else
22370 struct page *page;
22371 +#endif
22372
22373 +#ifdef CONFIG_PAX_PER_CPU_PGD
22374 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22375 + pgd_t *pgd = get_cpu_pgd(cpu);
22376 +#else
22377 list_for_each_entry(page, &pgd_list, lru) {
22378 - pgd_t *pgd;
22379 + pgd_t *pgd = (pgd_t *)page_address(page);
22380 +#endif
22381 +
22382 pud_t *pud;
22383 pmd_t *pmd;
22384
22385 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22386 + pgd += pgd_index(address);
22387 pud = pud_offset(pgd, address);
22388 pmd = pmd_offset(pud, address);
22389 set_pte_atomic((pte_t *)pmd, pte);
22390 }
22391 }
22392 #endif
22393 + pax_close_kernel();
22394 }
22395
22396 static int
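Review bot: Under CONFIG_PAX_PER_CPU_PGD the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` writes through `get_cpu_pgd(cpu)` for every index below NR_CPUS, including CPUs that may not be possible on the running machine. `get_cpu_pgd()` is defined outside this hunk, so whether every slot is backed by a valid page directory cannot be confirmed here. If the per-CPU PGDs exist only for possible CPUs, `for_each_possible_cpu(cpu) {` is the safer loop header; otherwise a one-line comment stating that all NR_CPUS entries are statically allocated would settle it. `bios32_service()` in arch/x86/pci/pcbios.c uses the same loop shape with `get_cpu_gdt_table(cpu)`.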
22397 diff -urNp linux-2.6.32.43/arch/x86/mm/pageattr-test.c linux-2.6.32.43/arch/x86/mm/pageattr-test.c
22398 --- linux-2.6.32.43/arch/x86/mm/pageattr-test.c 2011-03-27 14:31:47.000000000 -0400
22399 +++ linux-2.6.32.43/arch/x86/mm/pageattr-test.c 2011-04-17 15:56:46.000000000 -0400
22400 @@ -36,7 +36,7 @@ enum {
22401
22402 static int pte_testbit(pte_t pte)
22403 {
22404 - return pte_flags(pte) & _PAGE_UNUSED1;
22405 + return pte_flags(pte) & _PAGE_CPA_TEST;
22406 }
22407
22408 struct split_state {
22409 diff -urNp linux-2.6.32.43/arch/x86/mm/pat.c linux-2.6.32.43/arch/x86/mm/pat.c
22410 --- linux-2.6.32.43/arch/x86/mm/pat.c 2011-03-27 14:31:47.000000000 -0400
22411 +++ linux-2.6.32.43/arch/x86/mm/pat.c 2011-04-17 15:56:46.000000000 -0400
22412 @@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
22413
22414 conflict:
22415 printk(KERN_INFO "%s:%d conflicting memory types "
22416 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
22417 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
22418 new->end, cattr_name(new->type), cattr_name(entry->type));
22419 return -EBUSY;
22420 }
22421 @@ -559,7 +559,7 @@ unlock_ret:
22422
22423 if (err) {
22424 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
22425 - current->comm, current->pid, start, end);
22426 + current->comm, task_pid_nr(current), start, end);
22427 }
22428
22429 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
22430 @@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
22431 while (cursor < to) {
22432 if (!devmem_is_allowed(pfn)) {
22433 printk(KERN_INFO
22434 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
22435 - current->comm, from, to);
22436 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
22437 + current->comm, from, to, cursor);
22438 return 0;
22439 }
22440 cursor += PAGE_SIZE;
22441 @@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
22442 printk(KERN_INFO
22443 "%s:%d ioremap_change_attr failed %s "
22444 "for %Lx-%Lx\n",
22445 - current->comm, current->pid,
22446 + current->comm, task_pid_nr(current),
22447 cattr_name(flags),
22448 base, (unsigned long long)(base + size));
22449 return -EINVAL;
22450 @@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
22451 free_memtype(paddr, paddr + size);
22452 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
22453 " for %Lx-%Lx, got %s\n",
22454 - current->comm, current->pid,
22455 + current->comm, task_pid_nr(current),
22456 cattr_name(want_flags),
22457 (unsigned long long)paddr,
22458 (unsigned long long)(paddr + size),
22459 diff -urNp linux-2.6.32.43/arch/x86/mm/pf_in.c linux-2.6.32.43/arch/x86/mm/pf_in.c
22460 --- linux-2.6.32.43/arch/x86/mm/pf_in.c 2011-03-27 14:31:47.000000000 -0400
22461 +++ linux-2.6.32.43/arch/x86/mm/pf_in.c 2011-07-06 19:53:33.000000000 -0400
22462 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
22463 int i;
22464 enum reason_type rv = OTHERS;
22465
22466 - p = (unsigned char *)ins_addr;
22467 + p = (unsigned char *)ktla_ktva(ins_addr);
22468 p += skip_prefix(p, &prf);
22469 p += get_opcode(p, &opcode);
22470
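Review bot: The same translation, `p = (unsigned char *)ktla_ktva(ins_addr);`, is added by hand in five decoders (this hunk and the four that follow in pf_in.c), and none of them says why the instruction address has to be converted before its bytes are read. One small static helper that returns the pointer and carries that comment would keep the call sites from drifting apart if another decoder is added. `ktla_ktva()` is defined outside this chunk, so the comment's wording should be taken from its definition. get_ins_type() starts and ends outside the hunk.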
22471 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
22472 struct prefix_bits prf;
22473 int i;
22474
22475 - p = (unsigned char *)ins_addr;
22476 + p = (unsigned char *)ktla_ktva(ins_addr);
22477 p += skip_prefix(p, &prf);
22478 p += get_opcode(p, &opcode);
22479
22480 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
22481 struct prefix_bits prf;
22482 int i;
22483
22484 - p = (unsigned char *)ins_addr;
22485 + p = (unsigned char *)ktla_ktva(ins_addr);
22486 p += skip_prefix(p, &prf);
22487 p += get_opcode(p, &opcode);
22488
22489 @@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
22490 int i;
22491 unsigned long rv;
22492
22493 - p = (unsigned char *)ins_addr;
22494 + p = (unsigned char *)ktla_ktva(ins_addr);
22495 p += skip_prefix(p, &prf);
22496 p += get_opcode(p, &opcode);
22497 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
22498 @@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
22499 int i;
22500 unsigned long rv;
22501
22502 - p = (unsigned char *)ins_addr;
22503 + p = (unsigned char *)ktla_ktva(ins_addr);
22504 p += skip_prefix(p, &prf);
22505 p += get_opcode(p, &opcode);
22506 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
22507 diff -urNp linux-2.6.32.43/arch/x86/mm/pgtable_32.c linux-2.6.32.43/arch/x86/mm/pgtable_32.c
22508 --- linux-2.6.32.43/arch/x86/mm/pgtable_32.c 2011-03-27 14:31:47.000000000 -0400
22509 +++ linux-2.6.32.43/arch/x86/mm/pgtable_32.c 2011-04-17 15:56:46.000000000 -0400
22510 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
22511 return;
22512 }
22513 pte = pte_offset_kernel(pmd, vaddr);
22514 +
22515 + pax_open_kernel();
22516 if (pte_val(pteval))
22517 set_pte_at(&init_mm, vaddr, pte, pteval);
22518 else
22519 pte_clear(&init_mm, vaddr, pte);
22520 + pax_close_kernel();
22521
22522 /*
22523 * It's enough to flush this one mapping.
22524 diff -urNp linux-2.6.32.43/arch/x86/mm/pgtable.c linux-2.6.32.43/arch/x86/mm/pgtable.c
22525 --- linux-2.6.32.43/arch/x86/mm/pgtable.c 2011-03-27 14:31:47.000000000 -0400
22526 +++ linux-2.6.32.43/arch/x86/mm/pgtable.c 2011-05-11 18:25:15.000000000 -0400
22527 @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
22528 list_del(&page->lru);
22529 }
22530
22531 -#define UNSHARED_PTRS_PER_PGD \
22532 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22533 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22534 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
22535
22536 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22537 +{
22538 + while (count--)
22539 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
22540 +}
22541 +#endif
22542 +
22543 +#ifdef CONFIG_PAX_PER_CPU_PGD
22544 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22545 +{
22546 + while (count--)
22547 +
22548 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22549 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
22550 +#else
22551 + *dst++ = *src++;
22552 +#endif
22553 +
22554 +}
22555 +#endif
22556 +
22557 +#ifdef CONFIG_X86_64
22558 +#define pxd_t pud_t
22559 +#define pyd_t pgd_t
22560 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
22561 +#define pxd_free(mm, pud) pud_free((mm), (pud))
22562 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
22563 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
22564 +#define PYD_SIZE PGDIR_SIZE
22565 +#else
22566 +#define pxd_t pmd_t
22567 +#define pyd_t pud_t
22568 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
22569 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
22570 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
22571 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
22572 +#define PYD_SIZE PUD_SIZE
22573 +#endif
22574 +
22575 +#ifdef CONFIG_PAX_PER_CPU_PGD
22576 +static inline void pgd_ctor(pgd_t *pgd) {}
22577 +static inline void pgd_dtor(pgd_t *pgd) {}
22578 +#else
22579 static void pgd_ctor(pgd_t *pgd)
22580 {
22581 /* If the pgd points to a shared pagetable level (either the
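Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop on `while (count--)`, so a negative count keeps copying page-directory entries far past both buffers instead of doing nothing. The callers are not in this hunk, so whether a negative value can reach them cannot be checked here; `while (count-- > 0)` costs nothing and bounds the loop either way. In `__clone_user_pgds()` the loop body is the single statement selected by the `#if`, separated from the `while` by a blank line, and braces around it would make that explicit.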
22582 @@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
22583 pgd_list_del(pgd);
22584 spin_unlock_irqrestore(&pgd_lock, flags);
22585 }
22586 +#endif
22587
22588 /*
22589 * List of all pgd's needed for non-PAE so it can invalidate entries
22590 @@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
22591 * -- wli
22592 */
22593
22594 -#ifdef CONFIG_X86_PAE
22595 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
22596 /*
22597 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
22598 * updating the top-level pagetable entries to guarantee the
22599 @@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
22600 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
22601 * and initialize the kernel pmds here.
22602 */
22603 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
22604 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22605
22606 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
22607 {
22608 @@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
22609 */
22610 flush_tlb_mm(mm);
22611 }
22612 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
22613 +#define PREALLOCATED_PXDS USER_PGD_PTRS
22614 #else /* !CONFIG_X86_PAE */
22615
22616 /* No need to prepopulate any pagetable entries in non-PAE modes. */
22617 -#define PREALLOCATED_PMDS 0
22618 +#define PREALLOCATED_PXDS 0
22619
22620 #endif /* CONFIG_X86_PAE */
22621
22622 -static void free_pmds(pmd_t *pmds[])
22623 +static void free_pxds(pxd_t *pxds[])
22624 {
22625 int i;
22626
22627 - for(i = 0; i < PREALLOCATED_PMDS; i++)
22628 - if (pmds[i])
22629 - free_page((unsigned long)pmds[i]);
22630 + for(i = 0; i < PREALLOCATED_PXDS; i++)
22631 + if (pxds[i])
22632 + free_page((unsigned long)pxds[i]);
22633 }
22634
22635 -static int preallocate_pmds(pmd_t *pmds[])
22636 +static int preallocate_pxds(pxd_t *pxds[])
22637 {
22638 int i;
22639 bool failed = false;
22640
22641 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22642 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
22643 - if (pmd == NULL)
22644 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22645 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
22646 + if (pxd == NULL)
22647 failed = true;
22648 - pmds[i] = pmd;
22649 + pxds[i] = pxd;
22650 }
22651
22652 if (failed) {
22653 - free_pmds(pmds);
22654 + free_pxds(pxds);
22655 return -ENOMEM;
22656 }
22657
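Review bot: The added `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` branch leaves the neighbouring preprocessor comments stale. `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe the chain they close, because an earlier hunk changed the opening test to `defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)`. Updating them, for example to `#else /* neither 32-bit PAE nor 64-bit per-CPU PGD */`, keeps the three definitions of `PREALLOCATED_PXDS` readable.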
22658 @@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
22659 * preallocate which never got a corresponding vma will need to be
22660 * freed manually.
22661 */
22662 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
22663 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
22664 {
22665 int i;
22666
22667 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22668 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22669 pgd_t pgd = pgdp[i];
22670
22671 if (pgd_val(pgd) != 0) {
22672 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
22673 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
22674
22675 - pgdp[i] = native_make_pgd(0);
22676 + set_pgd(pgdp + i, native_make_pgd(0));
22677
22678 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
22679 - pmd_free(mm, pmd);
22680 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
22681 + pxd_free(mm, pxd);
22682 }
22683 }
22684 }
22685
22686 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
22687 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
22688 {
22689 - pud_t *pud;
22690 + pyd_t *pyd;
22691 unsigned long addr;
22692 int i;
22693
22694 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
22695 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
22696 return;
22697
22698 - pud = pud_offset(pgd, 0);
22699 +#ifdef CONFIG_X86_64
22700 + pyd = pyd_offset(mm, 0L);
22701 +#else
22702 + pyd = pyd_offset(pgd, 0L);
22703 +#endif
22704
22705 - for (addr = i = 0; i < PREALLOCATED_PMDS;
22706 - i++, pud++, addr += PUD_SIZE) {
22707 - pmd_t *pmd = pmds[i];
22708 + for (addr = i = 0; i < PREALLOCATED_PXDS;
22709 + i++, pyd++, addr += PYD_SIZE) {
22710 + pxd_t *pxd = pxds[i];
22711
22712 if (i >= KERNEL_PGD_BOUNDARY)
22713 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22714 - sizeof(pmd_t) * PTRS_PER_PMD);
22715 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22716 + sizeof(pxd_t) * PTRS_PER_PMD);
22717
22718 - pud_populate(mm, pud, pmd);
22719 + pyd_populate(mm, pyd, pxd);
22720 }
22721 }
22722
22723 pgd_t *pgd_alloc(struct mm_struct *mm)
22724 {
22725 pgd_t *pgd;
22726 - pmd_t *pmds[PREALLOCATED_PMDS];
22727 + pxd_t *pxds[PREALLOCATED_PXDS];
22728 +
22729 unsigned long flags;
22730
22731 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
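Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in pgd_alloc() is an on-stack array, and an earlier hunk makes `PREALLOCATED_PXDS` equal to `USER_PGD_PTRS` on x86_64 with CONFIG_PAX_PER_CPU_PGD, so its footprint on the kernel stack now scales with that constant. The value of `USER_PGD_PTRS` is not visible in this chunk; a compile-time bound beside the declaration, such as `BUILD_BUG_ON(sizeof(pxds) > PAGE_SIZE / 4);` with a limit the maintainers choose, would document and enforce the assumption. Separately, the copy in pgd_prepopulate_pxd() still sizes itself with `sizeof(pxd_t) * PTRS_PER_PMD` although the element type is now the `pxd_t` alias, which is worth a comment or a matching alias for the entry count. pgd_alloc() continues outside this hunk.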
22732 @@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22733
22734 mm->pgd = pgd;
22735
22736 - if (preallocate_pmds(pmds) != 0)
22737 + if (preallocate_pxds(pxds) != 0)
22738 goto out_free_pgd;
22739
22740 if (paravirt_pgd_alloc(mm) != 0)
22741 - goto out_free_pmds;
22742 + goto out_free_pxds;
22743
22744 /*
22745 * Make sure that pre-populating the pmds is atomic with
22746 @@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22747 spin_lock_irqsave(&pgd_lock, flags);
22748
22749 pgd_ctor(pgd);
22750 - pgd_prepopulate_pmd(mm, pgd, pmds);
22751 + pgd_prepopulate_pxd(mm, pgd, pxds);
22752
22753 spin_unlock_irqrestore(&pgd_lock, flags);
22754
22755 return pgd;
22756
22757 -out_free_pmds:
22758 - free_pmds(pmds);
22759 +out_free_pxds:
22760 + free_pxds(pxds);
22761 out_free_pgd:
22762 free_page((unsigned long)pgd);
22763 out:
22764 @@ -287,7 +338,7 @@ out:
22765
22766 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
22767 {
22768 - pgd_mop_up_pmds(mm, pgd);
22769 + pgd_mop_up_pxds(mm, pgd);
22770 pgd_dtor(pgd);
22771 paravirt_pgd_free(mm, pgd);
22772 free_page((unsigned long)pgd);
22773 diff -urNp linux-2.6.32.43/arch/x86/mm/setup_nx.c linux-2.6.32.43/arch/x86/mm/setup_nx.c
22774 --- linux-2.6.32.43/arch/x86/mm/setup_nx.c 2011-03-27 14:31:47.000000000 -0400
22775 +++ linux-2.6.32.43/arch/x86/mm/setup_nx.c 2011-04-17 15:56:46.000000000 -0400
22776 @@ -4,11 +4,10 @@
22777
22778 #include <asm/pgtable.h>
22779
22780 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
22781 int nx_enabled;
22782
22783 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22784 -static int disable_nx __cpuinitdata;
22785 -
22786 +#ifndef CONFIG_PAX_PAGEEXEC
22787 /*
22788 * noexec = on|off
22789 *
22790 @@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
22791 if (!str)
22792 return -EINVAL;
22793 if (!strncmp(str, "on", 2)) {
22794 - __supported_pte_mask |= _PAGE_NX;
22795 - disable_nx = 0;
22796 + nx_enabled = 1;
22797 } else if (!strncmp(str, "off", 3)) {
22798 - disable_nx = 1;
22799 - __supported_pte_mask &= ~_PAGE_NX;
22800 + nx_enabled = 0;
22801 }
22802 return 0;
22803 }
22804 early_param("noexec", noexec_setup);
22805 #endif
22806 +#endif
22807
22808 #ifdef CONFIG_X86_PAE
22809 void __init set_nx(void)
22810 {
22811 - unsigned int v[4], l, h;
22812 + if (!nx_enabled && cpu_has_nx) {
22813 + unsigned l, h;
22814
22815 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
22816 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
22817 -
22818 - if ((v[3] & (1 << 20)) && !disable_nx) {
22819 - rdmsr(MSR_EFER, l, h);
22820 - l |= EFER_NX;
22821 - wrmsr(MSR_EFER, l, h);
22822 - nx_enabled = 1;
22823 - __supported_pte_mask |= _PAGE_NX;
22824 - }
22825 + __supported_pte_mask &= ~_PAGE_NX;
22826 + rdmsr(MSR_EFER, l, h);
22827 + l &= ~EFER_NX;
22828 + wrmsr(MSR_EFER, l, h);
22829 }
22830 }
22831 #else
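Review bot: After this change `set_nx()` only ever turns NX off: it clears `_PAGE_NX` from `__supported_pte_mask` and `EFER_NX` from the MSR when `nx_enabled` is 0 and the CPU has NX, and nothing in the function enables it. That is the reverse of what the name suggests, and it relies on NX and `nx_enabled` having been set before this runs, which these hunks do not show (`int nx_enabled;` is declared here without an initialiser). A comment above the `if` would help, for example `/* NX is set up earlier in boot; this only undoes it for noexec=off */`, adjusted to wherever the flag is actually set.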
22832 @@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
22833 unsigned long efer;
22834
22835 rdmsrl(MSR_EFER, efer);
22836 - if (!(efer & EFER_NX) || disable_nx)
22837 + if (!(efer & EFER_NX) || !nx_enabled)
22838 __supported_pte_mask &= ~_PAGE_NX;
22839 }
22840 #endif
22841 diff -urNp linux-2.6.32.43/arch/x86/mm/tlb.c linux-2.6.32.43/arch/x86/mm/tlb.c
22842 --- linux-2.6.32.43/arch/x86/mm/tlb.c 2011-03-27 14:31:47.000000000 -0400
22843 +++ linux-2.6.32.43/arch/x86/mm/tlb.c 2011-04-23 12:56:10.000000000 -0400
22844 @@ -61,7 +61,11 @@ void leave_mm(int cpu)
22845 BUG();
22846 cpumask_clear_cpu(cpu,
22847 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
22848 +
22849 +#ifndef CONFIG_PAX_PER_CPU_PGD
22850 load_cr3(swapper_pg_dir);
22851 +#endif
22852 +
22853 }
22854 EXPORT_SYMBOL_GPL(leave_mm);
22855
22856 diff -urNp linux-2.6.32.43/arch/x86/oprofile/backtrace.c linux-2.6.32.43/arch/x86/oprofile/backtrace.c
22857 --- linux-2.6.32.43/arch/x86/oprofile/backtrace.c 2011-03-27 14:31:47.000000000 -0400
22858 +++ linux-2.6.32.43/arch/x86/oprofile/backtrace.c 2011-04-17 15:56:46.000000000 -0400
22859 @@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
22860 struct frame_head bufhead[2];
22861
22862 /* Also check accessibility of one struct frame_head beyond */
22863 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
22864 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
22865 return NULL;
22866 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
22867 return NULL;
22868 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
22869 {
22870 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
22871
22872 - if (!user_mode_vm(regs)) {
22873 + if (!user_mode(regs)) {
22874 unsigned long stack = kernel_stack_pointer(regs);
22875 if (depth)
22876 dump_trace(NULL, regs, (unsigned long *)stack, 0,
22877 diff -urNp linux-2.6.32.43/arch/x86/oprofile/op_model_p4.c linux-2.6.32.43/arch/x86/oprofile/op_model_p4.c
22878 --- linux-2.6.32.43/arch/x86/oprofile/op_model_p4.c 2011-03-27 14:31:47.000000000 -0400
22879 +++ linux-2.6.32.43/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:56:46.000000000 -0400
22880 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
22881 #endif
22882 }
22883
22884 -static int inline addr_increment(void)
22885 +static inline int addr_increment(void)
22886 {
22887 #ifdef CONFIG_SMP
22888 return smp_num_siblings == 2 ? 2 : 1;
22889 diff -urNp linux-2.6.32.43/arch/x86/pci/common.c linux-2.6.32.43/arch/x86/pci/common.c
22890 --- linux-2.6.32.43/arch/x86/pci/common.c 2011-03-27 14:31:47.000000000 -0400
22891 +++ linux-2.6.32.43/arch/x86/pci/common.c 2011-04-23 12:56:10.000000000 -0400
22892 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
22893 int pcibios_last_bus = -1;
22894 unsigned long pirq_table_addr;
22895 struct pci_bus *pci_root_bus;
22896 -struct pci_raw_ops *raw_pci_ops;
22897 -struct pci_raw_ops *raw_pci_ext_ops;
22898 +const struct pci_raw_ops *raw_pci_ops;
22899 +const struct pci_raw_ops *raw_pci_ext_ops;
22900
22901 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
22902 int reg, int len, u32 *val)
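Review bot: Making the ops tables `const` protects the function pointers inside them, but `raw_pci_ops` and `raw_pci_ext_ops` themselves remain ordinary writable globals, so the dispatch target can still change through the pointer. If they are assigned only during initialisation (the assignments are not in this hunk), they could carry the same `__read_only` annotation this patch applies to `pci_indirect`, e.g. `const struct pci_raw_ops *raw_pci_ops __read_only;`. If they are legitimately reassigned later, a short comment saying so would explain why they were left out.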
22903 diff -urNp linux-2.6.32.43/arch/x86/pci/direct.c linux-2.6.32.43/arch/x86/pci/direct.c
22904 --- linux-2.6.32.43/arch/x86/pci/direct.c 2011-03-27 14:31:47.000000000 -0400
22905 +++ linux-2.6.32.43/arch/x86/pci/direct.c 2011-04-17 15:56:46.000000000 -0400
22906 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
22907
22908 #undef PCI_CONF1_ADDRESS
22909
22910 -struct pci_raw_ops pci_direct_conf1 = {
22911 +const struct pci_raw_ops pci_direct_conf1 = {
22912 .read = pci_conf1_read,
22913 .write = pci_conf1_write,
22914 };
22915 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
22916
22917 #undef PCI_CONF2_ADDRESS
22918
22919 -struct pci_raw_ops pci_direct_conf2 = {
22920 +const struct pci_raw_ops pci_direct_conf2 = {
22921 .read = pci_conf2_read,
22922 .write = pci_conf2_write,
22923 };
22924 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
22925 * This should be close to trivial, but it isn't, because there are buggy
22926 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
22927 */
22928 -static int __init pci_sanity_check(struct pci_raw_ops *o)
22929 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
22930 {
22931 u32 x = 0;
22932 int year, devfn;
22933 diff -urNp linux-2.6.32.43/arch/x86/pci/mmconfig_32.c linux-2.6.32.43/arch/x86/pci/mmconfig_32.c
22934 --- linux-2.6.32.43/arch/x86/pci/mmconfig_32.c 2011-03-27 14:31:47.000000000 -0400
22935 +++ linux-2.6.32.43/arch/x86/pci/mmconfig_32.c 2011-04-17 15:56:46.000000000 -0400
22936 @@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
22937 return 0;
22938 }
22939
22940 -static struct pci_raw_ops pci_mmcfg = {
22941 +static const struct pci_raw_ops pci_mmcfg = {
22942 .read = pci_mmcfg_read,
22943 .write = pci_mmcfg_write,
22944 };
22945 diff -urNp linux-2.6.32.43/arch/x86/pci/mmconfig_64.c linux-2.6.32.43/arch/x86/pci/mmconfig_64.c
22946 --- linux-2.6.32.43/arch/x86/pci/mmconfig_64.c 2011-03-27 14:31:47.000000000 -0400
22947 +++ linux-2.6.32.43/arch/x86/pci/mmconfig_64.c 2011-04-17 15:56:46.000000000 -0400
22948 @@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
22949 return 0;
22950 }
22951
22952 -static struct pci_raw_ops pci_mmcfg = {
22953 +static const struct pci_raw_ops pci_mmcfg = {
22954 .read = pci_mmcfg_read,
22955 .write = pci_mmcfg_write,
22956 };
22957 diff -urNp linux-2.6.32.43/arch/x86/pci/numaq_32.c linux-2.6.32.43/arch/x86/pci/numaq_32.c
22958 --- linux-2.6.32.43/arch/x86/pci/numaq_32.c 2011-03-27 14:31:47.000000000 -0400
22959 +++ linux-2.6.32.43/arch/x86/pci/numaq_32.c 2011-04-17 15:56:46.000000000 -0400
22960 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
22961
22962 #undef PCI_CONF1_MQ_ADDRESS
22963
22964 -static struct pci_raw_ops pci_direct_conf1_mq = {
22965 +static const struct pci_raw_ops pci_direct_conf1_mq = {
22966 .read = pci_conf1_mq_read,
22967 .write = pci_conf1_mq_write
22968 };
22969 diff -urNp linux-2.6.32.43/arch/x86/pci/olpc.c linux-2.6.32.43/arch/x86/pci/olpc.c
22970 --- linux-2.6.32.43/arch/x86/pci/olpc.c 2011-03-27 14:31:47.000000000 -0400
22971 +++ linux-2.6.32.43/arch/x86/pci/olpc.c 2011-04-17 15:56:46.000000000 -0400
22972 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
22973 return 0;
22974 }
22975
22976 -static struct pci_raw_ops pci_olpc_conf = {
22977 +static const struct pci_raw_ops pci_olpc_conf = {
22978 .read = pci_olpc_read,
22979 .write = pci_olpc_write,
22980 };
22981 diff -urNp linux-2.6.32.43/arch/x86/pci/pcbios.c linux-2.6.32.43/arch/x86/pci/pcbios.c
22982 --- linux-2.6.32.43/arch/x86/pci/pcbios.c 2011-03-27 14:31:47.000000000 -0400
22983 +++ linux-2.6.32.43/arch/x86/pci/pcbios.c 2011-04-17 15:56:46.000000000 -0400
22984 @@ -56,50 +56,93 @@ union bios32 {
22985 static struct {
22986 unsigned long address;
22987 unsigned short segment;
22988 -} bios32_indirect = { 0, __KERNEL_CS };
22989 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
22990
22991 /*
22992 * Returns the entry point for the given service, NULL on error
22993 */
22994
22995 -static unsigned long bios32_service(unsigned long service)
22996 +static unsigned long __devinit bios32_service(unsigned long service)
22997 {
22998 unsigned char return_code; /* %al */
22999 unsigned long address; /* %ebx */
23000 unsigned long length; /* %ecx */
23001 unsigned long entry; /* %edx */
23002 unsigned long flags;
23003 + struct desc_struct d, *gdt;
23004
23005 local_irq_save(flags);
23006 - __asm__("lcall *(%%edi); cld"
23007 +
23008 + gdt = get_cpu_gdt_table(smp_processor_id());
23009 +
23010 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23011 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23012 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23013 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23014 +
23015 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23016 : "=a" (return_code),
23017 "=b" (address),
23018 "=c" (length),
23019 "=d" (entry)
23020 : "0" (service),
23021 "1" (0),
23022 - "D" (&bios32_indirect));
23023 + "D" (&bios32_indirect),
23024 + "r"(__PCIBIOS_DS)
23025 + : "memory");
23026 +
23027 + pax_open_kernel();
23028 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23029 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23030 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23031 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23032 + pax_close_kernel();
23033 +
23034 local_irq_restore(flags);
23035
23036 switch (return_code) {
23037 - case 0:
23038 - return address + entry;
23039 - case 0x80: /* Not present */
23040 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23041 - return 0;
23042 - default: /* Shouldn't happen */
23043 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23044 - service, return_code);
23045 + case 0: {
23046 + int cpu;
23047 + unsigned char flags;
23048 +
23049 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23050 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23051 + printk(KERN_WARNING "bios32_service: not valid\n");
23052 return 0;
23053 + }
23054 + address = address + PAGE_OFFSET;
23055 + length += 16UL; /* some BIOSs underreport this... */
23056 + flags = 4;
23057 + if (length >= 64*1024*1024) {
23058 + length >>= PAGE_SHIFT;
23059 + flags |= 8;
23060 + }
23061 +
23062 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23063 + gdt = get_cpu_gdt_table(cpu);
23064 + pack_descriptor(&d, address, length, 0x9b, flags);
23065 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23066 + pack_descriptor(&d, address, length, 0x93, flags);
23067 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23068 + }
23069 + return entry;
23070 + }
23071 + case 0x80: /* Not present */
23072 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23073 + return 0;
23074 + default: /* Shouldn't happen */
23075 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23076 + service, return_code);
23077 + return 0;
23078 }
23079 }
23080
23081 static struct {
23082 unsigned long address;
23083 unsigned short segment;
23084 -} pci_indirect = { 0, __KERNEL_CS };
23085 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23086
23087 -static int pci_bios_present;
23088 +static int pci_bios_present __read_only;
23089
23090 static int __devinit check_pcibios(void)
23091 {
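Review bot: In the `case 0:` block of bios32_service() the test `if (length >= 64*1024*1024)` can never be true, because the validation just above rejects any `length` larger than `0x100000 - address` and only 16 is added afterwards; the page-granular path (`length >>= PAGE_SHIFT; flags |= 8;`) is dead code. Either the bound or the threshold is presumably not what was intended. `length` is also passed to `pack_descriptor()` as the segment limit as-is, and how that helper treats a value that needs more than 20 bits is not visible here. The same block declares `unsigned char flags`, which shadows the outer `unsigned long flags` used by `local_irq_save()`; a distinct name such as `unsigned char desc_flags;` removes the ambiguity.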
23092 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
23093 unsigned long flags, pcibios_entry;
23094
23095 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23096 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23097 + pci_indirect.address = pcibios_entry;
23098
23099 local_irq_save(flags);
23100 - __asm__(
23101 - "lcall *(%%edi); cld\n\t"
23102 + __asm__("movw %w6, %%ds\n\t"
23103 + "lcall *%%ss:(%%edi); cld\n\t"
23104 + "push %%ss\n\t"
23105 + "pop %%ds\n\t"
23106 "jc 1f\n\t"
23107 "xor %%ah, %%ah\n"
23108 "1:"
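Review bot: `pci_indirect` is declared `__read_only` in the previous hunk, yet `pci_indirect.address = pcibios_entry;` here is a plain store with no `pax_open_kernel()` / `pax_close_kernel()` around it, unlike the GDT stores this patch adds in bios32_service(). That is fine only while check_pcibios() runs before read-only data is write-protected; the function is `__devinit`, and the point at which the protection takes effect is not visible in this chunk. If a later call is possible, the store needs the same bracket: `pax_open_kernel(); pci_indirect.address = pcibios_entry; pax_close_kernel();`. check_pcibios() continues outside this hunk.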
23109 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
23110 "=b" (ebx),
23111 "=c" (ecx)
23112 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23113 - "D" (&pci_indirect)
23114 + "D" (&pci_indirect),
23115 + "r" (__PCIBIOS_DS)
23116 : "memory");
23117 local_irq_restore(flags);
23118
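Review bot: The data-segment selector is appended as the last positional operand and referenced as `%w6` in the template of the previous hunk (and as `%w5`, `%w7` or `%w8` at the other BIOS call sites in this file), so adding or removing any operand would make the template load `%ds` from a different operand without a diagnostic. A named operand ties the two together: `[ds] "r" (__PCIBIOS_DS)` in the list and `movw %w[ds], %%ds` in the template. The switch, call and restore sequence is repeated at every call site, so a one-line comment at the first of them, stating that `%ss` is used to reach `pci_indirect` and to restore `%ds` because `%ds` no longer addresses kernel data during the call, would help readers of the later copies.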
23119 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
23120
23121 switch (len) {
23122 case 1:
23123 - __asm__("lcall *(%%esi); cld\n\t"
23124 + __asm__("movw %w6, %%ds\n\t"
23125 + "lcall *%%ss:(%%esi); cld\n\t"
23126 + "push %%ss\n\t"
23127 + "pop %%ds\n\t"
23128 "jc 1f\n\t"
23129 "xor %%ah, %%ah\n"
23130 "1:"
23131 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
23132 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23133 "b" (bx),
23134 "D" ((long)reg),
23135 - "S" (&pci_indirect));
23136 + "S" (&pci_indirect),
23137 + "r" (__PCIBIOS_DS));
23138 /*
23139 * Zero-extend the result beyond 8 bits, do not trust the
23140 * BIOS having done it:
23141 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
23142 *value &= 0xff;
23143 break;
23144 case 2:
23145 - __asm__("lcall *(%%esi); cld\n\t"
23146 + __asm__("movw %w6, %%ds\n\t"
23147 + "lcall *%%ss:(%%esi); cld\n\t"
23148 + "push %%ss\n\t"
23149 + "pop %%ds\n\t"
23150 "jc 1f\n\t"
23151 "xor %%ah, %%ah\n"
23152 "1:"
23153 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
23154 : "1" (PCIBIOS_READ_CONFIG_WORD),
23155 "b" (bx),
23156 "D" ((long)reg),
23157 - "S" (&pci_indirect));
23158 + "S" (&pci_indirect),
23159 + "r" (__PCIBIOS_DS));
23160 /*
23161 * Zero-extend the result beyond 16 bits, do not trust the
23162 * BIOS having done it:
23163 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
23164 *value &= 0xffff;
23165 break;
23166 case 4:
23167 - __asm__("lcall *(%%esi); cld\n\t"
23168 + __asm__("movw %w6, %%ds\n\t"
23169 + "lcall *%%ss:(%%esi); cld\n\t"
23170 + "push %%ss\n\t"
23171 + "pop %%ds\n\t"
23172 "jc 1f\n\t"
23173 "xor %%ah, %%ah\n"
23174 "1:"
23175 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
23176 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23177 "b" (bx),
23178 "D" ((long)reg),
23179 - "S" (&pci_indirect));
23180 + "S" (&pci_indirect),
23181 + "r" (__PCIBIOS_DS));
23182 break;
23183 }
23184
23185 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
23186
23187 switch (len) {
23188 case 1:
23189 - __asm__("lcall *(%%esi); cld\n\t"
23190 + __asm__("movw %w6, %%ds\n\t"
23191 + "lcall *%%ss:(%%esi); cld\n\t"
23192 + "push %%ss\n\t"
23193 + "pop %%ds\n\t"
23194 "jc 1f\n\t"
23195 "xor %%ah, %%ah\n"
23196 "1:"
23197 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
23198 "c" (value),
23199 "b" (bx),
23200 "D" ((long)reg),
23201 - "S" (&pci_indirect));
23202 + "S" (&pci_indirect),
23203 + "r" (__PCIBIOS_DS));
23204 break;
23205 case 2:
23206 - __asm__("lcall *(%%esi); cld\n\t"
23207 + __asm__("movw %w6, %%ds\n\t"
23208 + "lcall *%%ss:(%%esi); cld\n\t"
23209 + "push %%ss\n\t"
23210 + "pop %%ds\n\t"
23211 "jc 1f\n\t"
23212 "xor %%ah, %%ah\n"
23213 "1:"
23214 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
23215 "c" (value),
23216 "b" (bx),
23217 "D" ((long)reg),
23218 - "S" (&pci_indirect));
23219 + "S" (&pci_indirect),
23220 + "r" (__PCIBIOS_DS));
23221 break;
23222 case 4:
23223 - __asm__("lcall *(%%esi); cld\n\t"
23224 + __asm__("movw %w6, %%ds\n\t"
23225 + "lcall *%%ss:(%%esi); cld\n\t"
23226 + "push %%ss\n\t"
23227 + "pop %%ds\n\t"
23228 "jc 1f\n\t"
23229 "xor %%ah, %%ah\n"
23230 "1:"
23231 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
23232 "c" (value),
23233 "b" (bx),
23234 "D" ((long)reg),
23235 - "S" (&pci_indirect));
23236 + "S" (&pci_indirect),
23237 + "r" (__PCIBIOS_DS));
23238 break;
23239 }
23240
23241 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
23242 * Function table for BIOS32 access
23243 */
23244
23245 -static struct pci_raw_ops pci_bios_access = {
23246 +static const struct pci_raw_ops pci_bios_access = {
23247 .read = pci_bios_read,
23248 .write = pci_bios_write
23249 };
23250 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
23251 * Try to find PCI BIOS.
23252 */
23253
23254 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23255 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23256 {
23257 union bios32 *check;
23258 unsigned char sum;
23259 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
23260
23261 DBG("PCI: Fetching IRQ routing table... ");
23262 __asm__("push %%es\n\t"
23263 + "movw %w8, %%ds\n\t"
23264 "push %%ds\n\t"
23265 "pop %%es\n\t"
23266 - "lcall *(%%esi); cld\n\t"
23267 + "lcall *%%ss:(%%esi); cld\n\t"
23268 "pop %%es\n\t"
23269 + "push %%ss\n\t"
23270 + "pop %%ds\n"
23271 "jc 1f\n\t"
23272 "xor %%ah, %%ah\n"
23273 "1:"
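Review bot: Because `movw %w8, %%ds` is inserted ahead of the existing `push %%ds` / `pop %%es` pair, ES is now loaded with __PCIBIOS_DS instead of the data segment the caller was running with. The `&opt` pointer passed in EDI (see the operand list in the next hunk) is therefore interpreted relative to that descriptor for the duration of the call. The descriptor's base and limit are defined outside this hunk, so if the ordering is intentional it should be recorded, for example `/* ES = DS = __PCIBIOS_DS; ES:EDI must still address opt */`. The new `"pop %%ds\n"` also drops the `\t` that the other lines of the template carry.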
23274 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
23275 "1" (0),
23276 "D" ((long) &opt),
23277 "S" (&pci_indirect),
23278 - "m" (opt)
23279 + "m" (opt),
23280 + "r" (__PCIBIOS_DS)
23281 : "memory");
23282 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23283 if (ret & 0xff00)
23284 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
23285 {
23286 int ret;
23287
23288 - __asm__("lcall *(%%esi); cld\n\t"
23289 + __asm__("movw %w5, %%ds\n\t"
23290 + "lcall *%%ss:(%%esi); cld\n\t"
23291 + "push %%ss\n\t"
23292 + "pop %%ds\n"
23293 "jc 1f\n\t"
23294 "xor %%ah, %%ah\n"
23295 "1:"
23296 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
23297 : "0" (PCIBIOS_SET_PCI_HW_INT),
23298 "b" ((dev->bus->number << 8) | dev->devfn),
23299 "c" ((irq << 8) | (pin + 10)),
23300 - "S" (&pci_indirect));
23301 + "S" (&pci_indirect),
23302 + "r" (__PCIBIOS_DS));
23303 return !(ret & 0xff00);
23304 }
23305 EXPORT_SYMBOL(pcibios_set_irq_routing);
23306 diff -urNp linux-2.6.32.43/arch/x86/power/cpu.c linux-2.6.32.43/arch/x86/power/cpu.c
23307 --- linux-2.6.32.43/arch/x86/power/cpu.c 2011-03-27 14:31:47.000000000 -0400
23308 +++ linux-2.6.32.43/arch/x86/power/cpu.c 2011-04-17 15:56:46.000000000 -0400
23309 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
23310 static void fix_processor_context(void)
23311 {
23312 int cpu = smp_processor_id();
23313 - struct tss_struct *t = &per_cpu(init_tss, cpu);
23314 + struct tss_struct *t = init_tss + cpu;
23315
23316 set_tss_desc(cpu, t); /*
23317 * This just modifies memory; should not be
23318 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
23319 */
23320
23321 #ifdef CONFIG_X86_64
23322 + pax_open_kernel();
23323 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
23324 + pax_close_kernel();
23325
23326 syscall_init(); /* This sets MSR_*STAR and related */
23327 #endif
23328 diff -urNp linux-2.6.32.43/arch/x86/vdso/Makefile linux-2.6.32.43/arch/x86/vdso/Makefile
23329 --- linux-2.6.32.43/arch/x86/vdso/Makefile 2011-03-27 14:31:47.000000000 -0400
23330 +++ linux-2.6.32.43/arch/x86/vdso/Makefile 2011-04-17 15:56:46.000000000 -0400
23331 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
23332 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
23333 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
23334
23335 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23336 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23337 GCOV_PROFILE := n
23338
23339 #
23340 diff -urNp linux-2.6.32.43/arch/x86/vdso/vclock_gettime.c linux-2.6.32.43/arch/x86/vdso/vclock_gettime.c
23341 --- linux-2.6.32.43/arch/x86/vdso/vclock_gettime.c 2011-03-27 14:31:47.000000000 -0400
23342 +++ linux-2.6.32.43/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:56:46.000000000 -0400
23343 @@ -22,24 +22,48 @@
23344 #include <asm/hpet.h>
23345 #include <asm/unistd.h>
23346 #include <asm/io.h>
23347 +#include <asm/fixmap.h>
23348 #include "vextern.h"
23349
23350 #define gtod vdso_vsyscall_gtod_data
23351
23352 +notrace noinline long __vdso_fallback_time(long *t)
23353 +{
23354 + long secs;
23355 + asm volatile("syscall"
23356 + : "=a" (secs)
23357 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
23358 + return secs;
23359 +}
23360 +
23361 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
23362 {
23363 long ret;
23364 asm("syscall" : "=a" (ret) :
23365 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
23366 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
23367 return ret;
23368 }
23369
23370 +notrace static inline cycle_t __vdso_vread_hpet(void)
23371 +{
23372 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
23373 +}
23374 +
23375 +notrace static inline cycle_t __vdso_vread_tsc(void)
23376 +{
23377 + cycle_t ret = (cycle_t)vget_cycles();
23378 +
23379 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
23380 +}
23381 +
23382 notrace static inline long vgetns(void)
23383 {
23384 long v;
23385 - cycles_t (*vread)(void);
23386 - vread = gtod->clock.vread;
23387 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
23388 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
23389 + v = __vdso_vread_tsc();
23390 + else
23391 + v = __vdso_vread_hpet();
23392 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
23393 return (v * gtod->clock.mult) >> gtod->clock.shift;
23394 }
23395
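Review bot: In the rewritten vgetns(), every clock whose name is not exactly "tsc" falls through to `__vdso_vread_hpet()`, so the function is only correct when its caller has already established that the clock is "tsc" or "hpet". The later hunks add that test to __vdso_clock_gettime() and __vdso_gettimeofday(), but the other callers of vgetns() are not visible here. A comment on the `else` such as `/* callers have checked clock.name is "tsc" or "hpet" */` would record the dependency, and the three open-coded character comparisons in this file would be easier to keep in step as one small `static inline` helper. The literal `0xf0` in __vdso_vread_hpet() could be written as `HPET_COUNTER`, since `<asm/hpet.h>` is already included.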
23396 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
23397
23398 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
23399 {
23400 - if (likely(gtod->sysctl_enabled))
23401 + if (likely(gtod->sysctl_enabled &&
23402 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23403 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23404 switch (clock) {
23405 case CLOCK_REALTIME:
23406 if (likely(gtod->clock.vread))
23407 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
23408 int clock_gettime(clockid_t, struct timespec *)
23409 __attribute__((weak, alias("__vdso_clock_gettime")));
23410
23411 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23412 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
23413 {
23414 long ret;
23415 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
23416 + asm("syscall" : "=a" (ret) :
23417 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
23418 + return ret;
23419 +}
23420 +
23421 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23422 +{
23423 + if (likely(gtod->sysctl_enabled &&
23424 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23425 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23426 + {
23427 if (likely(tv != NULL)) {
23428 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
23429 offsetof(struct timespec, tv_nsec) ||
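Review bot: __vdso_fallback_gettimeofday() issues its syscall with a plain `asm`, whereas __vdso_fallback_time(), added earlier in this file, uses `asm volatile` for the same kind of call. A non-volatile asm with an output operand may be merged or dropped by the compiler when it judges the result redundant, which is not wanted for a system call. Writing `asm volatile("syscall" : "=a" (ret) :` here and in vdso_fallback_gettime() would make the three fallbacks consistent. The body of __vdso_gettimeofday() continues outside the hunk.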
23430 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
23431 }
23432 return 0;
23433 }
23434 - asm("syscall" : "=a" (ret) :
23435 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
23436 - return ret;
23437 + return __vdso_fallback_gettimeofday(tv, tz);
23438 }
23439 int gettimeofday(struct timeval *, struct timezone *)
23440 __attribute__((weak, alias("__vdso_gettimeofday")));
23441 diff -urNp linux-2.6.32.43/arch/x86/vdso/vdso32-setup.c linux-2.6.32.43/arch/x86/vdso/vdso32-setup.c
23442 --- linux-2.6.32.43/arch/x86/vdso/vdso32-setup.c 2011-03-27 14:31:47.000000000 -0400
23443 +++ linux-2.6.32.43/arch/x86/vdso/vdso32-setup.c 2011-04-23 12:56:10.000000000 -0400
23444 @@ -25,6 +25,7 @@
23445 #include <asm/tlbflush.h>
23446 #include <asm/vdso.h>
23447 #include <asm/proto.h>
23448 +#include <asm/mman.h>
23449
23450 enum {
23451 VDSO_DISABLED = 0,
23452 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
23453 void enable_sep_cpu(void)
23454 {
23455 int cpu = get_cpu();
23456 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
23457 + struct tss_struct *tss = init_tss + cpu;
23458
23459 if (!boot_cpu_has(X86_FEATURE_SEP)) {
23460 put_cpu();
23461 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
23462 gate_vma.vm_start = FIXADDR_USER_START;
23463 gate_vma.vm_end = FIXADDR_USER_END;
23464 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
23465 - gate_vma.vm_page_prot = __P101;
23466 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
23467 /*
23468 * Make sure the vDSO gets into every core dump.
23469 * Dumping its contents makes post-mortem fully interpretable later
23470 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
23471 if (compat)
23472 addr = VDSO_HIGH_BASE;
23473 else {
23474 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
23475 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
23476 if (IS_ERR_VALUE(addr)) {
23477 ret = addr;
23478 goto up_fail;
23479 }
23480 }
23481
23482 - current->mm->context.vdso = (void *)addr;
23483 + current->mm->context.vdso = addr;
23484
23485 if (compat_uses_vma || !compat) {
23486 /*
23487 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
23488 }
23489
23490 current_thread_info()->sysenter_return =
23491 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23492 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23493
23494 up_fail:
23495 if (ret)
23496 - current->mm->context.vdso = NULL;
23497 + current->mm->context.vdso = 0;
23498
23499 up_write(&mm->mmap_sem);
23500
23501 @@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
23502
23503 const char *arch_vma_name(struct vm_area_struct *vma)
23504 {
23505 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23506 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23507 return "[vdso]";
23508 +
23509 +#ifdef CONFIG_PAX_SEGMEXEC
23510 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
23511 + return "[vdso]";
23512 +#endif
23513 +
23514 return NULL;
23515 }
23516
23517 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
23518 struct mm_struct *mm = tsk->mm;
23519
23520 /* Check to see if this task was created in compat vdso mode */
23521 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
23522 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
23523 return &gate_vma;
23524 return NULL;
23525 }
23526 diff -urNp linux-2.6.32.43/arch/x86/vdso/vdso.lds.S linux-2.6.32.43/arch/x86/vdso/vdso.lds.S
23527 --- linux-2.6.32.43/arch/x86/vdso/vdso.lds.S 2011-03-27 14:31:47.000000000 -0400
23528 +++ linux-2.6.32.43/arch/x86/vdso/vdso.lds.S 2011-06-06 17:35:35.000000000 -0400
23529 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
23530 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
23531 #include "vextern.h"
23532 #undef VEXTERN
23533 +
23534 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
23535 +VEXTERN(fallback_gettimeofday)
23536 +VEXTERN(fallback_time)
23537 +VEXTERN(getcpu)
23538 +#undef VEXTERN
23539 diff -urNp linux-2.6.32.43/arch/x86/vdso/vextern.h linux-2.6.32.43/arch/x86/vdso/vextern.h
23540 --- linux-2.6.32.43/arch/x86/vdso/vextern.h 2011-03-27 14:31:47.000000000 -0400
23541 +++ linux-2.6.32.43/arch/x86/vdso/vextern.h 2011-04-17 15:56:46.000000000 -0400
23542 @@ -11,6 +11,5 @@
23543 put into vextern.h and be referenced as a pointer with vdso prefix.
23544 The main kernel later fills in the values. */
23545
23546 -VEXTERN(jiffies)
23547 VEXTERN(vgetcpu_mode)
23548 VEXTERN(vsyscall_gtod_data)
23549 diff -urNp linux-2.6.32.43/arch/x86/vdso/vma.c linux-2.6.32.43/arch/x86/vdso/vma.c
23550 --- linux-2.6.32.43/arch/x86/vdso/vma.c 2011-03-27 14:31:47.000000000 -0400
23551 +++ linux-2.6.32.43/arch/x86/vdso/vma.c 2011-04-17 15:56:46.000000000 -0400
23552 @@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
23553 if (!vbase)
23554 goto oom;
23555
23556 - if (memcmp(vbase, "\177ELF", 4)) {
23557 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
23558 printk("VDSO: I'm broken; not ELF\n");
23559 vdso_enabled = 0;
23560 }
23561 @@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
23562 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
23563 #include "vextern.h"
23564 #undef VEXTERN
23565 + vunmap(vbase);
23566 return 0;
23567
23568 oom:
23569 @@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
23570 goto up_fail;
23571 }
23572
23573 - current->mm->context.vdso = (void *)addr;
23574 + current->mm->context.vdso = addr;
23575
23576 ret = install_special_mapping(mm, addr, vdso_size,
23577 VM_READ|VM_EXEC|
23578 @@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
23579 VM_ALWAYSDUMP,
23580 vdso_pages);
23581 if (ret) {
23582 - current->mm->context.vdso = NULL;
23583 + current->mm->context.vdso = 0;
23584 goto up_fail;
23585 }
23586
23587 @@ -132,10 +133,3 @@ up_fail:
23588 up_write(&mm->mmap_sem);
23589 return ret;
23590 }
23591 -
23592 -static __init int vdso_setup(char *s)
23593 -{
23594 - vdso_enabled = simple_strtoul(s, NULL, 0);
23595 - return 0;
23596 -}
23597 -__setup("vdso=", vdso_setup);
23598 diff -urNp linux-2.6.32.43/arch/x86/xen/enlighten.c linux-2.6.32.43/arch/x86/xen/enlighten.c
23599 --- linux-2.6.32.43/arch/x86/xen/enlighten.c 2011-03-27 14:31:47.000000000 -0400
23600 +++ linux-2.6.32.43/arch/x86/xen/enlighten.c 2011-05-22 23:02:03.000000000 -0400
23601 @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
23602
23603 struct shared_info xen_dummy_shared_info;
23604
23605 -void *xen_initial_gdt;
23606 -
23607 /*
23608 * Point at some empty memory to start with. We map the real shared_info
23609 * page as soon as fixmap is up and running.
23610 @@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
23611
23612 preempt_disable();
23613
23614 - start = __get_cpu_var(idt_desc).address;
23615 + start = (unsigned long)__get_cpu_var(idt_desc).address;
23616 end = start + __get_cpu_var(idt_desc).size + 1;
23617
23618 xen_mc_flush();
23619 @@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
23620 #endif
23621 };
23622
23623 -static void xen_reboot(int reason)
23624 +static __noreturn void xen_reboot(int reason)
23625 {
23626 struct sched_shutdown r = { .reason = reason };
23627
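Review bot: Marking xen_reboot() `__noreturn` is only sound if control can never reach the closing brace, and the statement between this hunk and the `BUG();` shown at the top of the next one is not visible. If that `BUG()` is still guarded by the result of the shutdown hypercall, a call that returns success makes a noreturn function return, which is undefined behaviour, and the same applies to the three wrappers annotated in the next hunk. Making the trap unconditional after the hypercall, i.e. the call as a plain statement followed by `BUG();`, would make the annotation true on every path. The function's body continues outside the hunk.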
23628 @@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
23629 BUG();
23630 }
23631
23632 -static void xen_restart(char *msg)
23633 +static __noreturn void xen_restart(char *msg)
23634 {
23635 xen_reboot(SHUTDOWN_reboot);
23636 }
23637
23638 -static void xen_emergency_restart(void)
23639 +static __noreturn void xen_emergency_restart(void)
23640 {
23641 xen_reboot(SHUTDOWN_reboot);
23642 }
23643
23644 -static void xen_machine_halt(void)
23645 +static __noreturn void xen_machine_halt(void)
23646 {
23647 xen_reboot(SHUTDOWN_poweroff);
23648 }
23649 @@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
23650 */
23651 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
23652
23653 -#ifdef CONFIG_X86_64
23654 /* Work out if we support NX */
23655 - check_efer();
23656 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23657 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
23658 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
23659 + unsigned l, h;
23660 +
23661 +#ifdef CONFIG_X86_PAE
23662 + nx_enabled = 1;
23663 +#endif
23664 + __supported_pte_mask |= _PAGE_NX;
23665 + rdmsr(MSR_EFER, l, h);
23666 + l |= EFER_NX;
23667 + wrmsr(MSR_EFER, l, h);
23668 + }
23669 #endif
23670
23671 xen_setup_features();
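Review bot: The open-coded NX probe reads `cpuid_edx(0x80000001)` after checking only that the value returned for leaf 0x80000000 lies in the 0x8000xxxx range. It never checks that the maximum extended leaf is at least 0x80000001, so on a CPU reporting exactly 0x80000000 the feature word would be read from an unsupported leaf. Adding `cpuid_eax(0x80000000) >= 0x80000001 &&` to the condition closes that gap. A short comment saying why this replaces `check_efer()` and why `nx_enabled` is set only under CONFIG_X86_PAE would also help. xen_start_kernel() starts and ends outside the hunk.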
23672 @@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
23673
23674 machine_ops = xen_machine_ops;
23675
23676 - /*
23677 - * The only reliable way to retain the initial address of the
23678 - * percpu gdt_page is to remember it here, so we can go and
23679 - * mark it RW later, when the initial percpu area is freed.
23680 - */
23681 - xen_initial_gdt = &per_cpu(gdt_page, 0);
23682 -
23683 xen_smp_init();
23684
23685 pgd = (pgd_t *)xen_start_info->pt_base;
23686 diff -urNp linux-2.6.32.43/arch/x86/xen/mmu.c linux-2.6.32.43/arch/x86/xen/mmu.c
23687 --- linux-2.6.32.43/arch/x86/xen/mmu.c 2011-07-13 17:23:04.000000000 -0400
23688 +++ linux-2.6.32.43/arch/x86/xen/mmu.c 2011-07-13 17:23:18.000000000 -0400
23689 @@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
23690 convert_pfn_mfn(init_level4_pgt);
23691 convert_pfn_mfn(level3_ident_pgt);
23692 convert_pfn_mfn(level3_kernel_pgt);
23693 + convert_pfn_mfn(level3_vmalloc_pgt);
23694 + convert_pfn_mfn(level3_vmemmap_pgt);
23695
23696 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
23697 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
23698 @@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
23699 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
23700 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
23701 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
23702 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
23703 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
23704 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
23705 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
23706 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
23707 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
23708
23709 diff -urNp linux-2.6.32.43/arch/x86/xen/smp.c linux-2.6.32.43/arch/x86/xen/smp.c
23710 --- linux-2.6.32.43/arch/x86/xen/smp.c 2011-03-27 14:31:47.000000000 -0400
23711 +++ linux-2.6.32.43/arch/x86/xen/smp.c 2011-05-11 18:25:15.000000000 -0400
23712 @@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
23713 {
23714 BUG_ON(smp_processor_id() != 0);
23715 native_smp_prepare_boot_cpu();
23716 -
23717 - /* We've switched to the "real" per-cpu gdt, so make sure the
23718 - old memory can be recycled */
23719 - make_lowmem_page_readwrite(xen_initial_gdt);
23720 -
23721 xen_setup_vcpu_info_placement();
23722 }
23723
23724 @@ -231,12 +226,12 @@ cpu_initialize_context(unsigned int cpu,
23725 gdt = get_cpu_gdt_table(cpu);
23726
23727 ctxt->flags = VGCF_IN_KERNEL;
23728 - ctxt->user_regs.ds = __USER_DS;
23729 - ctxt->user_regs.es = __USER_DS;
23730 + ctxt->user_regs.ds = __KERNEL_DS;
23731 + ctxt->user_regs.es = __KERNEL_DS;
23732 ctxt->user_regs.ss = __KERNEL_DS;
23733 #ifdef CONFIG_X86_32
23734 ctxt->user_regs.fs = __KERNEL_PERCPU;
23735 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
23736 + savesegment(gs, ctxt->user_regs.gs);
23737 #else
23738 ctxt->gs_base_kernel = per_cpu_offset(cpu);
23739 #endif
23740 @@ -287,13 +282,12 @@ static int __cpuinit xen_cpu_up(unsigned
23741 int rc;
23742
23743 per_cpu(current_task, cpu) = idle;
23744 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
23745 #ifdef CONFIG_X86_32
23746 irq_ctx_init(cpu);
23747 #else
23748 clear_tsk_thread_flag(idle, TIF_FORK);
23749 - per_cpu(kernel_stack, cpu) =
23750 - (unsigned long)task_stack_page(idle) -
23751 - KERNEL_STACK_OFFSET + THREAD_SIZE;
23752 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
23753 #endif
23754 xen_setup_runstate_info(cpu);
23755 xen_setup_timer(cpu);
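Review bot: The literal `16` in the new `per_cpu(kernel_stack, cpu)` assignment replaces the named `KERNEL_STACK_OFFSET` without explanation, so this value now has to be kept in step by hand with every other place that computes the same stack top. If the patch changes that offset elsewhere, keeping a named constant here would avoid a silent mismatch between Xen and native CPU bring-up. At minimum, add a comment such as `/* 16: must match the offset used wherever kernel_stack is initialised */`. xen_cpu_up() starts and ends outside the hunk.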
23756 diff -urNp linux-2.6.32.43/arch/x86/xen/xen-asm_32.S linux-2.6.32.43/arch/x86/xen/xen-asm_32.S
23757 --- linux-2.6.32.43/arch/x86/xen/xen-asm_32.S 2011-03-27 14:31:47.000000000 -0400
23758 +++ linux-2.6.32.43/arch/x86/xen/xen-asm_32.S 2011-04-22 19:13:13.000000000 -0400
23759 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
23760 ESP_OFFSET=4 # bytes pushed onto stack
23761
23762 /*
23763 - * Store vcpu_info pointer for easy access. Do it this way to
23764 - * avoid having to reload %fs
23765 + * Store vcpu_info pointer for easy access.
23766 */
23767 #ifdef CONFIG_SMP
23768 - GET_THREAD_INFO(%eax)
23769 - movl TI_cpu(%eax), %eax
23770 - movl __per_cpu_offset(,%eax,4), %eax
23771 - mov per_cpu__xen_vcpu(%eax), %eax
23772 + push %fs
23773 + mov $(__KERNEL_PERCPU), %eax
23774 + mov %eax, %fs
23775 + mov PER_CPU_VAR(xen_vcpu), %eax
23776 + pop %fs
23777 #else
23778 movl per_cpu__xen_vcpu, %eax
23779 #endif
23780 diff -urNp linux-2.6.32.43/arch/x86/xen/xen-head.S linux-2.6.32.43/arch/x86/xen/xen-head.S
23781 --- linux-2.6.32.43/arch/x86/xen/xen-head.S 2011-03-27 14:31:47.000000000 -0400
23782 +++ linux-2.6.32.43/arch/x86/xen/xen-head.S 2011-04-17 15:56:46.000000000 -0400
23783 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
23784 #ifdef CONFIG_X86_32
23785 mov %esi,xen_start_info
23786 mov $init_thread_union+THREAD_SIZE,%esp
23787 +#ifdef CONFIG_SMP
23788 + movl $cpu_gdt_table,%edi
23789 + movl $__per_cpu_load,%eax
23790 + movw %ax,__KERNEL_PERCPU + 2(%edi)
23791 + rorl $16,%eax
23792 + movb %al,__KERNEL_PERCPU + 4(%edi)
23793 + movb %ah,__KERNEL_PERCPU + 7(%edi)
23794 + movl $__per_cpu_end - 1,%eax
23795 + subl $__per_cpu_start,%eax
23796 + movw %ax,__KERNEL_PERCPU + 0(%edi)
23797 +#endif
23798 #else
23799 mov %rsi,xen_start_info
23800 mov $init_thread_union+THREAD_SIZE,%rsp
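Review bot: Only the low 16 bits of the computed segment limit are stored, by `movw %ax,__KERNEL_PERCPU + 0(%edi)`; limit bits 19:16, which live in byte 6 of a descriptor, keep whatever value cpu_gdt_table was built with. Whether that is correct depends on the size of the per-cpu area and on the granularity bit of the static descriptor, neither of which is visible here. A comment block naming the fields being patched (`+2` base 15:0, `+4` base 23:16, `+7` base 31:24, `+0` limit 15:0) and stating the size assumption would make the sequence checkable against the descriptor layout.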
23801 diff -urNp linux-2.6.32.43/arch/x86/xen/xen-ops.h linux-2.6.32.43/arch/x86/xen/xen-ops.h
23802 --- linux-2.6.32.43/arch/x86/xen/xen-ops.h 2011-03-27 14:31:47.000000000 -0400
23803 +++ linux-2.6.32.43/arch/x86/xen/xen-ops.h 2011-04-17 15:56:46.000000000 -0400
23804 @@ -10,8 +10,6 @@
23805 extern const char xen_hypervisor_callback[];
23806 extern const char xen_failsafe_callback[];
23807
23808 -extern void *xen_initial_gdt;
23809 -
23810 struct trap_info;
23811 void xen_copy_trap_info(struct trap_info *traps);
23812
23813 diff -urNp linux-2.6.32.43/block/blk-integrity.c linux-2.6.32.43/block/blk-integrity.c
23814 --- linux-2.6.32.43/block/blk-integrity.c 2011-03-27 14:31:47.000000000 -0400
23815 +++ linux-2.6.32.43/block/blk-integrity.c 2011-04-17 15:56:46.000000000 -0400
23816 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
23817 NULL,
23818 };
23819
23820 -static struct sysfs_ops integrity_ops = {
23821 +static const struct sysfs_ops integrity_ops = {
23822 .show = &integrity_attr_show,
23823 .store = &integrity_attr_store,
23824 };
23825 diff -urNp linux-2.6.32.43/block/blk-iopoll.c linux-2.6.32.43/block/blk-iopoll.c
23826 --- linux-2.6.32.43/block/blk-iopoll.c 2011-03-27 14:31:47.000000000 -0400
23827 +++ linux-2.6.32.43/block/blk-iopoll.c 2011-04-17 15:56:46.000000000 -0400
23828 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
23829 }
23830 EXPORT_SYMBOL(blk_iopoll_complete);
23831
23832 -static void blk_iopoll_softirq(struct softirq_action *h)
23833 +static void blk_iopoll_softirq(void)
23834 {
23835 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
23836 int rearm = 0, budget = blk_iopoll_budget;
23837 diff -urNp linux-2.6.32.43/block/blk-map.c linux-2.6.32.43/block/blk-map.c
23838 --- linux-2.6.32.43/block/blk-map.c 2011-03-27 14:31:47.000000000 -0400
23839 +++ linux-2.6.32.43/block/blk-map.c 2011-04-18 16:57:33.000000000 -0400
23840 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
23841 * direct dma. else, set up kernel bounce buffers
23842 */
23843 uaddr = (unsigned long) ubuf;
23844 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
23845 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
23846 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
23847 else
23848 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
23849 @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
23850 for (i = 0; i < iov_count; i++) {
23851 unsigned long uaddr = (unsigned long)iov[i].iov_base;
23852
23853 + if (!iov[i].iov_len)
23854 + return -EINVAL;
23855 +
23856 if (uaddr & queue_dma_alignment(q)) {
23857 unaligned = 1;
23858 break;
23859 }
23860 - if (!iov[i].iov_len)
23861 - return -EINVAL;
23862 }
23863
23864 if (unaligned || (q->dma_pad_mask & len) || map_data)
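Review bot: Moving the `iov_len` test ahead of the alignment test validates the current element, but the loop still executes `break` on the first unaligned address, so every later iovec entry goes unchecked for a zero length. To validate all segments the loop has to keep running: `if (uaddr & queue_dma_alignment(q)) unaligned = 1;` with the `break` removed. blk_rq_map_user_iov() starts and ends outside the hunk.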
23865 @@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
23866 if (!len || !kbuf)
23867 return -EINVAL;
23868
23869 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
23870 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
23871 if (do_copy)
23872 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
23873 else
23874 diff -urNp linux-2.6.32.43/block/blk-softirq.c linux-2.6.32.43/block/blk-softirq.c
23875 --- linux-2.6.32.43/block/blk-softirq.c 2011-03-27 14:31:47.000000000 -0400
23876 +++ linux-2.6.32.43/block/blk-softirq.c 2011-04-17 15:56:46.000000000 -0400
23877 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
23878 * Softirq action handler - move entries to local list and loop over them
23879 * while passing them to the queue registered handler.
23880 */
23881 -static void blk_done_softirq(struct softirq_action *h)
23882 +static void blk_done_softirq(void)
23883 {
23884 struct list_head *cpu_list, local_list;
23885
23886 diff -urNp linux-2.6.32.43/block/blk-sysfs.c linux-2.6.32.43/block/blk-sysfs.c
23887 --- linux-2.6.32.43/block/blk-sysfs.c 2011-05-10 22:12:01.000000000 -0400
23888 +++ linux-2.6.32.43/block/blk-sysfs.c 2011-05-10 22:12:26.000000000 -0400
23889 @@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
23890 kmem_cache_free(blk_requestq_cachep, q);
23891 }
23892
23893 -static struct sysfs_ops queue_sysfs_ops = {
23894 +static const struct sysfs_ops queue_sysfs_ops = {
23895 .show = queue_attr_show,
23896 .store = queue_attr_store,
23897 };
23898 diff -urNp linux-2.6.32.43/block/bsg.c linux-2.6.32.43/block/bsg.c
23899 --- linux-2.6.32.43/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
23900 +++ linux-2.6.32.43/block/bsg.c 2011-04-17 15:56:46.000000000 -0400
23901 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
23902 struct sg_io_v4 *hdr, struct bsg_device *bd,
23903 fmode_t has_write_perm)
23904 {
23905 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23906 + unsigned char *cmdptr;
23907 +
23908 if (hdr->request_len > BLK_MAX_CDB) {
23909 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
23910 if (!rq->cmd)
23911 return -ENOMEM;
23912 - }
23913 + cmdptr = rq->cmd;
23914 + } else
23915 + cmdptr = tmpcmd;
23916
23917 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
23918 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
23919 hdr->request_len))
23920 return -EFAULT;
23921
23922 + if (cmdptr != rq->cmd)
23923 + memcpy(rq->cmd, cmdptr, hdr->request_len);
23924 +
23925 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
23926 if (blk_verify_command(rq->cmd, has_write_perm))
23927 return -EPERM;
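Review bot: The on-stack bounce buffer is sized with `sizeof(rq->__cmd)` while the branch that selects it is keyed on `BLK_MAX_CDB`, so the copy into `tmpcmd` is bounded only if those two values agree. That relationship is declared outside this hunk; `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` at the top of the function would pin it at compile time. A one-line comment saying why the user copy is staged through the stack rather than written straight into the request would also help the next reader.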
23928 diff -urNp linux-2.6.32.43/block/elevator.c linux-2.6.32.43/block/elevator.c
23929 --- linux-2.6.32.43/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
23930 +++ linux-2.6.32.43/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
23931 @@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
23932 return error;
23933 }
23934
23935 -static struct sysfs_ops elv_sysfs_ops = {
23936 +static const struct sysfs_ops elv_sysfs_ops = {
23937 .show = elv_attr_show,
23938 .store = elv_attr_store,
23939 };
23940 diff -urNp linux-2.6.32.43/block/scsi_ioctl.c linux-2.6.32.43/block/scsi_ioctl.c
23941 --- linux-2.6.32.43/block/scsi_ioctl.c 2011-03-27 14:31:47.000000000 -0400
23942 +++ linux-2.6.32.43/block/scsi_ioctl.c 2011-04-23 13:28:22.000000000 -0400
23943 @@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
23944 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23945 struct sg_io_hdr *hdr, fmode_t mode)
23946 {
23947 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23948 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23949 + unsigned char *cmdptr;
23950 +
23951 + if (rq->cmd != rq->__cmd)
23952 + cmdptr = rq->cmd;
23953 + else
23954 + cmdptr = tmpcmd;
23955 +
23956 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23957 return -EFAULT;
23958 +
23959 + if (cmdptr != rq->cmd)
23960 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23961 +
23962 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23963 return -EPERM;
23964
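Review bot: When `rq->cmd == rq->__cmd`, the copy_from_user() in blk_fill_sghdr_rq() now targets the stack array `tmpcmd` with a length of `hdr->cmd_len`, and nothing in this function bounds that length against `sizeof(tmpcmd)`. The limit is presumably enforced by the caller before the request is set up, but an overrun that used to land inside the request structure would now land on the kernel stack. A local guard makes the function safe on its own: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The sg_scsi_ioctl() hunks below use the same staging pattern with `cmdlen` and deserve the same check. The function's body continues outside the hunk.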
23965 @@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
23966 int err;
23967 unsigned int in_len, out_len, bytes, opcode, cmdlen;
23968 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23969 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23970 + unsigned char *cmdptr;
23971
23972 if (!sic)
23973 return -EINVAL;
23974 @@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
23975 */
23976 err = -EFAULT;
23977 rq->cmd_len = cmdlen;
23978 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
23979 +
23980 + if (rq->cmd != rq->__cmd)
23981 + cmdptr = rq->cmd;
23982 + else
23983 + cmdptr = tmpcmd;
23984 +
23985 + if (copy_from_user(cmdptr, sic->data, cmdlen))
23986 goto error;
23987
23988 + if (rq->cmd != cmdptr)
23989 + memcpy(rq->cmd, cmdptr, cmdlen);
23990 +
23991 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23992 goto error;
23993
23994 diff -urNp linux-2.6.32.43/crypto/cryptd.c linux-2.6.32.43/crypto/cryptd.c
23995 --- linux-2.6.32.43/crypto/cryptd.c 2011-03-27 14:31:47.000000000 -0400
23996 +++ linux-2.6.32.43/crypto/cryptd.c 2011-08-05 20:33:55.000000000 -0400
23997 @@ -214,7 +214,7 @@ static int cryptd_blkcipher_enqueue(stru
23998 struct cryptd_queue *queue;
23999
24000 queue = cryptd_get_queue(crypto_ablkcipher_tfm(tfm));
24001 - rctx->complete = req->base.complete;
24002 + *(void **)&rctx->complete = req->base.complete;
24003 req->base.complete = complete;
24004
24005 return cryptd_enqueue_request(queue, &req->base);
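Review bot: The new assignment `*(void **)&rctx->complete = req->base.complete;` stores a function pointer through a `void **` alias, which discards the field's declared type and any qualifier on it. The compiler therefore no longer checks that the callback being saved has the signature the field expects. Nothing in the hunk says why the cast is needed; if the field is const-qualified elsewhere in the patch, a comment such as `/* complete is const-qualified; this is the only place it is written */` should say so. cryptd_blkcipher_enqueue() starts outside the hunk.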
24006 diff -urNp linux-2.6.32.43/crypto/gf128mul.c linux-2.6.32.43/crypto/gf128mul.c
24007 --- linux-2.6.32.43/crypto/gf128mul.c 2011-03-27 14:31:47.000000000 -0400
24008 +++ linux-2.6.32.43/crypto/gf128mul.c 2011-07-06 19:53:33.000000000 -0400
24009 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24010 for (i = 0; i < 7; ++i)
24011 gf128mul_x_lle(&p[i + 1], &p[i]);
24012
24013 - memset(r, 0, sizeof(r));
24014 + memset(r, 0, sizeof(*r));
24015 for (i = 0;;) {
24016 u8 ch = ((u8 *)b)[15 - i];
24017
24018 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24019 for (i = 0; i < 7; ++i)
24020 gf128mul_x_bbe(&p[i + 1], &p[i]);
24021
24022 - memset(r, 0, sizeof(r));
24023 + memset(r, 0, sizeof(*r));
24024 for (i = 0;;) {
24025 u8 ch = ((u8 *)b)[i];
24026
24027 diff -urNp linux-2.6.32.43/crypto/serpent.c linux-2.6.32.43/crypto/serpent.c
24028 --- linux-2.6.32.43/crypto/serpent.c 2011-03-27 14:31:47.000000000 -0400
24029 +++ linux-2.6.32.43/crypto/serpent.c 2011-05-16 21:46:57.000000000 -0400
24030 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
24031 u32 r0,r1,r2,r3,r4;
24032 int i;
24033
24034 + pax_track_stack();
24035 +
24036 /* Copy key, add padding */
24037
24038 for (i = 0; i < keylen; ++i)
24039 diff -urNp linux-2.6.32.43/Documentation/dontdiff linux-2.6.32.43/Documentation/dontdiff
24040 --- linux-2.6.32.43/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400
24041 +++ linux-2.6.32.43/Documentation/dontdiff 2011-05-18 20:09:36.000000000 -0400
24042 @@ -1,13 +1,16 @@
24043 *.a
24044 *.aux
24045 *.bin
24046 +*.cis
24047 *.cpio
24048 *.csp
24049 +*.dbg
24050 *.dsp
24051 *.dvi
24052 *.elf
24053 *.eps
24054 *.fw
24055 +*.gcno
24056 *.gen.S
24057 *.gif
24058 *.grep
24059 @@ -38,8 +41,10 @@
24060 *.tab.h
24061 *.tex
24062 *.ver
24063 +*.vim
24064 *.xml
24065 *_MODULES
24066 +*_reg_safe.h
24067 *_vga16.c
24068 *~
24069 *.9
24070 @@ -49,11 +54,16 @@
24071 53c700_d.h
24072 CVS
24073 ChangeSet
24074 +GPATH
24075 +GRTAGS
24076 +GSYMS
24077 +GTAGS
24078 Image
24079 Kerntypes
24080 Module.markers
24081 Module.symvers
24082 PENDING
24083 +PERF*
24084 SCCS
24085 System.map*
24086 TAGS
24087 @@ -76,7 +86,11 @@ btfixupprep
24088 build
24089 bvmlinux
24090 bzImage*
24091 +capability_names.h
24092 +capflags.c
24093 classlist.h*
24094 +clut_vga16.c
24095 +common-cmds.h
24096 comp*.log
24097 compile.h*
24098 conf
24099 @@ -103,13 +117,14 @@ gen_crc32table
24100 gen_init_cpio
24101 genksyms
24102 *_gray256.c
24103 +hash
24104 ihex2fw
24105 ikconfig.h*
24106 initramfs_data.cpio
24107 +initramfs_data.cpio.bz2
24108 initramfs_data.cpio.gz
24109 initramfs_list
24110 kallsyms
24111 -kconfig
24112 keywords.c
24113 ksym.c*
24114 ksym.h*
24115 @@ -133,7 +148,9 @@ mkboot
24116 mkbugboot
24117 mkcpustr
24118 mkdep
24119 +mkpiggy
24120 mkprep
24121 +mkregtable
24122 mktables
24123 mktree
24124 modpost
24125 @@ -149,6 +166,7 @@ patches*
24126 pca200e.bin
24127 pca200e_ecd.bin2
24128 piggy.gz
24129 +piggy.S
24130 piggyback
24131 pnmtologo
24132 ppc_defs.h*
24133 @@ -157,12 +175,15 @@ qconf
24134 raid6altivec*.c
24135 raid6int*.c
24136 raid6tables.c
24137 +regdb.c
24138 relocs
24139 +rlim_names.h
24140 series
24141 setup
24142 setup.bin
24143 setup.elf
24144 sImage
24145 +slabinfo
24146 sm_tbl*
24147 split-include
24148 syscalltab.h
24149 @@ -186,14 +207,20 @@ version.h*
24150 vmlinux
24151 vmlinux-*
24152 vmlinux.aout
24153 +vmlinux.bin.all
24154 +vmlinux.bin.bz2
24155 vmlinux.lds
24156 +vmlinux.relocs
24157 +voffset.h
24158 vsyscall.lds
24159 vsyscall_32.lds
24160 wanxlfw.inc
24161 uImage
24162 unifdef
24163 +utsrelease.h
24164 wakeup.bin
24165 wakeup.elf
24166 wakeup.lds
24167 zImage*
24168 zconf.hash.c
24169 +zoffset.h
24170 diff -urNp linux-2.6.32.43/Documentation/kernel-parameters.txt linux-2.6.32.43/Documentation/kernel-parameters.txt
24171 --- linux-2.6.32.43/Documentation/kernel-parameters.txt 2011-03-27 14:31:47.000000000 -0400
24172 +++ linux-2.6.32.43/Documentation/kernel-parameters.txt 2011-04-17 15:56:45.000000000 -0400
24173 @@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
24174 the specified number of seconds. This is to be used if
24175 your oopses keep scrolling off the screen.
24176
24177 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24178 + virtualization environments that don't cope well with the
24179 + expand down segment used by UDEREF on X86-32 or the frequent
24180 + page table updates on X86-64.
24181 +
24182 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24183 +
24184 pcbit= [HW,ISDN]
24185
24186 pcd. [PARIDE]
24187 diff -urNp linux-2.6.32.43/drivers/acpi/acpi_pad.c linux-2.6.32.43/drivers/acpi/acpi_pad.c
24188 --- linux-2.6.32.43/drivers/acpi/acpi_pad.c 2011-03-27 14:31:47.000000000 -0400
24189 +++ linux-2.6.32.43/drivers/acpi/acpi_pad.c 2011-04-17 15:56:46.000000000 -0400
24190 @@ -30,7 +30,7 @@
24191 #include <acpi/acpi_bus.h>
24192 #include <acpi/acpi_drivers.h>
24193
24194 -#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
24195 +#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
24196 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
24197 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
24198 static DEFINE_MUTEX(isolated_cpus_lock);
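Review bot: The shortened `ACPI_PROCESSOR_AGGREGATOR_CLASS` literal has no comment stating the length limit it now satisfies, so a later rename can silently reintroduce the problem. The old value is 20 characters, which presumably overran a fixed-size device-class buffer by its terminating NUL when copied; the copy site is outside this hunk, so that is an inference. I would add `/* must fit acpi_device_class, including the trailing NUL */` above the define, and bound the copy itself rather than rely on the literal. The `ACPI_SMB_HC_CLASS` change in drivers/acpi/sbshc.c has the same gap.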
24199 diff -urNp linux-2.6.32.43/drivers/acpi/battery.c linux-2.6.32.43/drivers/acpi/battery.c
24200 --- linux-2.6.32.43/drivers/acpi/battery.c 2011-03-27 14:31:47.000000000 -0400
24201 +++ linux-2.6.32.43/drivers/acpi/battery.c 2011-04-17 15:56:46.000000000 -0400
24202 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24203 }
24204
24205 static struct battery_file {
24206 - struct file_operations ops;
24207 + const struct file_operations ops;
24208 mode_t mode;
24209 const char *name;
24210 } acpi_battery_file[] = {
24211 diff -urNp linux-2.6.32.43/drivers/acpi/dock.c linux-2.6.32.43/drivers/acpi/dock.c
24212 --- linux-2.6.32.43/drivers/acpi/dock.c 2011-03-27 14:31:47.000000000 -0400
24213 +++ linux-2.6.32.43/drivers/acpi/dock.c 2011-04-17 15:56:46.000000000 -0400
24214 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24215 struct list_head list;
24216 struct list_head hotplug_list;
24217 acpi_handle handle;
24218 - struct acpi_dock_ops *ops;
24219 + const struct acpi_dock_ops *ops;
24220 void *context;
24221 };
24222
24223 @@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
24224 * the dock driver after _DCK is executed.
24225 */
24226 int
24227 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
24228 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
24229 void *context)
24230 {
24231 struct dock_dependent_device *dd;
24232 diff -urNp linux-2.6.32.43/drivers/acpi/osl.c linux-2.6.32.43/drivers/acpi/osl.c
24233 --- linux-2.6.32.43/drivers/acpi/osl.c 2011-03-27 14:31:47.000000000 -0400
24234 +++ linux-2.6.32.43/drivers/acpi/osl.c 2011-04-17 15:56:46.000000000 -0400
24235 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
24236 void __iomem *virt_addr;
24237
24238 virt_addr = ioremap(phys_addr, width);
24239 + if (!virt_addr)
24240 + return AE_NO_MEMORY;
24241 if (!value)
24242 value = &dummy;
24243
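Review bot: `ioremap(phys_addr, width)` still receives `width` as the mapping size, although the `switch (width)` with `case 8:` in the write path shows it is a bit count, so the mapping covers 8/16/32 bytes rather than 1/2/4. The new NULL check is correct, but it guards a mapping larger than the access, which can reach into the following page when the address sits near a page boundary; `virt_addr = ioremap(phys_addr, width / 8);` maps only what is read. The same applies to acpi_os_write_memory in the next hunk. Both function bodies continue outside their hunks.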
24244 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
24245 void __iomem *virt_addr;
24246
24247 virt_addr = ioremap(phys_addr, width);
24248 + if (!virt_addr)
24249 + return AE_NO_MEMORY;
24250
24251 switch (width) {
24252 case 8:
24253 diff -urNp linux-2.6.32.43/drivers/acpi/power_meter.c linux-2.6.32.43/drivers/acpi/power_meter.c
24254 --- linux-2.6.32.43/drivers/acpi/power_meter.c 2011-03-27 14:31:47.000000000 -0400
24255 +++ linux-2.6.32.43/drivers/acpi/power_meter.c 2011-04-17 15:56:46.000000000 -0400
24256 @@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
24257 return res;
24258
24259 temp /= 1000;
24260 - if (temp < 0)
24261 - return -EINVAL;
24262
24263 mutex_lock(&resource->lock);
24264 resource->trip[attr->index - 7] = temp;
24265 diff -urNp linux-2.6.32.43/drivers/acpi/proc.c linux-2.6.32.43/drivers/acpi/proc.c
24266 --- linux-2.6.32.43/drivers/acpi/proc.c 2011-03-27 14:31:47.000000000 -0400
24267 +++ linux-2.6.32.43/drivers/acpi/proc.c 2011-04-17 15:56:46.000000000 -0400
24268 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
24269 size_t count, loff_t * ppos)
24270 {
24271 struct list_head *node, *next;
24272 - char strbuf[5];
24273 - char str[5] = "";
24274 - unsigned int len = count;
24275 + char strbuf[5] = {0};
24276 struct acpi_device *found_dev = NULL;
24277
24278 - if (len > 4)
24279 - len = 4;
24280 - if (len < 0)
24281 - return -EFAULT;
24282 + if (count > 4)
24283 + count = 4;
24284
24285 - if (copy_from_user(strbuf, buffer, len))
24286 + if (copy_from_user(strbuf, buffer, count))
24287 return -EFAULT;
24288 - strbuf[len] = '\0';
24289 - sscanf(strbuf, "%s", str);
24290 + strbuf[count] = '\0';
24291
24292 mutex_lock(&acpi_device_lock);
24293 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
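Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means trailing whitespace is no longer stripped, so a write of a three-character name followed by a newline leaves the newline in `strbuf`, and the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk will not match if `bus_id` is NUL-terminated after three characters. Whether such short ids occur is not visible here, so this needs confirming against how `bus_id` is filled in. A one-line trim after the terminator keeps the old behaviour: `if (count && strbuf[count - 1] == '\n') strbuf[count - 1] = '\0';`. Clamping `count` itself instead of a local also changes the value returned to the caller if the function ends with `return count;`, which is outside the hunk.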
24294 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
24295 if (!dev->wakeup.flags.valid)
24296 continue;
24297
24298 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
24299 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
24300 dev->wakeup.state.enabled =
24301 dev->wakeup.state.enabled ? 0 : 1;
24302 found_dev = dev;
24303 diff -urNp linux-2.6.32.43/drivers/acpi/processor_core.c linux-2.6.32.43/drivers/acpi/processor_core.c
24304 --- linux-2.6.32.43/drivers/acpi/processor_core.c 2011-03-27 14:31:47.000000000 -0400
24305 +++ linux-2.6.32.43/drivers/acpi/processor_core.c 2011-04-17 15:56:46.000000000 -0400
24306 @@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
24307 return 0;
24308 }
24309
24310 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
24311 + BUG_ON(pr->id >= nr_cpu_ids);
24312
24313 /*
24314 * Buggy BIOS check
24315 diff -urNp linux-2.6.32.43/drivers/acpi/sbshc.c linux-2.6.32.43/drivers/acpi/sbshc.c
24316 --- linux-2.6.32.43/drivers/acpi/sbshc.c 2011-03-27 14:31:47.000000000 -0400
24317 +++ linux-2.6.32.43/drivers/acpi/sbshc.c 2011-04-17 15:56:46.000000000 -0400
24318 @@ -17,7 +17,7 @@
24319
24320 #define PREFIX "ACPI: "
24321
24322 -#define ACPI_SMB_HC_CLASS "smbus_host_controller"
24323 +#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
24324 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
24325
24326 struct acpi_smb_hc {
24327 diff -urNp linux-2.6.32.43/drivers/acpi/sleep.c linux-2.6.32.43/drivers/acpi/sleep.c
24328 --- linux-2.6.32.43/drivers/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
24329 +++ linux-2.6.32.43/drivers/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
24330 @@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
24331 }
24332 }
24333
24334 -static struct platform_suspend_ops acpi_suspend_ops = {
24335 +static const struct platform_suspend_ops acpi_suspend_ops = {
24336 .valid = acpi_suspend_state_valid,
24337 .begin = acpi_suspend_begin,
24338 .prepare_late = acpi_pm_prepare,
24339 @@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
24340 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
24341 * been requested.
24342 */
24343 -static struct platform_suspend_ops acpi_suspend_ops_old = {
24344 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
24345 .valid = acpi_suspend_state_valid,
24346 .begin = acpi_suspend_begin_old,
24347 .prepare_late = acpi_pm_disable_gpes,
24348 @@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
24349 acpi_enable_all_runtime_gpes();
24350 }
24351
24352 -static struct platform_hibernation_ops acpi_hibernation_ops = {
24353 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
24354 .begin = acpi_hibernation_begin,
24355 .end = acpi_pm_end,
24356 .pre_snapshot = acpi_hibernation_pre_snapshot,
24357 @@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
24358 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
24359 * been requested.
24360 */
24361 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
24362 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
24363 .begin = acpi_hibernation_begin_old,
24364 .end = acpi_pm_end,
24365 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
24366 diff -urNp linux-2.6.32.43/drivers/acpi/video.c linux-2.6.32.43/drivers/acpi/video.c
24367 --- linux-2.6.32.43/drivers/acpi/video.c 2011-03-27 14:31:47.000000000 -0400
24368 +++ linux-2.6.32.43/drivers/acpi/video.c 2011-04-17 15:56:46.000000000 -0400
24369 @@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
24370 vd->brightness->levels[request_level]);
24371 }
24372
24373 -static struct backlight_ops acpi_backlight_ops = {
24374 +static const struct backlight_ops acpi_backlight_ops = {
24375 .get_brightness = acpi_video_get_brightness,
24376 .update_status = acpi_video_set_brightness,
24377 };
24378 diff -urNp linux-2.6.32.43/drivers/ata/ahci.c linux-2.6.32.43/drivers/ata/ahci.c
24379 --- linux-2.6.32.43/drivers/ata/ahci.c 2011-03-27 14:31:47.000000000 -0400
24380 +++ linux-2.6.32.43/drivers/ata/ahci.c 2011-04-23 12:56:10.000000000 -0400
24381 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
24382 .sdev_attrs = ahci_sdev_attrs,
24383 };
24384
24385 -static struct ata_port_operations ahci_ops = {
24386 +static const struct ata_port_operations ahci_ops = {
24387 .inherits = &sata_pmp_port_ops,
24388
24389 .qc_defer = sata_pmp_qc_defer_cmd_switch,
24390 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
24391 .port_stop = ahci_port_stop,
24392 };
24393
24394 -static struct ata_port_operations ahci_vt8251_ops = {
24395 +static const struct ata_port_operations ahci_vt8251_ops = {
24396 .inherits = &ahci_ops,
24397 .hardreset = ahci_vt8251_hardreset,
24398 };
24399
24400 -static struct ata_port_operations ahci_p5wdh_ops = {
24401 +static const struct ata_port_operations ahci_p5wdh_ops = {
24402 .inherits = &ahci_ops,
24403 .hardreset = ahci_p5wdh_hardreset,
24404 };
24405
24406 -static struct ata_port_operations ahci_sb600_ops = {
24407 +static const struct ata_port_operations ahci_sb600_ops = {
24408 .inherits = &ahci_ops,
24409 .softreset = ahci_sb600_softreset,
24410 .pmp_softreset = ahci_sb600_softreset,
24411 diff -urNp linux-2.6.32.43/drivers/ata/ata_generic.c linux-2.6.32.43/drivers/ata/ata_generic.c
24412 --- linux-2.6.32.43/drivers/ata/ata_generic.c 2011-03-27 14:31:47.000000000 -0400
24413 +++ linux-2.6.32.43/drivers/ata/ata_generic.c 2011-04-17 15:56:46.000000000 -0400
24414 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
24415 ATA_BMDMA_SHT(DRV_NAME),
24416 };
24417
24418 -static struct ata_port_operations generic_port_ops = {
24419 +static const struct ata_port_operations generic_port_ops = {
24420 .inherits = &ata_bmdma_port_ops,
24421 .cable_detect = ata_cable_unknown,
24422 .set_mode = generic_set_mode,
24423 diff -urNp linux-2.6.32.43/drivers/ata/ata_piix.c linux-2.6.32.43/drivers/ata/ata_piix.c
24424 --- linux-2.6.32.43/drivers/ata/ata_piix.c 2011-03-27 14:31:47.000000000 -0400
24425 +++ linux-2.6.32.43/drivers/ata/ata_piix.c 2011-04-23 12:56:10.000000000 -0400
24426 @@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
24427 ATA_BMDMA_SHT(DRV_NAME),
24428 };
24429
24430 -static struct ata_port_operations piix_pata_ops = {
24431 +static const struct ata_port_operations piix_pata_ops = {
24432 .inherits = &ata_bmdma32_port_ops,
24433 .cable_detect = ata_cable_40wire,
24434 .set_piomode = piix_set_piomode,
24435 @@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
24436 .prereset = piix_pata_prereset,
24437 };
24438
24439 -static struct ata_port_operations piix_vmw_ops = {
24440 +static const struct ata_port_operations piix_vmw_ops = {
24441 .inherits = &piix_pata_ops,
24442 .bmdma_status = piix_vmw_bmdma_status,
24443 };
24444
24445 -static struct ata_port_operations ich_pata_ops = {
24446 +static const struct ata_port_operations ich_pata_ops = {
24447 .inherits = &piix_pata_ops,
24448 .cable_detect = ich_pata_cable_detect,
24449 .set_dmamode = ich_set_dmamode,
24450 };
24451
24452 -static struct ata_port_operations piix_sata_ops = {
24453 +static const struct ata_port_operations piix_sata_ops = {
24454 .inherits = &ata_bmdma_port_ops,
24455 };
24456
24457 -static struct ata_port_operations piix_sidpr_sata_ops = {
24458 +static const struct ata_port_operations piix_sidpr_sata_ops = {
24459 .inherits = &piix_sata_ops,
24460 .hardreset = sata_std_hardreset,
24461 .scr_read = piix_sidpr_scr_read,
24462 diff -urNp linux-2.6.32.43/drivers/ata/libata-acpi.c linux-2.6.32.43/drivers/ata/libata-acpi.c
24463 --- linux-2.6.32.43/drivers/ata/libata-acpi.c 2011-03-27 14:31:47.000000000 -0400
24464 +++ linux-2.6.32.43/drivers/ata/libata-acpi.c 2011-04-17 15:56:46.000000000 -0400
24465 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
24466 ata_acpi_uevent(dev->link->ap, dev, event);
24467 }
24468
24469 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24470 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24471 .handler = ata_acpi_dev_notify_dock,
24472 .uevent = ata_acpi_dev_uevent,
24473 };
24474
24475 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24476 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24477 .handler = ata_acpi_ap_notify_dock,
24478 .uevent = ata_acpi_ap_uevent,
24479 };
24480 diff -urNp linux-2.6.32.43/drivers/ata/libata-core.c linux-2.6.32.43/drivers/ata/libata-core.c
24481 --- linux-2.6.32.43/drivers/ata/libata-core.c 2011-03-27 14:31:47.000000000 -0400
24482 +++ linux-2.6.32.43/drivers/ata/libata-core.c 2011-08-05 20:33:55.000000000 -0400
24483 @@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
24484 struct ata_port *ap;
24485 unsigned int tag;
24486
24487 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24488 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24489 ap = qc->ap;
24490
24491 qc->flags = 0;
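Review bot: `BUG_ON(qc == NULL)` in ata_qc_free turns a condition that the retained comment says _might_ occur into an unconditional kernel stop, when all it protects is the `ap = qc->ap;` on the next line. Failing closed is better than dereferencing NULL, but a guard that warns and bails out keeps the machine running: `if (WARN_ON_ONCE(qc == NULL)) return;`. The same replacement is made in __ata_qc_complete in the next hunk. Both function bodies continue outside their hunks, so whether an early return is acceptable to the callers needs checking.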
24492 @@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
24493 struct ata_port *ap;
24494 struct ata_link *link;
24495
24496 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24497 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24498 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
24499 ap = qc->ap;
24500 link = qc->dev->link;
24501 @@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
24502 * LOCKING:
24503 * None.
24504 */
24505 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
24506 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
24507 {
24508 static DEFINE_SPINLOCK(lock);
24509 const struct ata_port_operations *cur;
24510 @@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
24511 return;
24512
24513 spin_lock(&lock);
24514 + pax_open_kernel();
24515
24516 for (cur = ops->inherits; cur; cur = cur->inherits) {
24517 void **inherit = (void **)cur;
24518 @@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
24519 if (IS_ERR(*pp))
24520 *pp = NULL;
24521
24522 - ops->inherits = NULL;
24523 + *(struct ata_port_operations **)&ops->inherits = NULL;
24524
24525 + pax_close_kernel();
24526 spin_unlock(&lock);
24527 }
24528
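Review bot: ata_finalize_port_ops now takes `const struct ata_port_operations *ops` yet still writes to the table, through the `*(struct ata_port_operations **)&ops->inherits = NULL;` cast here and, it appears, through the `void **` stores in the loop above. Nothing in the code says this is deliberate and only valid inside the `pax_open_kernel()` / `pax_close_kernel()` window. A comment at the open call such as `/* ops tables are read-only; this is the one place they are patched */` would keep a later cleanup from moving a write outside the window or adding a return that skips the close. The function starts in an earlier hunk and its loop body is not fully visible.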
24529 @@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
24530 */
24531 /* KILLME - the only user left is ipr */
24532 void ata_host_init(struct ata_host *host, struct device *dev,
24533 - unsigned long flags, struct ata_port_operations *ops)
24534 + unsigned long flags, const struct ata_port_operations *ops)
24535 {
24536 spin_lock_init(&host->lock);
24537 host->dev = dev;
24538 @@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
24539 /* truly dummy */
24540 }
24541
24542 -struct ata_port_operations ata_dummy_port_ops = {
24543 +const struct ata_port_operations ata_dummy_port_ops = {
24544 .qc_prep = ata_noop_qc_prep,
24545 .qc_issue = ata_dummy_qc_issue,
24546 .error_handler = ata_dummy_error_handler,
24547 diff -urNp linux-2.6.32.43/drivers/ata/libata-eh.c linux-2.6.32.43/drivers/ata/libata-eh.c
24548 --- linux-2.6.32.43/drivers/ata/libata-eh.c 2011-03-27 14:31:47.000000000 -0400
24549 +++ linux-2.6.32.43/drivers/ata/libata-eh.c 2011-05-16 21:46:57.000000000 -0400
24550 @@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
24551 {
24552 struct ata_link *link;
24553
24554 + pax_track_stack();
24555 +
24556 ata_for_each_link(link, ap, HOST_FIRST)
24557 ata_eh_link_report(link);
24558 }
24559 @@ -3590,7 +3592,7 @@ void ata_do_eh(struct ata_port *ap, ata_
24560 */
24561 void ata_std_error_handler(struct ata_port *ap)
24562 {
24563 - struct ata_port_operations *ops = ap->ops;
24564 + const struct ata_port_operations *ops = ap->ops;
24565 ata_reset_fn_t hardreset = ops->hardreset;
24566
24567 /* ignore built-in hardreset if SCR access is not available */
24568 diff -urNp linux-2.6.32.43/drivers/ata/libata-pmp.c linux-2.6.32.43/drivers/ata/libata-pmp.c
24569 --- linux-2.6.32.43/drivers/ata/libata-pmp.c 2011-03-27 14:31:47.000000000 -0400
24570 +++ linux-2.6.32.43/drivers/ata/libata-pmp.c 2011-04-17 15:56:46.000000000 -0400
24571 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
24572 */
24573 static int sata_pmp_eh_recover(struct ata_port *ap)
24574 {
24575 - struct ata_port_operations *ops = ap->ops;
24576 + const struct ata_port_operations *ops = ap->ops;
24577 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
24578 struct ata_link *pmp_link = &ap->link;
24579 struct ata_device *pmp_dev = pmp_link->device;
24580 diff -urNp linux-2.6.32.43/drivers/ata/pata_acpi.c linux-2.6.32.43/drivers/ata/pata_acpi.c
24581 --- linux-2.6.32.43/drivers/ata/pata_acpi.c 2011-03-27 14:31:47.000000000 -0400
24582 +++ linux-2.6.32.43/drivers/ata/pata_acpi.c 2011-04-17 15:56:46.000000000 -0400
24583 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
24584 ATA_BMDMA_SHT(DRV_NAME),
24585 };
24586
24587 -static struct ata_port_operations pacpi_ops = {
24588 +static const struct ata_port_operations pacpi_ops = {
24589 .inherits = &ata_bmdma_port_ops,
24590 .qc_issue = pacpi_qc_issue,
24591 .cable_detect = pacpi_cable_detect,
24592 diff -urNp linux-2.6.32.43/drivers/ata/pata_ali.c linux-2.6.32.43/drivers/ata/pata_ali.c
24593 --- linux-2.6.32.43/drivers/ata/pata_ali.c 2011-03-27 14:31:47.000000000 -0400
24594 +++ linux-2.6.32.43/drivers/ata/pata_ali.c 2011-04-17 15:56:46.000000000 -0400
24595 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
24596 * Port operations for PIO only ALi
24597 */
24598
24599 -static struct ata_port_operations ali_early_port_ops = {
24600 +static const struct ata_port_operations ali_early_port_ops = {
24601 .inherits = &ata_sff_port_ops,
24602 .cable_detect = ata_cable_40wire,
24603 .set_piomode = ali_set_piomode,
24604 @@ -382,7 +382,7 @@ static const struct ata_port_operations
24605 * Port operations for DMA capable ALi without cable
24606 * detect
24607 */
24608 -static struct ata_port_operations ali_20_port_ops = {
24609 +static const struct ata_port_operations ali_20_port_ops = {
24610 .inherits = &ali_dma_base_ops,
24611 .cable_detect = ata_cable_40wire,
24612 .mode_filter = ali_20_filter,
24613 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
24614 /*
24615 * Port operations for DMA capable ALi with cable detect
24616 */
24617 -static struct ata_port_operations ali_c2_port_ops = {
24618 +static const struct ata_port_operations ali_c2_port_ops = {
24619 .inherits = &ali_dma_base_ops,
24620 .check_atapi_dma = ali_check_atapi_dma,
24621 .cable_detect = ali_c2_cable_detect,
24622 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
24623 /*
24624 * Port operations for DMA capable ALi with cable detect
24625 */
24626 -static struct ata_port_operations ali_c4_port_ops = {
24627 +static const struct ata_port_operations ali_c4_port_ops = {
24628 .inherits = &ali_dma_base_ops,
24629 .check_atapi_dma = ali_check_atapi_dma,
24630 .cable_detect = ali_c2_cable_detect,
24631 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
24632 /*
24633 * Port operations for DMA capable ALi with cable detect and LBA48
24634 */
24635 -static struct ata_port_operations ali_c5_port_ops = {
24636 +static const struct ata_port_operations ali_c5_port_ops = {
24637 .inherits = &ali_dma_base_ops,
24638 .check_atapi_dma = ali_check_atapi_dma,
24639 .dev_config = ali_warn_atapi_dma,
24640 diff -urNp linux-2.6.32.43/drivers/ata/pata_amd.c linux-2.6.32.43/drivers/ata/pata_amd.c
24641 --- linux-2.6.32.43/drivers/ata/pata_amd.c 2011-03-27 14:31:47.000000000 -0400
24642 +++ linux-2.6.32.43/drivers/ata/pata_amd.c 2011-04-17 15:56:46.000000000 -0400
24643 @@ -397,28 +397,28 @@ static const struct ata_port_operations
24644 .prereset = amd_pre_reset,
24645 };
24646
24647 -static struct ata_port_operations amd33_port_ops = {
24648 +static const struct ata_port_operations amd33_port_ops = {
24649 .inherits = &amd_base_port_ops,
24650 .cable_detect = ata_cable_40wire,
24651 .set_piomode = amd33_set_piomode,
24652 .set_dmamode = amd33_set_dmamode,
24653 };
24654
24655 -static struct ata_port_operations amd66_port_ops = {
24656 +static const struct ata_port_operations amd66_port_ops = {
24657 .inherits = &amd_base_port_ops,
24658 .cable_detect = ata_cable_unknown,
24659 .set_piomode = amd66_set_piomode,
24660 .set_dmamode = amd66_set_dmamode,
24661 };
24662
24663 -static struct ata_port_operations amd100_port_ops = {
24664 +static const struct ata_port_operations amd100_port_ops = {
24665 .inherits = &amd_base_port_ops,
24666 .cable_detect = ata_cable_unknown,
24667 .set_piomode = amd100_set_piomode,
24668 .set_dmamode = amd100_set_dmamode,
24669 };
24670
24671 -static struct ata_port_operations amd133_port_ops = {
24672 +static const struct ata_port_operations amd133_port_ops = {
24673 .inherits = &amd_base_port_ops,
24674 .cable_detect = amd_cable_detect,
24675 .set_piomode = amd133_set_piomode,
24676 @@ -433,13 +433,13 @@ static const struct ata_port_operations
24677 .host_stop = nv_host_stop,
24678 };
24679
24680 -static struct ata_port_operations nv100_port_ops = {
24681 +static const struct ata_port_operations nv100_port_ops = {
24682 .inherits = &nv_base_port_ops,
24683 .set_piomode = nv100_set_piomode,
24684 .set_dmamode = nv100_set_dmamode,
24685 };
24686
24687 -static struct ata_port_operations nv133_port_ops = {
24688 +static const struct ata_port_operations nv133_port_ops = {
24689 .inherits = &nv_base_port_ops,
24690 .set_piomode = nv133_set_piomode,
24691 .set_dmamode = nv133_set_dmamode,
24692 diff -urNp linux-2.6.32.43/drivers/ata/pata_artop.c linux-2.6.32.43/drivers/ata/pata_artop.c
24693 --- linux-2.6.32.43/drivers/ata/pata_artop.c 2011-03-27 14:31:47.000000000 -0400
24694 +++ linux-2.6.32.43/drivers/ata/pata_artop.c 2011-04-17 15:56:46.000000000 -0400
24695 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
24696 ATA_BMDMA_SHT(DRV_NAME),
24697 };
24698
24699 -static struct ata_port_operations artop6210_ops = {
24700 +static const struct ata_port_operations artop6210_ops = {
24701 .inherits = &ata_bmdma_port_ops,
24702 .cable_detect = ata_cable_40wire,
24703 .set_piomode = artop6210_set_piomode,
24704 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
24705 .qc_defer = artop6210_qc_defer,
24706 };
24707
24708 -static struct ata_port_operations artop6260_ops = {
24709 +static const struct ata_port_operations artop6260_ops = {
24710 .inherits = &ata_bmdma_port_ops,
24711 .cable_detect = artop6260_cable_detect,
24712 .set_piomode = artop6260_set_piomode,
24713 diff -urNp linux-2.6.32.43/drivers/ata/pata_at32.c linux-2.6.32.43/drivers/ata/pata_at32.c
24714 --- linux-2.6.32.43/drivers/ata/pata_at32.c 2011-03-27 14:31:47.000000000 -0400
24715 +++ linux-2.6.32.43/drivers/ata/pata_at32.c 2011-04-17 15:56:46.000000000 -0400
24716 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
24717 ATA_PIO_SHT(DRV_NAME),
24718 };
24719
24720 -static struct ata_port_operations at32_port_ops = {
24721 +static const struct ata_port_operations at32_port_ops = {
24722 .inherits = &ata_sff_port_ops,
24723 .cable_detect = ata_cable_40wire,
24724 .set_piomode = pata_at32_set_piomode,
24725 diff -urNp linux-2.6.32.43/drivers/ata/pata_at91.c linux-2.6.32.43/drivers/ata/pata_at91.c
24726 --- linux-2.6.32.43/drivers/ata/pata_at91.c 2011-03-27 14:31:47.000000000 -0400
24727 +++ linux-2.6.32.43/drivers/ata/pata_at91.c 2011-04-17 15:56:46.000000000 -0400
24728 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
24729 ATA_PIO_SHT(DRV_NAME),
24730 };
24731
24732 -static struct ata_port_operations pata_at91_port_ops = {
24733 +static const struct ata_port_operations pata_at91_port_ops = {
24734 .inherits = &ata_sff_port_ops,
24735
24736 .sff_data_xfer = pata_at91_data_xfer_noirq,
24737 diff -urNp linux-2.6.32.43/drivers/ata/pata_atiixp.c linux-2.6.32.43/drivers/ata/pata_atiixp.c
24738 --- linux-2.6.32.43/drivers/ata/pata_atiixp.c 2011-03-27 14:31:47.000000000 -0400
24739 +++ linux-2.6.32.43/drivers/ata/pata_atiixp.c 2011-04-17 15:56:46.000000000 -0400
24740 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
24741 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
24742 };
24743
24744 -static struct ata_port_operations atiixp_port_ops = {
24745 +static const struct ata_port_operations atiixp_port_ops = {
24746 .inherits = &ata_bmdma_port_ops,
24747
24748 .qc_prep = ata_sff_dumb_qc_prep,
24749 diff -urNp linux-2.6.32.43/drivers/ata/pata_atp867x.c linux-2.6.32.43/drivers/ata/pata_atp867x.c
24750 --- linux-2.6.32.43/drivers/ata/pata_atp867x.c 2011-03-27 14:31:47.000000000 -0400
24751 +++ linux-2.6.32.43/drivers/ata/pata_atp867x.c 2011-04-17 15:56:46.000000000 -0400
24752 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
24753 ATA_BMDMA_SHT(DRV_NAME),
24754 };
24755
24756 -static struct ata_port_operations atp867x_ops = {
24757 +static const struct ata_port_operations atp867x_ops = {
24758 .inherits = &ata_bmdma_port_ops,
24759 .cable_detect = atp867x_cable_detect,
24760 .set_piomode = atp867x_set_piomode,
24761 diff -urNp linux-2.6.32.43/drivers/ata/pata_bf54x.c linux-2.6.32.43/drivers/ata/pata_bf54x.c
24762 --- linux-2.6.32.43/drivers/ata/pata_bf54x.c 2011-03-27 14:31:47.000000000 -0400
24763 +++ linux-2.6.32.43/drivers/ata/pata_bf54x.c 2011-04-17 15:56:46.000000000 -0400
24764 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
24765 .dma_boundary = ATA_DMA_BOUNDARY,
24766 };
24767
24768 -static struct ata_port_operations bfin_pata_ops = {
24769 +static const struct ata_port_operations bfin_pata_ops = {
24770 .inherits = &ata_sff_port_ops,
24771
24772 .set_piomode = bfin_set_piomode,
24773 diff -urNp linux-2.6.32.43/drivers/ata/pata_cmd640.c linux-2.6.32.43/drivers/ata/pata_cmd640.c
24774 --- linux-2.6.32.43/drivers/ata/pata_cmd640.c 2011-03-27 14:31:47.000000000 -0400
24775 +++ linux-2.6.32.43/drivers/ata/pata_cmd640.c 2011-04-17 15:56:46.000000000 -0400
24776 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
24777 ATA_BMDMA_SHT(DRV_NAME),
24778 };
24779
24780 -static struct ata_port_operations cmd640_port_ops = {
24781 +static const struct ata_port_operations cmd640_port_ops = {
24782 .inherits = &ata_bmdma_port_ops,
24783 /* In theory xfer_noirq is not needed once we kill the prefetcher */
24784 .sff_data_xfer = ata_sff_data_xfer_noirq,
24785 diff -urNp linux-2.6.32.43/drivers/ata/pata_cmd64x.c linux-2.6.32.43/drivers/ata/pata_cmd64x.c
24786 --- linux-2.6.32.43/drivers/ata/pata_cmd64x.c 2011-06-25 12:55:34.000000000 -0400
24787 +++ linux-2.6.32.43/drivers/ata/pata_cmd64x.c 2011-06-25 12:56:37.000000000 -0400
24788 @@ -271,18 +271,18 @@ static const struct ata_port_operations
24789 .set_dmamode = cmd64x_set_dmamode,
24790 };
24791
24792 -static struct ata_port_operations cmd64x_port_ops = {
24793 +static const struct ata_port_operations cmd64x_port_ops = {
24794 .inherits = &cmd64x_base_ops,
24795 .cable_detect = ata_cable_40wire,
24796 };
24797
24798 -static struct ata_port_operations cmd646r1_port_ops = {
24799 +static const struct ata_port_operations cmd646r1_port_ops = {
24800 .inherits = &cmd64x_base_ops,
24801 .bmdma_stop = cmd646r1_bmdma_stop,
24802 .cable_detect = ata_cable_40wire,
24803 };
24804
24805 -static struct ata_port_operations cmd648_port_ops = {
24806 +static const struct ata_port_operations cmd648_port_ops = {
24807 .inherits = &cmd64x_base_ops,
24808 .bmdma_stop = cmd648_bmdma_stop,
24809 .cable_detect = cmd648_cable_detect,
24810 diff -urNp linux-2.6.32.43/drivers/ata/pata_cs5520.c linux-2.6.32.43/drivers/ata/pata_cs5520.c
24811 --- linux-2.6.32.43/drivers/ata/pata_cs5520.c 2011-03-27 14:31:47.000000000 -0400
24812 +++ linux-2.6.32.43/drivers/ata/pata_cs5520.c 2011-04-17 15:56:46.000000000 -0400
24813 @@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
24814 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
24815 };
24816
24817 -static struct ata_port_operations cs5520_port_ops = {
24818 +static const struct ata_port_operations cs5520_port_ops = {
24819 .inherits = &ata_bmdma_port_ops,
24820 .qc_prep = ata_sff_dumb_qc_prep,
24821 .cable_detect = ata_cable_40wire,
24822 diff -urNp linux-2.6.32.43/drivers/ata/pata_cs5530.c linux-2.6.32.43/drivers/ata/pata_cs5530.c
24823 --- linux-2.6.32.43/drivers/ata/pata_cs5530.c 2011-03-27 14:31:47.000000000 -0400
24824 +++ linux-2.6.32.43/drivers/ata/pata_cs5530.c 2011-04-17 15:56:46.000000000 -0400
24825 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
24826 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
24827 };
24828
24829 -static struct ata_port_operations cs5530_port_ops = {
24830 +static const struct ata_port_operations cs5530_port_ops = {
24831 .inherits = &ata_bmdma_port_ops,
24832
24833 .qc_prep = ata_sff_dumb_qc_prep,
24834 diff -urNp linux-2.6.32.43/drivers/ata/pata_cs5535.c linux-2.6.32.43/drivers/ata/pata_cs5535.c
24835 --- linux-2.6.32.43/drivers/ata/pata_cs5535.c 2011-03-27 14:31:47.000000000 -0400
24836 +++ linux-2.6.32.43/drivers/ata/pata_cs5535.c 2011-04-17 15:56:46.000000000 -0400
24837 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
24838 ATA_BMDMA_SHT(DRV_NAME),
24839 };
24840
24841 -static struct ata_port_operations cs5535_port_ops = {
24842 +static const struct ata_port_operations cs5535_port_ops = {
24843 .inherits = &ata_bmdma_port_ops,
24844 .cable_detect = cs5535_cable_detect,
24845 .set_piomode = cs5535_set_piomode,
24846 diff -urNp linux-2.6.32.43/drivers/ata/pata_cs5536.c linux-2.6.32.43/drivers/ata/pata_cs5536.c
24847 --- linux-2.6.32.43/drivers/ata/pata_cs5536.c 2011-03-27 14:31:47.000000000 -0400
24848 +++ linux-2.6.32.43/drivers/ata/pata_cs5536.c 2011-04-17 15:56:46.000000000 -0400
24849 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
24850 ATA_BMDMA_SHT(DRV_NAME),
24851 };
24852
24853 -static struct ata_port_operations cs5536_port_ops = {
24854 +static const struct ata_port_operations cs5536_port_ops = {
24855 .inherits = &ata_bmdma_port_ops,
24856 .cable_detect = cs5536_cable_detect,
24857 .set_piomode = cs5536_set_piomode,
24858 diff -urNp linux-2.6.32.43/drivers/ata/pata_cypress.c linux-2.6.32.43/drivers/ata/pata_cypress.c
24859 --- linux-2.6.32.43/drivers/ata/pata_cypress.c 2011-03-27 14:31:47.000000000 -0400
24860 +++ linux-2.6.32.43/drivers/ata/pata_cypress.c 2011-04-17 15:56:46.000000000 -0400
24861 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
24862 ATA_BMDMA_SHT(DRV_NAME),
24863 };
24864
24865 -static struct ata_port_operations cy82c693_port_ops = {
24866 +static const struct ata_port_operations cy82c693_port_ops = {
24867 .inherits = &ata_bmdma_port_ops,
24868 .cable_detect = ata_cable_40wire,
24869 .set_piomode = cy82c693_set_piomode,
24870 diff -urNp linux-2.6.32.43/drivers/ata/pata_efar.c linux-2.6.32.43/drivers/ata/pata_efar.c
24871 --- linux-2.6.32.43/drivers/ata/pata_efar.c 2011-03-27 14:31:47.000000000 -0400
24872 +++ linux-2.6.32.43/drivers/ata/pata_efar.c 2011-04-17 15:56:46.000000000 -0400
24873 @@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
24874 ATA_BMDMA_SHT(DRV_NAME),
24875 };
24876
24877 -static struct ata_port_operations efar_ops = {
24878 +static const struct ata_port_operations efar_ops = {
24879 .inherits = &ata_bmdma_port_ops,
24880 .cable_detect = efar_cable_detect,
24881 .set_piomode = efar_set_piomode,
24882 diff -urNp linux-2.6.32.43/drivers/ata/pata_hpt366.c linux-2.6.32.43/drivers/ata/pata_hpt366.c
24883 --- linux-2.6.32.43/drivers/ata/pata_hpt366.c 2011-06-25 12:55:34.000000000 -0400
24884 +++ linux-2.6.32.43/drivers/ata/pata_hpt366.c 2011-06-25 12:56:37.000000000 -0400
24885 @@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
24886 * Configuration for HPT366/68
24887 */
24888
24889 -static struct ata_port_operations hpt366_port_ops = {
24890 +static const struct ata_port_operations hpt366_port_ops = {
24891 .inherits = &ata_bmdma_port_ops,
24892 .cable_detect = hpt36x_cable_detect,
24893 .mode_filter = hpt366_filter,
24894 diff -urNp linux-2.6.32.43/drivers/ata/pata_hpt37x.c linux-2.6.32.43/drivers/ata/pata_hpt37x.c
24895 --- linux-2.6.32.43/drivers/ata/pata_hpt37x.c 2011-06-25 12:55:34.000000000 -0400
24896 +++ linux-2.6.32.43/drivers/ata/pata_hpt37x.c 2011-06-25 12:56:37.000000000 -0400
24897 @@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
24898 * Configuration for HPT370
24899 */
24900
24901 -static struct ata_port_operations hpt370_port_ops = {
24902 +static const struct ata_port_operations hpt370_port_ops = {
24903 .inherits = &ata_bmdma_port_ops,
24904
24905 .bmdma_stop = hpt370_bmdma_stop,
24906 @@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
24907 * Configuration for HPT370A. Close to 370 but less filters
24908 */
24909
24910 -static struct ata_port_operations hpt370a_port_ops = {
24911 +static const struct ata_port_operations hpt370a_port_ops = {
24912 .inherits = &hpt370_port_ops,
24913 .mode_filter = hpt370a_filter,
24914 };
24915 @@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
24916 * and DMA mode setting functionality.
24917 */
24918
24919 -static struct ata_port_operations hpt372_port_ops = {
24920 +static const struct ata_port_operations hpt372_port_ops = {
24921 .inherits = &ata_bmdma_port_ops,
24922
24923 .bmdma_stop = hpt37x_bmdma_stop,
24924 @@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
24925 * but we have a different cable detection procedure for function 1.
24926 */
24927
24928 -static struct ata_port_operations hpt374_fn1_port_ops = {
24929 +static const struct ata_port_operations hpt374_fn1_port_ops = {
24930 .inherits = &hpt372_port_ops,
24931 .prereset = hpt374_fn1_pre_reset,
24932 };
24933 diff -urNp linux-2.6.32.43/drivers/ata/pata_hpt3x2n.c linux-2.6.32.43/drivers/ata/pata_hpt3x2n.c
24934 --- linux-2.6.32.43/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:55:34.000000000 -0400
24935 +++ linux-2.6.32.43/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:56:37.000000000 -0400
24936 @@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
24937 * Configuration for HPT3x2n.
24938 */
24939
24940 -static struct ata_port_operations hpt3x2n_port_ops = {
24941 +static const struct ata_port_operations hpt3x2n_port_ops = {
24942 .inherits = &ata_bmdma_port_ops,
24943
24944 .bmdma_stop = hpt3x2n_bmdma_stop,
24945 diff -urNp linux-2.6.32.43/drivers/ata/pata_hpt3x3.c linux-2.6.32.43/drivers/ata/pata_hpt3x3.c
24946 --- linux-2.6.32.43/drivers/ata/pata_hpt3x3.c 2011-03-27 14:31:47.000000000 -0400
24947 +++ linux-2.6.32.43/drivers/ata/pata_hpt3x3.c 2011-04-17 15:56:46.000000000 -0400
24948 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
24949 ATA_BMDMA_SHT(DRV_NAME),
24950 };
24951
24952 -static struct ata_port_operations hpt3x3_port_ops = {
24953 +static const struct ata_port_operations hpt3x3_port_ops = {
24954 .inherits = &ata_bmdma_port_ops,
24955 .cable_detect = ata_cable_40wire,
24956 .set_piomode = hpt3x3_set_piomode,
24957 diff -urNp linux-2.6.32.43/drivers/ata/pata_icside.c linux-2.6.32.43/drivers/ata/pata_icside.c
24958 --- linux-2.6.32.43/drivers/ata/pata_icside.c 2011-03-27 14:31:47.000000000 -0400
24959 +++ linux-2.6.32.43/drivers/ata/pata_icside.c 2011-04-17 15:56:46.000000000 -0400
24960 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
24961 }
24962 }
24963
24964 -static struct ata_port_operations pata_icside_port_ops = {
24965 +static const struct ata_port_operations pata_icside_port_ops = {
24966 .inherits = &ata_sff_port_ops,
24967 /* no need to build any PRD tables for DMA */
24968 .qc_prep = ata_noop_qc_prep,
24969 diff -urNp linux-2.6.32.43/drivers/ata/pata_isapnp.c linux-2.6.32.43/drivers/ata/pata_isapnp.c
24970 --- linux-2.6.32.43/drivers/ata/pata_isapnp.c 2011-03-27 14:31:47.000000000 -0400
24971 +++ linux-2.6.32.43/drivers/ata/pata_isapnp.c 2011-04-17 15:56:46.000000000 -0400
24972 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
24973 ATA_PIO_SHT(DRV_NAME),
24974 };
24975
24976 -static struct ata_port_operations isapnp_port_ops = {
24977 +static const struct ata_port_operations isapnp_port_ops = {
24978 .inherits = &ata_sff_port_ops,
24979 .cable_detect = ata_cable_40wire,
24980 };
24981
24982 -static struct ata_port_operations isapnp_noalt_port_ops = {
24983 +static const struct ata_port_operations isapnp_noalt_port_ops = {
24984 .inherits = &ata_sff_port_ops,
24985 .cable_detect = ata_cable_40wire,
24986 /* No altstatus so we don't want to use the lost interrupt poll */
24987 diff -urNp linux-2.6.32.43/drivers/ata/pata_it8213.c linux-2.6.32.43/drivers/ata/pata_it8213.c
24988 --- linux-2.6.32.43/drivers/ata/pata_it8213.c 2011-03-27 14:31:47.000000000 -0400
24989 +++ linux-2.6.32.43/drivers/ata/pata_it8213.c 2011-04-17 15:56:46.000000000 -0400
24990 @@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
24991 };
24992
24993
24994 -static struct ata_port_operations it8213_ops = {
24995 +static const struct ata_port_operations it8213_ops = {
24996 .inherits = &ata_bmdma_port_ops,
24997 .cable_detect = it8213_cable_detect,
24998 .set_piomode = it8213_set_piomode,
24999 diff -urNp linux-2.6.32.43/drivers/ata/pata_it821x.c linux-2.6.32.43/drivers/ata/pata_it821x.c
25000 --- linux-2.6.32.43/drivers/ata/pata_it821x.c 2011-03-27 14:31:47.000000000 -0400
25001 +++ linux-2.6.32.43/drivers/ata/pata_it821x.c 2011-04-17 15:56:46.000000000 -0400
25002 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
25003 ATA_BMDMA_SHT(DRV_NAME),
25004 };
25005
25006 -static struct ata_port_operations it821x_smart_port_ops = {
25007 +static const struct ata_port_operations it821x_smart_port_ops = {
25008 .inherits = &ata_bmdma_port_ops,
25009
25010 .check_atapi_dma= it821x_check_atapi_dma,
25011 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
25012 .port_start = it821x_port_start,
25013 };
25014
25015 -static struct ata_port_operations it821x_passthru_port_ops = {
25016 +static const struct ata_port_operations it821x_passthru_port_ops = {
25017 .inherits = &ata_bmdma_port_ops,
25018
25019 .check_atapi_dma= it821x_check_atapi_dma,
25020 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
25021 .port_start = it821x_port_start,
25022 };
25023
25024 -static struct ata_port_operations it821x_rdc_port_ops = {
25025 +static const struct ata_port_operations it821x_rdc_port_ops = {
25026 .inherits = &ata_bmdma_port_ops,
25027
25028 .check_atapi_dma= it821x_check_atapi_dma,
25029 diff -urNp linux-2.6.32.43/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.43/drivers/ata/pata_ixp4xx_cf.c
25030 --- linux-2.6.32.43/drivers/ata/pata_ixp4xx_cf.c 2011-03-27 14:31:47.000000000 -0400
25031 +++ linux-2.6.32.43/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:56:46.000000000 -0400
25032 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25033 ATA_PIO_SHT(DRV_NAME),
25034 };
25035
25036 -static struct ata_port_operations ixp4xx_port_ops = {
25037 +static const struct ata_port_operations ixp4xx_port_ops = {
25038 .inherits = &ata_sff_port_ops,
25039 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25040 .cable_detect = ata_cable_40wire,
25041 diff -urNp linux-2.6.32.43/drivers/ata/pata_jmicron.c linux-2.6.32.43/drivers/ata/pata_jmicron.c
25042 --- linux-2.6.32.43/drivers/ata/pata_jmicron.c 2011-03-27 14:31:47.000000000 -0400
25043 +++ linux-2.6.32.43/drivers/ata/pata_jmicron.c 2011-04-17 15:56:46.000000000 -0400
25044 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25045 ATA_BMDMA_SHT(DRV_NAME),
25046 };
25047
25048 -static struct ata_port_operations jmicron_ops = {
25049 +static const struct ata_port_operations jmicron_ops = {
25050 .inherits = &ata_bmdma_port_ops,
25051 .prereset = jmicron_pre_reset,
25052 };
25053 diff -urNp linux-2.6.32.43/drivers/ata/pata_legacy.c linux-2.6.32.43/drivers/ata/pata_legacy.c
25054 --- linux-2.6.32.43/drivers/ata/pata_legacy.c 2011-03-27 14:31:47.000000000 -0400
25055 +++ linux-2.6.32.43/drivers/ata/pata_legacy.c 2011-04-17 15:56:46.000000000 -0400
25056 @@ -106,7 +106,7 @@ struct legacy_probe {
25057
25058 struct legacy_controller {
25059 const char *name;
25060 - struct ata_port_operations *ops;
25061 + const struct ata_port_operations *ops;
25062 unsigned int pio_mask;
25063 unsigned int flags;
25064 unsigned int pflags;
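Review bot: Const-qualifying `legacy_controller.ops` protects the tables only if every consumer of the pointer is const-correct as well. `legacy_init_one` (the `-978` hunk further down) copies it into a local and, outside that hunk, presumably hands it to the port, so the port's own `ops` member has to be `const struct ata_port_operations *` too or the assignment discards the qualifier. Confirm that no cast was needed in this file to make it compile. The same check applies to the local `ops` in `pcmcia_init_one` in pata_pcmcia.c. The struct definition continues past the end of this hunk.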
25065 @@ -223,12 +223,12 @@ static const struct ata_port_operations
25066 * pio_mask as well.
25067 */
25068
25069 -static struct ata_port_operations simple_port_ops = {
25070 +static const struct ata_port_operations simple_port_ops = {
25071 .inherits = &legacy_base_port_ops,
25072 .sff_data_xfer = ata_sff_data_xfer_noirq,
25073 };
25074
25075 -static struct ata_port_operations legacy_port_ops = {
25076 +static const struct ata_port_operations legacy_port_ops = {
25077 .inherits = &legacy_base_port_ops,
25078 .sff_data_xfer = ata_sff_data_xfer_noirq,
25079 .set_mode = legacy_set_mode,
25080 @@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
25081 return buflen;
25082 }
25083
25084 -static struct ata_port_operations pdc20230_port_ops = {
25085 +static const struct ata_port_operations pdc20230_port_ops = {
25086 .inherits = &legacy_base_port_ops,
25087 .set_piomode = pdc20230_set_piomode,
25088 .sff_data_xfer = pdc_data_xfer_vlb,
25089 @@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
25090 ioread8(ap->ioaddr.status_addr);
25091 }
25092
25093 -static struct ata_port_operations ht6560a_port_ops = {
25094 +static const struct ata_port_operations ht6560a_port_ops = {
25095 .inherits = &legacy_base_port_ops,
25096 .set_piomode = ht6560a_set_piomode,
25097 };
25098 @@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
25099 ioread8(ap->ioaddr.status_addr);
25100 }
25101
25102 -static struct ata_port_operations ht6560b_port_ops = {
25103 +static const struct ata_port_operations ht6560b_port_ops = {
25104 .inherits = &legacy_base_port_ops,
25105 .set_piomode = ht6560b_set_piomode,
25106 };
25107 @@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
25108 }
25109
25110
25111 -static struct ata_port_operations opti82c611a_port_ops = {
25112 +static const struct ata_port_operations opti82c611a_port_ops = {
25113 .inherits = &legacy_base_port_ops,
25114 .set_piomode = opti82c611a_set_piomode,
25115 };
25116 @@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
25117 return ata_sff_qc_issue(qc);
25118 }
25119
25120 -static struct ata_port_operations opti82c46x_port_ops = {
25121 +static const struct ata_port_operations opti82c46x_port_ops = {
25122 .inherits = &legacy_base_port_ops,
25123 .set_piomode = opti82c46x_set_piomode,
25124 .qc_issue = opti82c46x_qc_issue,
25125 @@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
25126 return 0;
25127 }
25128
25129 -static struct ata_port_operations qdi6500_port_ops = {
25130 +static const struct ata_port_operations qdi6500_port_ops = {
25131 .inherits = &legacy_base_port_ops,
25132 .set_piomode = qdi6500_set_piomode,
25133 .qc_issue = qdi_qc_issue,
25134 .sff_data_xfer = vlb32_data_xfer,
25135 };
25136
25137 -static struct ata_port_operations qdi6580_port_ops = {
25138 +static const struct ata_port_operations qdi6580_port_ops = {
25139 .inherits = &legacy_base_port_ops,
25140 .set_piomode = qdi6580_set_piomode,
25141 .sff_data_xfer = vlb32_data_xfer,
25142 };
25143
25144 -static struct ata_port_operations qdi6580dp_port_ops = {
25145 +static const struct ata_port_operations qdi6580dp_port_ops = {
25146 .inherits = &legacy_base_port_ops,
25147 .set_piomode = qdi6580dp_set_piomode,
25148 .sff_data_xfer = vlb32_data_xfer,
25149 @@ -855,7 +855,7 @@ static int winbond_port(struct platform_
25150 return 0;
25151 }
25152
25153 -static struct ata_port_operations winbond_port_ops = {
25154 +static const struct ata_port_operations winbond_port_ops = {
25155 .inherits = &legacy_base_port_ops,
25156 .set_piomode = winbond_set_piomode,
25157 .sff_data_xfer = vlb32_data_xfer,
25158 @@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
25159 int pio_modes = controller->pio_mask;
25160 unsigned long io = probe->port;
25161 u32 mask = (1 << probe->slot);
25162 - struct ata_port_operations *ops = controller->ops;
25163 + const struct ata_port_operations *ops = controller->ops;
25164 struct legacy_data *ld = &legacy_data[probe->slot];
25165 struct ata_host *host = NULL;
25166 struct ata_port *ap;
25167 diff -urNp linux-2.6.32.43/drivers/ata/pata_marvell.c linux-2.6.32.43/drivers/ata/pata_marvell.c
25168 --- linux-2.6.32.43/drivers/ata/pata_marvell.c 2011-03-27 14:31:47.000000000 -0400
25169 +++ linux-2.6.32.43/drivers/ata/pata_marvell.c 2011-04-17 15:56:46.000000000 -0400
25170 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
25171 ATA_BMDMA_SHT(DRV_NAME),
25172 };
25173
25174 -static struct ata_port_operations marvell_ops = {
25175 +static const struct ata_port_operations marvell_ops = {
25176 .inherits = &ata_bmdma_port_ops,
25177 .cable_detect = marvell_cable_detect,
25178 .prereset = marvell_pre_reset,
25179 diff -urNp linux-2.6.32.43/drivers/ata/pata_mpc52xx.c linux-2.6.32.43/drivers/ata/pata_mpc52xx.c
25180 --- linux-2.6.32.43/drivers/ata/pata_mpc52xx.c 2011-03-27 14:31:47.000000000 -0400
25181 +++ linux-2.6.32.43/drivers/ata/pata_mpc52xx.c 2011-04-17 15:56:46.000000000 -0400
25182 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
25183 ATA_PIO_SHT(DRV_NAME),
25184 };
25185
25186 -static struct ata_port_operations mpc52xx_ata_port_ops = {
25187 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
25188 .inherits = &ata_bmdma_port_ops,
25189 .sff_dev_select = mpc52xx_ata_dev_select,
25190 .set_piomode = mpc52xx_ata_set_piomode,
25191 diff -urNp linux-2.6.32.43/drivers/ata/pata_mpiix.c linux-2.6.32.43/drivers/ata/pata_mpiix.c
25192 --- linux-2.6.32.43/drivers/ata/pata_mpiix.c 2011-03-27 14:31:47.000000000 -0400
25193 +++ linux-2.6.32.43/drivers/ata/pata_mpiix.c 2011-04-17 15:56:46.000000000 -0400
25194 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
25195 ATA_PIO_SHT(DRV_NAME),
25196 };
25197
25198 -static struct ata_port_operations mpiix_port_ops = {
25199 +static const struct ata_port_operations mpiix_port_ops = {
25200 .inherits = &ata_sff_port_ops,
25201 .qc_issue = mpiix_qc_issue,
25202 .cable_detect = ata_cable_40wire,
25203 diff -urNp linux-2.6.32.43/drivers/ata/pata_netcell.c linux-2.6.32.43/drivers/ata/pata_netcell.c
25204 --- linux-2.6.32.43/drivers/ata/pata_netcell.c 2011-03-27 14:31:47.000000000 -0400
25205 +++ linux-2.6.32.43/drivers/ata/pata_netcell.c 2011-04-17 15:56:46.000000000 -0400
25206 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
25207 ATA_BMDMA_SHT(DRV_NAME),
25208 };
25209
25210 -static struct ata_port_operations netcell_ops = {
25211 +static const struct ata_port_operations netcell_ops = {
25212 .inherits = &ata_bmdma_port_ops,
25213 .cable_detect = ata_cable_80wire,
25214 .read_id = netcell_read_id,
25215 diff -urNp linux-2.6.32.43/drivers/ata/pata_ninja32.c linux-2.6.32.43/drivers/ata/pata_ninja32.c
25216 --- linux-2.6.32.43/drivers/ata/pata_ninja32.c 2011-03-27 14:31:47.000000000 -0400
25217 +++ linux-2.6.32.43/drivers/ata/pata_ninja32.c 2011-04-17 15:56:46.000000000 -0400
25218 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
25219 ATA_BMDMA_SHT(DRV_NAME),
25220 };
25221
25222 -static struct ata_port_operations ninja32_port_ops = {
25223 +static const struct ata_port_operations ninja32_port_ops = {
25224 .inherits = &ata_bmdma_port_ops,
25225 .sff_dev_select = ninja32_dev_select,
25226 .cable_detect = ata_cable_40wire,
25227 diff -urNp linux-2.6.32.43/drivers/ata/pata_ns87410.c linux-2.6.32.43/drivers/ata/pata_ns87410.c
25228 --- linux-2.6.32.43/drivers/ata/pata_ns87410.c 2011-03-27 14:31:47.000000000 -0400
25229 +++ linux-2.6.32.43/drivers/ata/pata_ns87410.c 2011-04-17 15:56:46.000000000 -0400
25230 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
25231 ATA_PIO_SHT(DRV_NAME),
25232 };
25233
25234 -static struct ata_port_operations ns87410_port_ops = {
25235 +static const struct ata_port_operations ns87410_port_ops = {
25236 .inherits = &ata_sff_port_ops,
25237 .qc_issue = ns87410_qc_issue,
25238 .cable_detect = ata_cable_40wire,
25239 diff -urNp linux-2.6.32.43/drivers/ata/pata_ns87415.c linux-2.6.32.43/drivers/ata/pata_ns87415.c
25240 --- linux-2.6.32.43/drivers/ata/pata_ns87415.c 2011-03-27 14:31:47.000000000 -0400
25241 +++ linux-2.6.32.43/drivers/ata/pata_ns87415.c 2011-04-17 15:56:46.000000000 -0400
25242 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
25243 }
25244 #endif /* 87560 SuperIO Support */
25245
25246 -static struct ata_port_operations ns87415_pata_ops = {
25247 +static const struct ata_port_operations ns87415_pata_ops = {
25248 .inherits = &ata_bmdma_port_ops,
25249
25250 .check_atapi_dma = ns87415_check_atapi_dma,
25251 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
25252 };
25253
25254 #if defined(CONFIG_SUPERIO)
25255 -static struct ata_port_operations ns87560_pata_ops = {
25256 +static const struct ata_port_operations ns87560_pata_ops = {
25257 .inherits = &ns87415_pata_ops,
25258 .sff_tf_read = ns87560_tf_read,
25259 .sff_check_status = ns87560_check_status,
25260 diff -urNp linux-2.6.32.43/drivers/ata/pata_octeon_cf.c linux-2.6.32.43/drivers/ata/pata_octeon_cf.c
25261 --- linux-2.6.32.43/drivers/ata/pata_octeon_cf.c 2011-03-27 14:31:47.000000000 -0400
25262 +++ linux-2.6.32.43/drivers/ata/pata_octeon_cf.c 2011-04-17 15:56:46.000000000 -0400
25263 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
25264 return 0;
25265 }
25266
25267 +/* cannot be const */
25268 static struct ata_port_operations octeon_cf_ops = {
25269 .inherits = &ata_sff_port_ops,
25270 .check_atapi_dma = octeon_cf_check_atapi_dma,
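Review bot: The added comment `/* cannot be const */` does not say why, and that is what the next person auditing writable function-pointer tables will need to know. If the reason is that the driver assigns members of `octeon_cf_ops` at probe time (that code is outside this hunk, so this is an assumption to confirm), say so: `/* cannot be const: members are assigned at probe time */`. This table stays in writable memory while its siblings move to read-only memory. It is therefore worth noting whether per-variant `const` tables selected at probe time could replace the runtime assignment. The initializer continues outside the hunk.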
25271 diff -urNp linux-2.6.32.43/drivers/ata/pata_oldpiix.c linux-2.6.32.43/drivers/ata/pata_oldpiix.c
25272 --- linux-2.6.32.43/drivers/ata/pata_oldpiix.c 2011-03-27 14:31:47.000000000 -0400
25273 +++ linux-2.6.32.43/drivers/ata/pata_oldpiix.c 2011-04-17 15:56:46.000000000 -0400
25274 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
25275 ATA_BMDMA_SHT(DRV_NAME),
25276 };
25277
25278 -static struct ata_port_operations oldpiix_pata_ops = {
25279 +static const struct ata_port_operations oldpiix_pata_ops = {
25280 .inherits = &ata_bmdma_port_ops,
25281 .qc_issue = oldpiix_qc_issue,
25282 .cable_detect = ata_cable_40wire,
25283 diff -urNp linux-2.6.32.43/drivers/ata/pata_opti.c linux-2.6.32.43/drivers/ata/pata_opti.c
25284 --- linux-2.6.32.43/drivers/ata/pata_opti.c 2011-03-27 14:31:47.000000000 -0400
25285 +++ linux-2.6.32.43/drivers/ata/pata_opti.c 2011-04-17 15:56:46.000000000 -0400
25286 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
25287 ATA_PIO_SHT(DRV_NAME),
25288 };
25289
25290 -static struct ata_port_operations opti_port_ops = {
25291 +static const struct ata_port_operations opti_port_ops = {
25292 .inherits = &ata_sff_port_ops,
25293 .cable_detect = ata_cable_40wire,
25294 .set_piomode = opti_set_piomode,
25295 diff -urNp linux-2.6.32.43/drivers/ata/pata_optidma.c linux-2.6.32.43/drivers/ata/pata_optidma.c
25296 --- linux-2.6.32.43/drivers/ata/pata_optidma.c 2011-03-27 14:31:47.000000000 -0400
25297 +++ linux-2.6.32.43/drivers/ata/pata_optidma.c 2011-04-17 15:56:46.000000000 -0400
25298 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
25299 ATA_BMDMA_SHT(DRV_NAME),
25300 };
25301
25302 -static struct ata_port_operations optidma_port_ops = {
25303 +static const struct ata_port_operations optidma_port_ops = {
25304 .inherits = &ata_bmdma_port_ops,
25305 .cable_detect = ata_cable_40wire,
25306 .set_piomode = optidma_set_pio_mode,
25307 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
25308 .prereset = optidma_pre_reset,
25309 };
25310
25311 -static struct ata_port_operations optiplus_port_ops = {
25312 +static const struct ata_port_operations optiplus_port_ops = {
25313 .inherits = &optidma_port_ops,
25314 .set_piomode = optiplus_set_pio_mode,
25315 .set_dmamode = optiplus_set_dma_mode,
25316 diff -urNp linux-2.6.32.43/drivers/ata/pata_palmld.c linux-2.6.32.43/drivers/ata/pata_palmld.c
25317 --- linux-2.6.32.43/drivers/ata/pata_palmld.c 2011-03-27 14:31:47.000000000 -0400
25318 +++ linux-2.6.32.43/drivers/ata/pata_palmld.c 2011-04-17 15:56:46.000000000 -0400
25319 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
25320 ATA_PIO_SHT(DRV_NAME),
25321 };
25322
25323 -static struct ata_port_operations palmld_port_ops = {
25324 +static const struct ata_port_operations palmld_port_ops = {
25325 .inherits = &ata_sff_port_ops,
25326 .sff_data_xfer = ata_sff_data_xfer_noirq,
25327 .cable_detect = ata_cable_40wire,
25328 diff -urNp linux-2.6.32.43/drivers/ata/pata_pcmcia.c linux-2.6.32.43/drivers/ata/pata_pcmcia.c
25329 --- linux-2.6.32.43/drivers/ata/pata_pcmcia.c 2011-03-27 14:31:47.000000000 -0400
25330 +++ linux-2.6.32.43/drivers/ata/pata_pcmcia.c 2011-04-17 15:56:46.000000000 -0400
25331 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
25332 ATA_PIO_SHT(DRV_NAME),
25333 };
25334
25335 -static struct ata_port_operations pcmcia_port_ops = {
25336 +static const struct ata_port_operations pcmcia_port_ops = {
25337 .inherits = &ata_sff_port_ops,
25338 .sff_data_xfer = ata_sff_data_xfer_noirq,
25339 .cable_detect = ata_cable_40wire,
25340 .set_mode = pcmcia_set_mode,
25341 };
25342
25343 -static struct ata_port_operations pcmcia_8bit_port_ops = {
25344 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
25345 .inherits = &ata_sff_port_ops,
25346 .sff_data_xfer = ata_data_xfer_8bit,
25347 .cable_detect = ata_cable_40wire,
25348 @@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
25349 unsigned long io_base, ctl_base;
25350 void __iomem *io_addr, *ctl_addr;
25351 int n_ports = 1;
25352 - struct ata_port_operations *ops = &pcmcia_port_ops;
25353 + const struct ata_port_operations *ops = &pcmcia_port_ops;
25354
25355 info = kzalloc(sizeof(*info), GFP_KERNEL);
25356 if (info == NULL)
25357 diff -urNp linux-2.6.32.43/drivers/ata/pata_pdc2027x.c linux-2.6.32.43/drivers/ata/pata_pdc2027x.c
25358 --- linux-2.6.32.43/drivers/ata/pata_pdc2027x.c 2011-03-27 14:31:47.000000000 -0400
25359 +++ linux-2.6.32.43/drivers/ata/pata_pdc2027x.c 2011-04-17 15:56:46.000000000 -0400
25360 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
25361 ATA_BMDMA_SHT(DRV_NAME),
25362 };
25363
25364 -static struct ata_port_operations pdc2027x_pata100_ops = {
25365 +static const struct ata_port_operations pdc2027x_pata100_ops = {
25366 .inherits = &ata_bmdma_port_ops,
25367 .check_atapi_dma = pdc2027x_check_atapi_dma,
25368 .cable_detect = pdc2027x_cable_detect,
25369 .prereset = pdc2027x_prereset,
25370 };
25371
25372 -static struct ata_port_operations pdc2027x_pata133_ops = {
25373 +static const struct ata_port_operations pdc2027x_pata133_ops = {
25374 .inherits = &pdc2027x_pata100_ops,
25375 .mode_filter = pdc2027x_mode_filter,
25376 .set_piomode = pdc2027x_set_piomode,
25377 diff -urNp linux-2.6.32.43/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.43/drivers/ata/pata_pdc202xx_old.c
25378 --- linux-2.6.32.43/drivers/ata/pata_pdc202xx_old.c 2011-03-27 14:31:47.000000000 -0400
25379 +++ linux-2.6.32.43/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:56:46.000000000 -0400
25380 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
25381 ATA_BMDMA_SHT(DRV_NAME),
25382 };
25383
25384 -static struct ata_port_operations pdc2024x_port_ops = {
25385 +static const struct ata_port_operations pdc2024x_port_ops = {
25386 .inherits = &ata_bmdma_port_ops,
25387
25388 .cable_detect = ata_cable_40wire,
25389 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
25390 .sff_exec_command = pdc202xx_exec_command,
25391 };
25392
25393 -static struct ata_port_operations pdc2026x_port_ops = {
25394 +static const struct ata_port_operations pdc2026x_port_ops = {
25395 .inherits = &pdc2024x_port_ops,
25396
25397 .check_atapi_dma = pdc2026x_check_atapi_dma,
25398 diff -urNp linux-2.6.32.43/drivers/ata/pata_platform.c linux-2.6.32.43/drivers/ata/pata_platform.c
25399 --- linux-2.6.32.43/drivers/ata/pata_platform.c 2011-03-27 14:31:47.000000000 -0400
25400 +++ linux-2.6.32.43/drivers/ata/pata_platform.c 2011-04-17 15:56:46.000000000 -0400
25401 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
25402 ATA_PIO_SHT(DRV_NAME),
25403 };
25404
25405 -static struct ata_port_operations pata_platform_port_ops = {
25406 +static const struct ata_port_operations pata_platform_port_ops = {
25407 .inherits = &ata_sff_port_ops,
25408 .sff_data_xfer = ata_sff_data_xfer_noirq,
25409 .cable_detect = ata_cable_unknown,
25410 diff -urNp linux-2.6.32.43/drivers/ata/pata_qdi.c linux-2.6.32.43/drivers/ata/pata_qdi.c
25411 --- linux-2.6.32.43/drivers/ata/pata_qdi.c 2011-03-27 14:31:47.000000000 -0400
25412 +++ linux-2.6.32.43/drivers/ata/pata_qdi.c 2011-04-17 15:56:46.000000000 -0400
25413 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
25414 ATA_PIO_SHT(DRV_NAME),
25415 };
25416
25417 -static struct ata_port_operations qdi6500_port_ops = {
25418 +static const struct ata_port_operations qdi6500_port_ops = {
25419 .inherits = &ata_sff_port_ops,
25420 .qc_issue = qdi_qc_issue,
25421 .sff_data_xfer = qdi_data_xfer,
25422 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
25423 .set_piomode = qdi6500_set_piomode,
25424 };
25425
25426 -static struct ata_port_operations qdi6580_port_ops = {
25427 +static const struct ata_port_operations qdi6580_port_ops = {
25428 .inherits = &qdi6500_port_ops,
25429 .set_piomode = qdi6580_set_piomode,
25430 };
25431 diff -urNp linux-2.6.32.43/drivers/ata/pata_radisys.c linux-2.6.32.43/drivers/ata/pata_radisys.c
25432 --- linux-2.6.32.43/drivers/ata/pata_radisys.c 2011-03-27 14:31:47.000000000 -0400
25433 +++ linux-2.6.32.43/drivers/ata/pata_radisys.c 2011-04-17 15:56:46.000000000 -0400
25434 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
25435 ATA_BMDMA_SHT(DRV_NAME),
25436 };
25437
25438 -static struct ata_port_operations radisys_pata_ops = {
25439 +static const struct ata_port_operations radisys_pata_ops = {
25440 .inherits = &ata_bmdma_port_ops,
25441 .qc_issue = radisys_qc_issue,
25442 .cable_detect = ata_cable_unknown,
25443 diff -urNp linux-2.6.32.43/drivers/ata/pata_rb532_cf.c linux-2.6.32.43/drivers/ata/pata_rb532_cf.c
25444 --- linux-2.6.32.43/drivers/ata/pata_rb532_cf.c 2011-03-27 14:31:47.000000000 -0400
25445 +++ linux-2.6.32.43/drivers/ata/pata_rb532_cf.c 2011-04-17 15:56:46.000000000 -0400
25446 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
25447 return IRQ_HANDLED;
25448 }
25449
25450 -static struct ata_port_operations rb532_pata_port_ops = {
25451 +static const struct ata_port_operations rb532_pata_port_ops = {
25452 .inherits = &ata_sff_port_ops,
25453 .sff_data_xfer = ata_sff_data_xfer32,
25454 };
25455 diff -urNp linux-2.6.32.43/drivers/ata/pata_rdc.c linux-2.6.32.43/drivers/ata/pata_rdc.c
25456 --- linux-2.6.32.43/drivers/ata/pata_rdc.c 2011-03-27 14:31:47.000000000 -0400
25457 +++ linux-2.6.32.43/drivers/ata/pata_rdc.c 2011-04-17 15:56:46.000000000 -0400
25458 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
25459 pci_write_config_byte(dev, 0x48, udma_enable);
25460 }
25461
25462 -static struct ata_port_operations rdc_pata_ops = {
25463 +static const struct ata_port_operations rdc_pata_ops = {
25464 .inherits = &ata_bmdma32_port_ops,
25465 .cable_detect = rdc_pata_cable_detect,
25466 .set_piomode = rdc_set_piomode,
25467 diff -urNp linux-2.6.32.43/drivers/ata/pata_rz1000.c linux-2.6.32.43/drivers/ata/pata_rz1000.c
25468 --- linux-2.6.32.43/drivers/ata/pata_rz1000.c 2011-03-27 14:31:47.000000000 -0400
25469 +++ linux-2.6.32.43/drivers/ata/pata_rz1000.c 2011-04-17 15:56:46.000000000 -0400
25470 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
25471 ATA_PIO_SHT(DRV_NAME),
25472 };
25473
25474 -static struct ata_port_operations rz1000_port_ops = {
25475 +static const struct ata_port_operations rz1000_port_ops = {
25476 .inherits = &ata_sff_port_ops,
25477 .cable_detect = ata_cable_40wire,
25478 .set_mode = rz1000_set_mode,
25479 diff -urNp linux-2.6.32.43/drivers/ata/pata_sc1200.c linux-2.6.32.43/drivers/ata/pata_sc1200.c
25480 --- linux-2.6.32.43/drivers/ata/pata_sc1200.c 2011-03-27 14:31:47.000000000 -0400
25481 +++ linux-2.6.32.43/drivers/ata/pata_sc1200.c 2011-04-17 15:56:46.000000000 -0400
25482 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
25483 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25484 };
25485
25486 -static struct ata_port_operations sc1200_port_ops = {
25487 +static const struct ata_port_operations sc1200_port_ops = {
25488 .inherits = &ata_bmdma_port_ops,
25489 .qc_prep = ata_sff_dumb_qc_prep,
25490 .qc_issue = sc1200_qc_issue,
25491 diff -urNp linux-2.6.32.43/drivers/ata/pata_scc.c linux-2.6.32.43/drivers/ata/pata_scc.c
25492 --- linux-2.6.32.43/drivers/ata/pata_scc.c 2011-03-27 14:31:47.000000000 -0400
25493 +++ linux-2.6.32.43/drivers/ata/pata_scc.c 2011-04-17 15:56:46.000000000 -0400
25494 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
25495 ATA_BMDMA_SHT(DRV_NAME),
25496 };
25497
25498 -static struct ata_port_operations scc_pata_ops = {
25499 +static const struct ata_port_operations scc_pata_ops = {
25500 .inherits = &ata_bmdma_port_ops,
25501
25502 .set_piomode = scc_set_piomode,
25503 diff -urNp linux-2.6.32.43/drivers/ata/pata_sch.c linux-2.6.32.43/drivers/ata/pata_sch.c
25504 --- linux-2.6.32.43/drivers/ata/pata_sch.c 2011-03-27 14:31:47.000000000 -0400
25505 +++ linux-2.6.32.43/drivers/ata/pata_sch.c 2011-04-17 15:56:46.000000000 -0400
25506 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
25507 ATA_BMDMA_SHT(DRV_NAME),
25508 };
25509
25510 -static struct ata_port_operations sch_pata_ops = {
25511 +static const struct ata_port_operations sch_pata_ops = {
25512 .inherits = &ata_bmdma_port_ops,
25513 .cable_detect = ata_cable_unknown,
25514 .set_piomode = sch_set_piomode,
25515 diff -urNp linux-2.6.32.43/drivers/ata/pata_serverworks.c linux-2.6.32.43/drivers/ata/pata_serverworks.c
25516 --- linux-2.6.32.43/drivers/ata/pata_serverworks.c 2011-03-27 14:31:47.000000000 -0400
25517 +++ linux-2.6.32.43/drivers/ata/pata_serverworks.c 2011-04-17 15:56:46.000000000 -0400
25518 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
25519 ATA_BMDMA_SHT(DRV_NAME),
25520 };
25521
25522 -static struct ata_port_operations serverworks_osb4_port_ops = {
25523 +static const struct ata_port_operations serverworks_osb4_port_ops = {
25524 .inherits = &ata_bmdma_port_ops,
25525 .cable_detect = serverworks_cable_detect,
25526 .mode_filter = serverworks_osb4_filter,
25527 @@ -307,7 +307,7 @@ static struct ata_port_operations server
25528 .set_dmamode = serverworks_set_dmamode,
25529 };
25530
25531 -static struct ata_port_operations serverworks_csb_port_ops = {
25532 +static const struct ata_port_operations serverworks_csb_port_ops = {
25533 .inherits = &serverworks_osb4_port_ops,
25534 .mode_filter = serverworks_csb_filter,
25535 };
25536 diff -urNp linux-2.6.32.43/drivers/ata/pata_sil680.c linux-2.6.32.43/drivers/ata/pata_sil680.c
25537 --- linux-2.6.32.43/drivers/ata/pata_sil680.c 2011-06-25 12:55:34.000000000 -0400
25538 +++ linux-2.6.32.43/drivers/ata/pata_sil680.c 2011-06-25 12:56:37.000000000 -0400
25539 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
25540 ATA_BMDMA_SHT(DRV_NAME),
25541 };
25542
25543 -static struct ata_port_operations sil680_port_ops = {
25544 +static const struct ata_port_operations sil680_port_ops = {
25545 .inherits = &ata_bmdma32_port_ops,
25546 .cable_detect = sil680_cable_detect,
25547 .set_piomode = sil680_set_piomode,
25548 diff -urNp linux-2.6.32.43/drivers/ata/pata_sis.c linux-2.6.32.43/drivers/ata/pata_sis.c
25549 --- linux-2.6.32.43/drivers/ata/pata_sis.c 2011-03-27 14:31:47.000000000 -0400
25550 +++ linux-2.6.32.43/drivers/ata/pata_sis.c 2011-04-17 15:56:46.000000000 -0400
25551 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
25552 ATA_BMDMA_SHT(DRV_NAME),
25553 };
25554
25555 -static struct ata_port_operations sis_133_for_sata_ops = {
25556 +static const struct ata_port_operations sis_133_for_sata_ops = {
25557 .inherits = &ata_bmdma_port_ops,
25558 .set_piomode = sis_133_set_piomode,
25559 .set_dmamode = sis_133_set_dmamode,
25560 .cable_detect = sis_133_cable_detect,
25561 };
25562
25563 -static struct ata_port_operations sis_base_ops = {
25564 +static const struct ata_port_operations sis_base_ops = {
25565 .inherits = &ata_bmdma_port_ops,
25566 .prereset = sis_pre_reset,
25567 };
25568
25569 -static struct ata_port_operations sis_133_ops = {
25570 +static const struct ata_port_operations sis_133_ops = {
25571 .inherits = &sis_base_ops,
25572 .set_piomode = sis_133_set_piomode,
25573 .set_dmamode = sis_133_set_dmamode,
25574 .cable_detect = sis_133_cable_detect,
25575 };
25576
25577 -static struct ata_port_operations sis_133_early_ops = {
25578 +static const struct ata_port_operations sis_133_early_ops = {
25579 .inherits = &sis_base_ops,
25580 .set_piomode = sis_100_set_piomode,
25581 .set_dmamode = sis_133_early_set_dmamode,
25582 .cable_detect = sis_66_cable_detect,
25583 };
25584
25585 -static struct ata_port_operations sis_100_ops = {
25586 +static const struct ata_port_operations sis_100_ops = {
25587 .inherits = &sis_base_ops,
25588 .set_piomode = sis_100_set_piomode,
25589 .set_dmamode = sis_100_set_dmamode,
25590 .cable_detect = sis_66_cable_detect,
25591 };
25592
25593 -static struct ata_port_operations sis_66_ops = {
25594 +static const struct ata_port_operations sis_66_ops = {
25595 .inherits = &sis_base_ops,
25596 .set_piomode = sis_old_set_piomode,
25597 .set_dmamode = sis_66_set_dmamode,
25598 .cable_detect = sis_66_cable_detect,
25599 };
25600
25601 -static struct ata_port_operations sis_old_ops = {
25602 +static const struct ata_port_operations sis_old_ops = {
25603 .inherits = &sis_base_ops,
25604 .set_piomode = sis_old_set_piomode,
25605 .set_dmamode = sis_old_set_dmamode,
25606 diff -urNp linux-2.6.32.43/drivers/ata/pata_sl82c105.c linux-2.6.32.43/drivers/ata/pata_sl82c105.c
25607 --- linux-2.6.32.43/drivers/ata/pata_sl82c105.c 2011-03-27 14:31:47.000000000 -0400
25608 +++ linux-2.6.32.43/drivers/ata/pata_sl82c105.c 2011-04-17 15:56:46.000000000 -0400
25609 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
25610 ATA_BMDMA_SHT(DRV_NAME),
25611 };
25612
25613 -static struct ata_port_operations sl82c105_port_ops = {
25614 +static const struct ata_port_operations sl82c105_port_ops = {
25615 .inherits = &ata_bmdma_port_ops,
25616 .qc_defer = sl82c105_qc_defer,
25617 .bmdma_start = sl82c105_bmdma_start,
25618 diff -urNp linux-2.6.32.43/drivers/ata/pata_triflex.c linux-2.6.32.43/drivers/ata/pata_triflex.c
25619 --- linux-2.6.32.43/drivers/ata/pata_triflex.c 2011-03-27 14:31:47.000000000 -0400
25620 +++ linux-2.6.32.43/drivers/ata/pata_triflex.c 2011-04-17 15:56:46.000000000 -0400
25621 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
25622 ATA_BMDMA_SHT(DRV_NAME),
25623 };
25624
25625 -static struct ata_port_operations triflex_port_ops = {
25626 +static const struct ata_port_operations triflex_port_ops = {
25627 .inherits = &ata_bmdma_port_ops,
25628 .bmdma_start = triflex_bmdma_start,
25629 .bmdma_stop = triflex_bmdma_stop,
25630 diff -urNp linux-2.6.32.43/drivers/ata/pata_via.c linux-2.6.32.43/drivers/ata/pata_via.c
25631 --- linux-2.6.32.43/drivers/ata/pata_via.c 2011-03-27 14:31:47.000000000 -0400
25632 +++ linux-2.6.32.43/drivers/ata/pata_via.c 2011-04-17 15:56:46.000000000 -0400
25633 @@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
25634 ATA_BMDMA_SHT(DRV_NAME),
25635 };
25636
25637 -static struct ata_port_operations via_port_ops = {
25638 +static const struct ata_port_operations via_port_ops = {
25639 .inherits = &ata_bmdma_port_ops,
25640 .cable_detect = via_cable_detect,
25641 .set_piomode = via_set_piomode,
25642 @@ -429,7 +429,7 @@ static struct ata_port_operations via_po
25643 .port_start = via_port_start,
25644 };
25645
25646 -static struct ata_port_operations via_port_ops_noirq = {
25647 +static const struct ata_port_operations via_port_ops_noirq = {
25648 .inherits = &via_port_ops,
25649 .sff_data_xfer = ata_sff_data_xfer_noirq,
25650 };
25651 diff -urNp linux-2.6.32.43/drivers/ata/pata_winbond.c linux-2.6.32.43/drivers/ata/pata_winbond.c
25652 --- linux-2.6.32.43/drivers/ata/pata_winbond.c 2011-03-27 14:31:47.000000000 -0400
25653 +++ linux-2.6.32.43/drivers/ata/pata_winbond.c 2011-04-17 15:56:46.000000000 -0400
25654 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
25655 ATA_PIO_SHT(DRV_NAME),
25656 };
25657
25658 -static struct ata_port_operations winbond_port_ops = {
25659 +static const struct ata_port_operations winbond_port_ops = {
25660 .inherits = &ata_sff_port_ops,
25661 .sff_data_xfer = winbond_data_xfer,
25662 .cable_detect = ata_cable_40wire,
25663 diff -urNp linux-2.6.32.43/drivers/ata/pdc_adma.c linux-2.6.32.43/drivers/ata/pdc_adma.c
25664 --- linux-2.6.32.43/drivers/ata/pdc_adma.c 2011-03-27 14:31:47.000000000 -0400
25665 +++ linux-2.6.32.43/drivers/ata/pdc_adma.c 2011-04-17 15:56:46.000000000 -0400
25666 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
25667 .dma_boundary = ADMA_DMA_BOUNDARY,
25668 };
25669
25670 -static struct ata_port_operations adma_ata_ops = {
25671 +static const struct ata_port_operations adma_ata_ops = {
25672 .inherits = &ata_sff_port_ops,
25673
25674 .lost_interrupt = ATA_OP_NULL,
25675 diff -urNp linux-2.6.32.43/drivers/ata/sata_fsl.c linux-2.6.32.43/drivers/ata/sata_fsl.c
25676 --- linux-2.6.32.43/drivers/ata/sata_fsl.c 2011-03-27 14:31:47.000000000 -0400
25677 +++ linux-2.6.32.43/drivers/ata/sata_fsl.c 2011-04-17 15:56:46.000000000 -0400
25678 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
25679 .dma_boundary = ATA_DMA_BOUNDARY,
25680 };
25681
25682 -static struct ata_port_operations sata_fsl_ops = {
25683 +static const struct ata_port_operations sata_fsl_ops = {
25684 .inherits = &sata_pmp_port_ops,
25685
25686 .qc_defer = ata_std_qc_defer,
25687 diff -urNp linux-2.6.32.43/drivers/ata/sata_inic162x.c linux-2.6.32.43/drivers/ata/sata_inic162x.c
25688 --- linux-2.6.32.43/drivers/ata/sata_inic162x.c 2011-03-27 14:31:47.000000000 -0400
25689 +++ linux-2.6.32.43/drivers/ata/sata_inic162x.c 2011-04-17 15:56:46.000000000 -0400
25690 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
25691 return 0;
25692 }
25693
25694 -static struct ata_port_operations inic_port_ops = {
25695 +static const struct ata_port_operations inic_port_ops = {
25696 .inherits = &sata_port_ops,
25697
25698 .check_atapi_dma = inic_check_atapi_dma,
25699 diff -urNp linux-2.6.32.43/drivers/ata/sata_mv.c linux-2.6.32.43/drivers/ata/sata_mv.c
25700 --- linux-2.6.32.43/drivers/ata/sata_mv.c 2011-03-27 14:31:47.000000000 -0400
25701 +++ linux-2.6.32.43/drivers/ata/sata_mv.c 2011-04-17 15:56:46.000000000 -0400
25702 @@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
25703 .dma_boundary = MV_DMA_BOUNDARY,
25704 };
25705
25706 -static struct ata_port_operations mv5_ops = {
25707 +static const struct ata_port_operations mv5_ops = {
25708 .inherits = &ata_sff_port_ops,
25709
25710 .lost_interrupt = ATA_OP_NULL,
25711 @@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
25712 .port_stop = mv_port_stop,
25713 };
25714
25715 -static struct ata_port_operations mv6_ops = {
25716 +static const struct ata_port_operations mv6_ops = {
25717 .inherits = &mv5_ops,
25718 .dev_config = mv6_dev_config,
25719 .scr_read = mv_scr_read,
25720 @@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
25721 .bmdma_status = mv_bmdma_status,
25722 };
25723
25724 -static struct ata_port_operations mv_iie_ops = {
25725 +static const struct ata_port_operations mv_iie_ops = {
25726 .inherits = &mv6_ops,
25727 .dev_config = ATA_OP_NULL,
25728 .qc_prep = mv_qc_prep_iie,
25729 diff -urNp linux-2.6.32.43/drivers/ata/sata_nv.c linux-2.6.32.43/drivers/ata/sata_nv.c
25730 --- linux-2.6.32.43/drivers/ata/sata_nv.c 2011-03-27 14:31:47.000000000 -0400
25731 +++ linux-2.6.32.43/drivers/ata/sata_nv.c 2011-04-17 15:56:46.000000000 -0400
25732 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
25733 * cases. Define nv_hardreset() which only kicks in for post-boot
25734 * probing and use it for all variants.
25735 */
25736 -static struct ata_port_operations nv_generic_ops = {
25737 +static const struct ata_port_operations nv_generic_ops = {
25738 .inherits = &ata_bmdma_port_ops,
25739 .lost_interrupt = ATA_OP_NULL,
25740 .scr_read = nv_scr_read,
25741 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
25742 .hardreset = nv_hardreset,
25743 };
25744
25745 -static struct ata_port_operations nv_nf2_ops = {
25746 +static const struct ata_port_operations nv_nf2_ops = {
25747 .inherits = &nv_generic_ops,
25748 .freeze = nv_nf2_freeze,
25749 .thaw = nv_nf2_thaw,
25750 };
25751
25752 -static struct ata_port_operations nv_ck804_ops = {
25753 +static const struct ata_port_operations nv_ck804_ops = {
25754 .inherits = &nv_generic_ops,
25755 .freeze = nv_ck804_freeze,
25756 .thaw = nv_ck804_thaw,
25757 .host_stop = nv_ck804_host_stop,
25758 };
25759
25760 -static struct ata_port_operations nv_adma_ops = {
25761 +static const struct ata_port_operations nv_adma_ops = {
25762 .inherits = &nv_ck804_ops,
25763
25764 .check_atapi_dma = nv_adma_check_atapi_dma,
25765 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
25766 .host_stop = nv_adma_host_stop,
25767 };
25768
25769 -static struct ata_port_operations nv_swncq_ops = {
25770 +static const struct ata_port_operations nv_swncq_ops = {
25771 .inherits = &nv_generic_ops,
25772
25773 .qc_defer = ata_std_qc_defer,
25774 diff -urNp linux-2.6.32.43/drivers/ata/sata_promise.c linux-2.6.32.43/drivers/ata/sata_promise.c
25775 --- linux-2.6.32.43/drivers/ata/sata_promise.c 2011-03-27 14:31:47.000000000 -0400
25776 +++ linux-2.6.32.43/drivers/ata/sata_promise.c 2011-04-17 15:56:46.000000000 -0400
25777 @@ -195,7 +195,7 @@ static const struct ata_port_operations
25778 .error_handler = pdc_error_handler,
25779 };
25780
25781 -static struct ata_port_operations pdc_sata_ops = {
25782 +static const struct ata_port_operations pdc_sata_ops = {
25783 .inherits = &pdc_common_ops,
25784 .cable_detect = pdc_sata_cable_detect,
25785 .freeze = pdc_sata_freeze,
25786 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
25787
25788 /* First-generation chips need a more restrictive ->check_atapi_dma op,
25789 and ->freeze/thaw that ignore the hotplug controls. */
25790 -static struct ata_port_operations pdc_old_sata_ops = {
25791 +static const struct ata_port_operations pdc_old_sata_ops = {
25792 .inherits = &pdc_sata_ops,
25793 .freeze = pdc_freeze,
25794 .thaw = pdc_thaw,
25795 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
25796 };
25797
25798 -static struct ata_port_operations pdc_pata_ops = {
25799 +static const struct ata_port_operations pdc_pata_ops = {
25800 .inherits = &pdc_common_ops,
25801 .cable_detect = pdc_pata_cable_detect,
25802 .freeze = pdc_freeze,
25803 diff -urNp linux-2.6.32.43/drivers/ata/sata_qstor.c linux-2.6.32.43/drivers/ata/sata_qstor.c
25804 --- linux-2.6.32.43/drivers/ata/sata_qstor.c 2011-03-27 14:31:47.000000000 -0400
25805 +++ linux-2.6.32.43/drivers/ata/sata_qstor.c 2011-04-17 15:56:46.000000000 -0400
25806 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
25807 .dma_boundary = QS_DMA_BOUNDARY,
25808 };
25809
25810 -static struct ata_port_operations qs_ata_ops = {
25811 +static const struct ata_port_operations qs_ata_ops = {
25812 .inherits = &ata_sff_port_ops,
25813
25814 .check_atapi_dma = qs_check_atapi_dma,
25815 diff -urNp linux-2.6.32.43/drivers/ata/sata_sil24.c linux-2.6.32.43/drivers/ata/sata_sil24.c
25816 --- linux-2.6.32.43/drivers/ata/sata_sil24.c 2011-03-27 14:31:47.000000000 -0400
25817 +++ linux-2.6.32.43/drivers/ata/sata_sil24.c 2011-04-17 15:56:46.000000000 -0400
25818 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
25819 .dma_boundary = ATA_DMA_BOUNDARY,
25820 };
25821
25822 -static struct ata_port_operations sil24_ops = {
25823 +static const struct ata_port_operations sil24_ops = {
25824 .inherits = &sata_pmp_port_ops,
25825
25826 .qc_defer = sil24_qc_defer,
25827 diff -urNp linux-2.6.32.43/drivers/ata/sata_sil.c linux-2.6.32.43/drivers/ata/sata_sil.c
25828 --- linux-2.6.32.43/drivers/ata/sata_sil.c 2011-03-27 14:31:47.000000000 -0400
25829 +++ linux-2.6.32.43/drivers/ata/sata_sil.c 2011-04-17 15:56:46.000000000 -0400
25830 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
25831 .sg_tablesize = ATA_MAX_PRD
25832 };
25833
25834 -static struct ata_port_operations sil_ops = {
25835 +static const struct ata_port_operations sil_ops = {
25836 .inherits = &ata_bmdma32_port_ops,
25837 .dev_config = sil_dev_config,
25838 .set_mode = sil_set_mode,
25839 diff -urNp linux-2.6.32.43/drivers/ata/sata_sis.c linux-2.6.32.43/drivers/ata/sata_sis.c
25840 --- linux-2.6.32.43/drivers/ata/sata_sis.c 2011-03-27 14:31:47.000000000 -0400
25841 +++ linux-2.6.32.43/drivers/ata/sata_sis.c 2011-04-17 15:56:46.000000000 -0400
25842 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
25843 ATA_BMDMA_SHT(DRV_NAME),
25844 };
25845
25846 -static struct ata_port_operations sis_ops = {
25847 +static const struct ata_port_operations sis_ops = {
25848 .inherits = &ata_bmdma_port_ops,
25849 .scr_read = sis_scr_read,
25850 .scr_write = sis_scr_write,
25851 diff -urNp linux-2.6.32.43/drivers/ata/sata_svw.c linux-2.6.32.43/drivers/ata/sata_svw.c
25852 --- linux-2.6.32.43/drivers/ata/sata_svw.c 2011-03-27 14:31:47.000000000 -0400
25853 +++ linux-2.6.32.43/drivers/ata/sata_svw.c 2011-04-17 15:56:46.000000000 -0400
25854 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
25855 };
25856
25857
25858 -static struct ata_port_operations k2_sata_ops = {
25859 +static const struct ata_port_operations k2_sata_ops = {
25860 .inherits = &ata_bmdma_port_ops,
25861 .sff_tf_load = k2_sata_tf_load,
25862 .sff_tf_read = k2_sata_tf_read,
25863 diff -urNp linux-2.6.32.43/drivers/ata/sata_sx4.c linux-2.6.32.43/drivers/ata/sata_sx4.c
25864 --- linux-2.6.32.43/drivers/ata/sata_sx4.c 2011-03-27 14:31:47.000000000 -0400
25865 +++ linux-2.6.32.43/drivers/ata/sata_sx4.c 2011-04-17 15:56:46.000000000 -0400
25866 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
25867 };
25868
25869 /* TODO: inherit from base port_ops after converting to new EH */
25870 -static struct ata_port_operations pdc_20621_ops = {
25871 +static const struct ata_port_operations pdc_20621_ops = {
25872 .inherits = &ata_sff_port_ops,
25873
25874 .check_atapi_dma = pdc_check_atapi_dma,
25875 diff -urNp linux-2.6.32.43/drivers/ata/sata_uli.c linux-2.6.32.43/drivers/ata/sata_uli.c
25876 --- linux-2.6.32.43/drivers/ata/sata_uli.c 2011-03-27 14:31:47.000000000 -0400
25877 +++ linux-2.6.32.43/drivers/ata/sata_uli.c 2011-04-17 15:56:46.000000000 -0400
25878 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
25879 ATA_BMDMA_SHT(DRV_NAME),
25880 };
25881
25882 -static struct ata_port_operations uli_ops = {
25883 +static const struct ata_port_operations uli_ops = {
25884 .inherits = &ata_bmdma_port_ops,
25885 .scr_read = uli_scr_read,
25886 .scr_write = uli_scr_write,
25887 diff -urNp linux-2.6.32.43/drivers/ata/sata_via.c linux-2.6.32.43/drivers/ata/sata_via.c
25888 --- linux-2.6.32.43/drivers/ata/sata_via.c 2011-05-10 22:12:01.000000000 -0400
25889 +++ linux-2.6.32.43/drivers/ata/sata_via.c 2011-05-10 22:15:08.000000000 -0400
25890 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
25891 ATA_BMDMA_SHT(DRV_NAME),
25892 };
25893
25894 -static struct ata_port_operations svia_base_ops = {
25895 +static const struct ata_port_operations svia_base_ops = {
25896 .inherits = &ata_bmdma_port_ops,
25897 .sff_tf_load = svia_tf_load,
25898 };
25899
25900 -static struct ata_port_operations vt6420_sata_ops = {
25901 +static const struct ata_port_operations vt6420_sata_ops = {
25902 .inherits = &svia_base_ops,
25903 .freeze = svia_noop_freeze,
25904 .prereset = vt6420_prereset,
25905 .bmdma_start = vt6420_bmdma_start,
25906 };
25907
25908 -static struct ata_port_operations vt6421_pata_ops = {
25909 +static const struct ata_port_operations vt6421_pata_ops = {
25910 .inherits = &svia_base_ops,
25911 .cable_detect = vt6421_pata_cable_detect,
25912 .set_piomode = vt6421_set_pio_mode,
25913 .set_dmamode = vt6421_set_dma_mode,
25914 };
25915
25916 -static struct ata_port_operations vt6421_sata_ops = {
25917 +static const struct ata_port_operations vt6421_sata_ops = {
25918 .inherits = &svia_base_ops,
25919 .scr_read = svia_scr_read,
25920 .scr_write = svia_scr_write,
25921 };
25922
25923 -static struct ata_port_operations vt8251_ops = {
25924 +static const struct ata_port_operations vt8251_ops = {
25925 .inherits = &svia_base_ops,
25926 .hardreset = sata_std_hardreset,
25927 .scr_read = vt8251_scr_read,
25928 diff -urNp linux-2.6.32.43/drivers/ata/sata_vsc.c linux-2.6.32.43/drivers/ata/sata_vsc.c
25929 --- linux-2.6.32.43/drivers/ata/sata_vsc.c 2011-03-27 14:31:47.000000000 -0400
25930 +++ linux-2.6.32.43/drivers/ata/sata_vsc.c 2011-04-17 15:56:46.000000000 -0400
25931 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
25932 };
25933
25934
25935 -static struct ata_port_operations vsc_sata_ops = {
25936 +static const struct ata_port_operations vsc_sata_ops = {
25937 .inherits = &ata_bmdma_port_ops,
25938 /* The IRQ handling is not quite standard SFF behaviour so we
25939 cannot use the default lost interrupt handler */
25940 diff -urNp linux-2.6.32.43/drivers/atm/adummy.c linux-2.6.32.43/drivers/atm/adummy.c
25941 --- linux-2.6.32.43/drivers/atm/adummy.c 2011-03-27 14:31:47.000000000 -0400
25942 +++ linux-2.6.32.43/drivers/atm/adummy.c 2011-04-17 15:56:46.000000000 -0400
25943 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
25944 vcc->pop(vcc, skb);
25945 else
25946 dev_kfree_skb_any(skb);
25947 - atomic_inc(&vcc->stats->tx);
25948 + atomic_inc_unchecked(&vcc->stats->tx);
25949
25950 return 0;
25951 }
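Review bot: The switch to `atomic_inc_unchecked(&vcc->stats->tx)` exempts this counter from the overflow detection that plain `atomic_inc` gets under PaX REFCOUNT, and nothing at the call site says why that is acceptable. It looks right for a traffic statistic that may wrap and that, on the visible lines, is never used as a reference count or size, but that should be stated once, e.g. `/* statistics only, wrap is harmless: exempt from REFCOUNT overflow checks */` at the field declaration. The call only compiles if the `stats` members are declared `atomic_unchecked_t`, and every reader has to use `atomic_read_unchecked`; neither is visible in this hunk, so confirm both. The same conversion repeats in the ambassador, atmtcp, eni, firestream, fore200e, he, horizon and idt77252 hunks below. adummy_send's body starts outside the hunk.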
25952 diff -urNp linux-2.6.32.43/drivers/atm/ambassador.c linux-2.6.32.43/drivers/atm/ambassador.c
25953 --- linux-2.6.32.43/drivers/atm/ambassador.c 2011-03-27 14:31:47.000000000 -0400
25954 +++ linux-2.6.32.43/drivers/atm/ambassador.c 2011-04-17 15:56:46.000000000 -0400
25955 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
25956 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
25957
25958 // VC layer stats
25959 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
25960 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
25961
25962 // free the descriptor
25963 kfree (tx_descr);
25964 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
25965 dump_skb ("<<<", vc, skb);
25966
25967 // VC layer stats
25968 - atomic_inc(&atm_vcc->stats->rx);
25969 + atomic_inc_unchecked(&atm_vcc->stats->rx);
25970 __net_timestamp(skb);
25971 // end of our responsability
25972 atm_vcc->push (atm_vcc, skb);
25973 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
25974 } else {
25975 PRINTK (KERN_INFO, "dropped over-size frame");
25976 // should we count this?
25977 - atomic_inc(&atm_vcc->stats->rx_drop);
25978 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
25979 }
25980
25981 } else {
25982 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
25983 }
25984
25985 if (check_area (skb->data, skb->len)) {
25986 - atomic_inc(&atm_vcc->stats->tx_err);
25987 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
25988 return -ENOMEM; // ?
25989 }
25990
25991 diff -urNp linux-2.6.32.43/drivers/atm/atmtcp.c linux-2.6.32.43/drivers/atm/atmtcp.c
25992 --- linux-2.6.32.43/drivers/atm/atmtcp.c 2011-03-27 14:31:47.000000000 -0400
25993 +++ linux-2.6.32.43/drivers/atm/atmtcp.c 2011-04-17 15:56:46.000000000 -0400
25994 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
25995 if (vcc->pop) vcc->pop(vcc,skb);
25996 else dev_kfree_skb(skb);
25997 if (dev_data) return 0;
25998 - atomic_inc(&vcc->stats->tx_err);
25999 + atomic_inc_unchecked(&vcc->stats->tx_err);
26000 return -ENOLINK;
26001 }
26002 size = skb->len+sizeof(struct atmtcp_hdr);
26003 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
26004 if (!new_skb) {
26005 if (vcc->pop) vcc->pop(vcc,skb);
26006 else dev_kfree_skb(skb);
26007 - atomic_inc(&vcc->stats->tx_err);
26008 + atomic_inc_unchecked(&vcc->stats->tx_err);
26009 return -ENOBUFS;
26010 }
26011 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26012 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
26013 if (vcc->pop) vcc->pop(vcc,skb);
26014 else dev_kfree_skb(skb);
26015 out_vcc->push(out_vcc,new_skb);
26016 - atomic_inc(&vcc->stats->tx);
26017 - atomic_inc(&out_vcc->stats->rx);
26018 + atomic_inc_unchecked(&vcc->stats->tx);
26019 + atomic_inc_unchecked(&out_vcc->stats->rx);
26020 return 0;
26021 }
26022
26023 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
26024 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26025 read_unlock(&vcc_sklist_lock);
26026 if (!out_vcc) {
26027 - atomic_inc(&vcc->stats->tx_err);
26028 + atomic_inc_unchecked(&vcc->stats->tx_err);
26029 goto done;
26030 }
26031 skb_pull(skb,sizeof(struct atmtcp_hdr));
26032 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
26033 __net_timestamp(new_skb);
26034 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26035 out_vcc->push(out_vcc,new_skb);
26036 - atomic_inc(&vcc->stats->tx);
26037 - atomic_inc(&out_vcc->stats->rx);
26038 + atomic_inc_unchecked(&vcc->stats->tx);
26039 + atomic_inc_unchecked(&out_vcc->stats->rx);
26040 done:
26041 if (vcc->pop) vcc->pop(vcc,skb);
26042 else dev_kfree_skb(skb);
26043 diff -urNp linux-2.6.32.43/drivers/atm/eni.c linux-2.6.32.43/drivers/atm/eni.c
26044 --- linux-2.6.32.43/drivers/atm/eni.c 2011-03-27 14:31:47.000000000 -0400
26045 +++ linux-2.6.32.43/drivers/atm/eni.c 2011-04-17 15:56:46.000000000 -0400
26046 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26047 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26048 vcc->dev->number);
26049 length = 0;
26050 - atomic_inc(&vcc->stats->rx_err);
26051 + atomic_inc_unchecked(&vcc->stats->rx_err);
26052 }
26053 else {
26054 length = ATM_CELL_SIZE-1; /* no HEC */
26055 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26056 size);
26057 }
26058 eff = length = 0;
26059 - atomic_inc(&vcc->stats->rx_err);
26060 + atomic_inc_unchecked(&vcc->stats->rx_err);
26061 }
26062 else {
26063 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26064 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26065 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26066 vcc->dev->number,vcc->vci,length,size << 2,descr);
26067 length = eff = 0;
26068 - atomic_inc(&vcc->stats->rx_err);
26069 + atomic_inc_unchecked(&vcc->stats->rx_err);
26070 }
26071 }
26072 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26073 @@ -770,7 +770,7 @@ rx_dequeued++;
26074 vcc->push(vcc,skb);
26075 pushed++;
26076 }
26077 - atomic_inc(&vcc->stats->rx);
26078 + atomic_inc_unchecked(&vcc->stats->rx);
26079 }
26080 wake_up(&eni_dev->rx_wait);
26081 }
26082 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
26083 PCI_DMA_TODEVICE);
26084 if (vcc->pop) vcc->pop(vcc,skb);
26085 else dev_kfree_skb_irq(skb);
26086 - atomic_inc(&vcc->stats->tx);
26087 + atomic_inc_unchecked(&vcc->stats->tx);
26088 wake_up(&eni_dev->tx_wait);
26089 dma_complete++;
26090 }
26091 diff -urNp linux-2.6.32.43/drivers/atm/firestream.c linux-2.6.32.43/drivers/atm/firestream.c
26092 --- linux-2.6.32.43/drivers/atm/firestream.c 2011-03-27 14:31:47.000000000 -0400
26093 +++ linux-2.6.32.43/drivers/atm/firestream.c 2011-04-17 15:56:46.000000000 -0400
26094 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
26095 }
26096 }
26097
26098 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26099 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26100
26101 fs_dprintk (FS_DEBUG_TXMEM, "i");
26102 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
26103 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
26104 #endif
26105 skb_put (skb, qe->p1 & 0xffff);
26106 ATM_SKB(skb)->vcc = atm_vcc;
26107 - atomic_inc(&atm_vcc->stats->rx);
26108 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26109 __net_timestamp(skb);
26110 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
26111 atm_vcc->push (atm_vcc, skb);
26112 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
26113 kfree (pe);
26114 }
26115 if (atm_vcc)
26116 - atomic_inc(&atm_vcc->stats->rx_drop);
26117 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26118 break;
26119 case 0x1f: /* Reassembly abort: no buffers. */
26120 /* Silently increment error counter. */
26121 if (atm_vcc)
26122 - atomic_inc(&atm_vcc->stats->rx_drop);
26123 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26124 break;
26125 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
26126 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
26127 diff -urNp linux-2.6.32.43/drivers/atm/fore200e.c linux-2.6.32.43/drivers/atm/fore200e.c
26128 --- linux-2.6.32.43/drivers/atm/fore200e.c 2011-03-27 14:31:47.000000000 -0400
26129 +++ linux-2.6.32.43/drivers/atm/fore200e.c 2011-04-17 15:56:46.000000000 -0400
26130 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
26131 #endif
26132 /* check error condition */
26133 if (*entry->status & STATUS_ERROR)
26134 - atomic_inc(&vcc->stats->tx_err);
26135 + atomic_inc_unchecked(&vcc->stats->tx_err);
26136 else
26137 - atomic_inc(&vcc->stats->tx);
26138 + atomic_inc_unchecked(&vcc->stats->tx);
26139 }
26140 }
26141
26142 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
26143 if (skb == NULL) {
26144 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
26145
26146 - atomic_inc(&vcc->stats->rx_drop);
26147 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26148 return -ENOMEM;
26149 }
26150
26151 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
26152
26153 dev_kfree_skb_any(skb);
26154
26155 - atomic_inc(&vcc->stats->rx_drop);
26156 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26157 return -ENOMEM;
26158 }
26159
26160 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26161
26162 vcc->push(vcc, skb);
26163 - atomic_inc(&vcc->stats->rx);
26164 + atomic_inc_unchecked(&vcc->stats->rx);
26165
26166 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26167
26168 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
26169 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
26170 fore200e->atm_dev->number,
26171 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
26172 - atomic_inc(&vcc->stats->rx_err);
26173 + atomic_inc_unchecked(&vcc->stats->rx_err);
26174 }
26175 }
26176
26177 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
26178 goto retry_here;
26179 }
26180
26181 - atomic_inc(&vcc->stats->tx_err);
26182 + atomic_inc_unchecked(&vcc->stats->tx_err);
26183
26184 fore200e->tx_sat++;
26185 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
26186 diff -urNp linux-2.6.32.43/drivers/atm/he.c linux-2.6.32.43/drivers/atm/he.c
26187 --- linux-2.6.32.43/drivers/atm/he.c 2011-03-27 14:31:47.000000000 -0400
26188 +++ linux-2.6.32.43/drivers/atm/he.c 2011-04-17 15:56:46.000000000 -0400
26189 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26190
26191 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
26192 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
26193 - atomic_inc(&vcc->stats->rx_drop);
26194 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26195 goto return_host_buffers;
26196 }
26197
26198 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26199 RBRQ_LEN_ERR(he_dev->rbrq_head)
26200 ? "LEN_ERR" : "",
26201 vcc->vpi, vcc->vci);
26202 - atomic_inc(&vcc->stats->rx_err);
26203 + atomic_inc_unchecked(&vcc->stats->rx_err);
26204 goto return_host_buffers;
26205 }
26206
26207 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26208 vcc->push(vcc, skb);
26209 spin_lock(&he_dev->global_lock);
26210
26211 - atomic_inc(&vcc->stats->rx);
26212 + atomic_inc_unchecked(&vcc->stats->rx);
26213
26214 return_host_buffers:
26215 ++pdus_assembled;
26216 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
26217 tpd->vcc->pop(tpd->vcc, tpd->skb);
26218 else
26219 dev_kfree_skb_any(tpd->skb);
26220 - atomic_inc(&tpd->vcc->stats->tx_err);
26221 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
26222 }
26223 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
26224 return;
26225 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26226 vcc->pop(vcc, skb);
26227 else
26228 dev_kfree_skb_any(skb);
26229 - atomic_inc(&vcc->stats->tx_err);
26230 + atomic_inc_unchecked(&vcc->stats->tx_err);
26231 return -EINVAL;
26232 }
26233
26234 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26235 vcc->pop(vcc, skb);
26236 else
26237 dev_kfree_skb_any(skb);
26238 - atomic_inc(&vcc->stats->tx_err);
26239 + atomic_inc_unchecked(&vcc->stats->tx_err);
26240 return -EINVAL;
26241 }
26242 #endif
26243 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26244 vcc->pop(vcc, skb);
26245 else
26246 dev_kfree_skb_any(skb);
26247 - atomic_inc(&vcc->stats->tx_err);
26248 + atomic_inc_unchecked(&vcc->stats->tx_err);
26249 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26250 return -ENOMEM;
26251 }
26252 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26253 vcc->pop(vcc, skb);
26254 else
26255 dev_kfree_skb_any(skb);
26256 - atomic_inc(&vcc->stats->tx_err);
26257 + atomic_inc_unchecked(&vcc->stats->tx_err);
26258 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26259 return -ENOMEM;
26260 }
26261 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26262 __enqueue_tpd(he_dev, tpd, cid);
26263 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26264
26265 - atomic_inc(&vcc->stats->tx);
26266 + atomic_inc_unchecked(&vcc->stats->tx);
26267
26268 return 0;
26269 }
26270 diff -urNp linux-2.6.32.43/drivers/atm/horizon.c linux-2.6.32.43/drivers/atm/horizon.c
26271 --- linux-2.6.32.43/drivers/atm/horizon.c 2011-03-27 14:31:47.000000000 -0400
26272 +++ linux-2.6.32.43/drivers/atm/horizon.c 2011-04-17 15:56:46.000000000 -0400
26273 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
26274 {
26275 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
26276 // VC layer stats
26277 - atomic_inc(&vcc->stats->rx);
26278 + atomic_inc_unchecked(&vcc->stats->rx);
26279 __net_timestamp(skb);
26280 // end of our responsability
26281 vcc->push (vcc, skb);
26282 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
26283 dev->tx_iovec = NULL;
26284
26285 // VC layer stats
26286 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26287 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26288
26289 // free the skb
26290 hrz_kfree_skb (skb);
26291 diff -urNp linux-2.6.32.43/drivers/atm/idt77252.c linux-2.6.32.43/drivers/atm/idt77252.c
26292 --- linux-2.6.32.43/drivers/atm/idt77252.c 2011-03-27 14:31:47.000000000 -0400
26293 +++ linux-2.6.32.43/drivers/atm/idt77252.c 2011-04-17 15:56:46.000000000 -0400
26294 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
26295 else
26296 dev_kfree_skb(skb);
26297
26298 - atomic_inc(&vcc->stats->tx);
26299 + atomic_inc_unchecked(&vcc->stats->tx);
26300 }
26301
26302 atomic_dec(&scq->used);
26303 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
26304 if ((sb = dev_alloc_skb(64)) == NULL) {
26305 printk("%s: Can't allocate buffers for aal0.\n",
26306 card->name);
26307 - atomic_add(i, &vcc->stats->rx_drop);
26308 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
26309 break;
26310 }
26311 if (!atm_charge(vcc, sb->truesize)) {
26312 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
26313 card->name);
26314 - atomic_add(i - 1, &vcc->stats->rx_drop);
26315 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
26316 dev_kfree_skb(sb);
26317 break;
26318 }
26319 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
26320 ATM_SKB(sb)->vcc = vcc;
26321 __net_timestamp(sb);
26322 vcc->push(vcc, sb);
26323 - atomic_inc(&vcc->stats->rx);
26324 + atomic_inc_unchecked(&vcc->stats->rx);
26325
26326 cell += ATM_CELL_PAYLOAD;
26327 }
26328 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
26329 "(CDC: %08x)\n",
26330 card->name, len, rpp->len, readl(SAR_REG_CDC));
26331 recycle_rx_pool_skb(card, rpp);
26332 - atomic_inc(&vcc->stats->rx_err);
26333 + atomic_inc_unchecked(&vcc->stats->rx_err);
26334 return;
26335 }
26336 if (stat & SAR_RSQE_CRC) {
26337 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
26338 recycle_rx_pool_skb(card, rpp);
26339 - atomic_inc(&vcc->stats->rx_err);
26340 + atomic_inc_unchecked(&vcc->stats->rx_err);
26341 return;
26342 }
26343 if (skb_queue_len(&rpp->queue) > 1) {
26344 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
26345 RXPRINTK("%s: Can't alloc RX skb.\n",
26346 card->name);
26347 recycle_rx_pool_skb(card, rpp);
26348 - atomic_inc(&vcc->stats->rx_err);
26349 + atomic_inc_unchecked(&vcc->stats->rx_err);
26350 return;
26351 }
26352 if (!atm_charge(vcc, skb->truesize)) {
26353 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
26354 __net_timestamp(skb);
26355
26356 vcc->push(vcc, skb);
26357 - atomic_inc(&vcc->stats->rx);
26358 + atomic_inc_unchecked(&vcc->stats->rx);
26359
26360 return;
26361 }
26362 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
26363 __net_timestamp(skb);
26364
26365 vcc->push(vcc, skb);
26366 - atomic_inc(&vcc->stats->rx);
26367 + atomic_inc_unchecked(&vcc->stats->rx);
26368
26369 if (skb->truesize > SAR_FB_SIZE_3)
26370 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
26371 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
26372 if (vcc->qos.aal != ATM_AAL0) {
26373 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
26374 card->name, vpi, vci);
26375 - atomic_inc(&vcc->stats->rx_drop);
26376 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26377 goto drop;
26378 }
26379
26380 if ((sb = dev_alloc_skb(64)) == NULL) {
26381 printk("%s: Can't allocate buffers for AAL0.\n",
26382 card->name);
26383 - atomic_inc(&vcc->stats->rx_err);
26384 + atomic_inc_unchecked(&vcc->stats->rx_err);
26385 goto drop;
26386 }
26387
26388 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
26389 ATM_SKB(sb)->vcc = vcc;
26390 __net_timestamp(sb);
26391 vcc->push(vcc, sb);
26392 - atomic_inc(&vcc->stats->rx);
26393 + atomic_inc_unchecked(&vcc->stats->rx);
26394
26395 drop:
26396 skb_pull(queue, 64);
26397 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26398
26399 if (vc == NULL) {
26400 printk("%s: NULL connection in send().\n", card->name);
26401 - atomic_inc(&vcc->stats->tx_err);
26402 + atomic_inc_unchecked(&vcc->stats->tx_err);
26403 dev_kfree_skb(skb);
26404 return -EINVAL;
26405 }
26406 if (!test_bit(VCF_TX, &vc->flags)) {
26407 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
26408 - atomic_inc(&vcc->stats->tx_err);
26409 + atomic_inc_unchecked(&vcc->stats->tx_err);
26410 dev_kfree_skb(skb);
26411 return -EINVAL;
26412 }
26413 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26414 break;
26415 default:
26416 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
26417 - atomic_inc(&vcc->stats->tx_err);
26418 + atomic_inc_unchecked(&vcc->stats->tx_err);
26419 dev_kfree_skb(skb);
26420 return -EINVAL;
26421 }
26422
26423 if (skb_shinfo(skb)->nr_frags != 0) {
26424 printk("%s: No scatter-gather yet.\n", card->name);
26425 - atomic_inc(&vcc->stats->tx_err);
26426 + atomic_inc_unchecked(&vcc->stats->tx_err);
26427 dev_kfree_skb(skb);
26428 return -EINVAL;
26429 }
26430 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26431
26432 err = queue_skb(card, vc, skb, oam);
26433 if (err) {
26434 - atomic_inc(&vcc->stats->tx_err);
26435 + atomic_inc_unchecked(&vcc->stats->tx_err);
26436 dev_kfree_skb(skb);
26437 return err;
26438 }
26439 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
26440 skb = dev_alloc_skb(64);
26441 if (!skb) {
26442 printk("%s: Out of memory in send_oam().\n", card->name);
26443 - atomic_inc(&vcc->stats->tx_err);
26444 + atomic_inc_unchecked(&vcc->stats->tx_err);
26445 return -ENOMEM;
26446 }
26447 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
26448 diff -urNp linux-2.6.32.43/drivers/atm/iphase.c linux-2.6.32.43/drivers/atm/iphase.c
26449 --- linux-2.6.32.43/drivers/atm/iphase.c 2011-03-27 14:31:47.000000000 -0400
26450 +++ linux-2.6.32.43/drivers/atm/iphase.c 2011-04-17 15:56:46.000000000 -0400
26451 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
26452 status = (u_short) (buf_desc_ptr->desc_mode);
26453 if (status & (RX_CER | RX_PTE | RX_OFL))
26454 {
26455 - atomic_inc(&vcc->stats->rx_err);
26456 + atomic_inc_unchecked(&vcc->stats->rx_err);
26457 IF_ERR(printk("IA: bad packet, dropping it");)
26458 if (status & RX_CER) {
26459 IF_ERR(printk(" cause: packet CRC error\n");)
26460 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
26461 len = dma_addr - buf_addr;
26462 if (len > iadev->rx_buf_sz) {
26463 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
26464 - atomic_inc(&vcc->stats->rx_err);
26465 + atomic_inc_unchecked(&vcc->stats->rx_err);
26466 goto out_free_desc;
26467 }
26468
26469 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
26470 ia_vcc = INPH_IA_VCC(vcc);
26471 if (ia_vcc == NULL)
26472 {
26473 - atomic_inc(&vcc->stats->rx_err);
26474 + atomic_inc_unchecked(&vcc->stats->rx_err);
26475 dev_kfree_skb_any(skb);
26476 atm_return(vcc, atm_guess_pdu2truesize(len));
26477 goto INCR_DLE;
26478 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
26479 if ((length > iadev->rx_buf_sz) || (length >
26480 (skb->len - sizeof(struct cpcs_trailer))))
26481 {
26482 - atomic_inc(&vcc->stats->rx_err);
26483 + atomic_inc_unchecked(&vcc->stats->rx_err);
26484 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
26485 length, skb->len);)
26486 dev_kfree_skb_any(skb);
26487 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
26488
26489 IF_RX(printk("rx_dle_intr: skb push");)
26490 vcc->push(vcc,skb);
26491 - atomic_inc(&vcc->stats->rx);
26492 + atomic_inc_unchecked(&vcc->stats->rx);
26493 iadev->rx_pkt_cnt++;
26494 }
26495 INCR_DLE:
26496 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
26497 {
26498 struct k_sonet_stats *stats;
26499 stats = &PRIV(_ia_dev[board])->sonet_stats;
26500 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
26501 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
26502 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
26503 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
26504 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
26505 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
26506 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
26507 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
26508 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
26509 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
26510 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
26511 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
26512 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
26513 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
26514 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
26515 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
26516 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
26517 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
26518 }
26519 ia_cmds.status = 0;
26520 break;
26521 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
26522 if ((desc == 0) || (desc > iadev->num_tx_desc))
26523 {
26524 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
26525 - atomic_inc(&vcc->stats->tx);
26526 + atomic_inc_unchecked(&vcc->stats->tx);
26527 if (vcc->pop)
26528 vcc->pop(vcc, skb);
26529 else
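Review bot: The rejected-descriptor branch in `ia_pkt_tx` still bumps the success counter: `atomic_inc_unchecked(&vcc->stats->tx);` sits directly under the "invalid desc for send" message. The other drivers in this patch count failed sends in `tx_err` (for example `he_send` and `ns_send`), so this line should probably read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The patch only carries the original counter choice over, so this may be better handled as a separate fix. The rest of the branch lies outside the hunk.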
26530 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
26531 ATM_DESC(skb) = vcc->vci;
26532 skb_queue_tail(&iadev->tx_dma_q, skb);
26533
26534 - atomic_inc(&vcc->stats->tx);
26535 + atomic_inc_unchecked(&vcc->stats->tx);
26536 iadev->tx_pkt_cnt++;
26537 /* Increment transaction counter */
26538 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
26539
26540 #if 0
26541 /* add flow control logic */
26542 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
26543 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
26544 if (iavcc->vc_desc_cnt > 10) {
26545 vcc->tx_quota = vcc->tx_quota * 3 / 4;
26546 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
26547 diff -urNp linux-2.6.32.43/drivers/atm/lanai.c linux-2.6.32.43/drivers/atm/lanai.c
26548 --- linux-2.6.32.43/drivers/atm/lanai.c 2011-03-27 14:31:47.000000000 -0400
26549 +++ linux-2.6.32.43/drivers/atm/lanai.c 2011-04-17 15:56:46.000000000 -0400
26550 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
26551 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
26552 lanai_endtx(lanai, lvcc);
26553 lanai_free_skb(lvcc->tx.atmvcc, skb);
26554 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
26555 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
26556 }
26557
26558 /* Try to fill the buffer - don't call unless there is backlog */
26559 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
26560 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
26561 __net_timestamp(skb);
26562 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
26563 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
26564 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
26565 out:
26566 lvcc->rx.buf.ptr = end;
26567 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
26568 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
26569 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
26570 "vcc %d\n", lanai->number, (unsigned int) s, vci);
26571 lanai->stats.service_rxnotaal5++;
26572 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26573 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26574 return 0;
26575 }
26576 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
26577 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
26578 int bytes;
26579 read_unlock(&vcc_sklist_lock);
26580 DPRINTK("got trashed rx pdu on vci %d\n", vci);
26581 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26582 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26583 lvcc->stats.x.aal5.service_trash++;
26584 bytes = (SERVICE_GET_END(s) * 16) -
26585 (((unsigned long) lvcc->rx.buf.ptr) -
26586 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
26587 }
26588 if (s & SERVICE_STREAM) {
26589 read_unlock(&vcc_sklist_lock);
26590 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26591 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26592 lvcc->stats.x.aal5.service_stream++;
26593 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
26594 "PDU on VCI %d!\n", lanai->number, vci);
26595 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
26596 return 0;
26597 }
26598 DPRINTK("got rx crc error on vci %d\n", vci);
26599 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26600 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26601 lvcc->stats.x.aal5.service_rxcrc++;
26602 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
26603 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
26604 diff -urNp linux-2.6.32.43/drivers/atm/nicstar.c linux-2.6.32.43/drivers/atm/nicstar.c
26605 --- linux-2.6.32.43/drivers/atm/nicstar.c 2011-03-27 14:31:47.000000000 -0400
26606 +++ linux-2.6.32.43/drivers/atm/nicstar.c 2011-04-17 15:56:46.000000000 -0400
26607 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
26608 if ((vc = (vc_map *) vcc->dev_data) == NULL)
26609 {
26610 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
26611 - atomic_inc(&vcc->stats->tx_err);
26612 + atomic_inc_unchecked(&vcc->stats->tx_err);
26613 dev_kfree_skb_any(skb);
26614 return -EINVAL;
26615 }
26616 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
26617 if (!vc->tx)
26618 {
26619 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
26620 - atomic_inc(&vcc->stats->tx_err);
26621 + atomic_inc_unchecked(&vcc->stats->tx_err);
26622 dev_kfree_skb_any(skb);
26623 return -EINVAL;
26624 }
26625 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
26626 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
26627 {
26628 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
26629 - atomic_inc(&vcc->stats->tx_err);
26630 + atomic_inc_unchecked(&vcc->stats->tx_err);
26631 dev_kfree_skb_any(skb);
26632 return -EINVAL;
26633 }
26634 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
26635 if (skb_shinfo(skb)->nr_frags != 0)
26636 {
26637 printk("nicstar%d: No scatter-gather yet.\n", card->index);
26638 - atomic_inc(&vcc->stats->tx_err);
26639 + atomic_inc_unchecked(&vcc->stats->tx_err);
26640 dev_kfree_skb_any(skb);
26641 return -EINVAL;
26642 }
26643 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
26644
26645 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
26646 {
26647 - atomic_inc(&vcc->stats->tx_err);
26648 + atomic_inc_unchecked(&vcc->stats->tx_err);
26649 dev_kfree_skb_any(skb);
26650 return -EIO;
26651 }
26652 - atomic_inc(&vcc->stats->tx);
26653 + atomic_inc_unchecked(&vcc->stats->tx);
26654
26655 return 0;
26656 }
26657 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
26658 {
26659 printk("nicstar%d: Can't allocate buffers for aal0.\n",
26660 card->index);
26661 - atomic_add(i,&vcc->stats->rx_drop);
26662 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
26663 break;
26664 }
26665 if (!atm_charge(vcc, sb->truesize))
26666 {
26667 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
26668 card->index);
26669 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
26670 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
26671 dev_kfree_skb_any(sb);
26672 break;
26673 }
26674 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
26675 ATM_SKB(sb)->vcc = vcc;
26676 __net_timestamp(sb);
26677 vcc->push(vcc, sb);
26678 - atomic_inc(&vcc->stats->rx);
26679 + atomic_inc_unchecked(&vcc->stats->rx);
26680 cell += ATM_CELL_PAYLOAD;
26681 }
26682
26683 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
26684 if (iovb == NULL)
26685 {
26686 printk("nicstar%d: Out of iovec buffers.\n", card->index);
26687 - atomic_inc(&vcc->stats->rx_drop);
26688 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26689 recycle_rx_buf(card, skb);
26690 return;
26691 }
26692 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
26693 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
26694 {
26695 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
26696 - atomic_inc(&vcc->stats->rx_err);
26697 + atomic_inc_unchecked(&vcc->stats->rx_err);
26698 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
26699 NS_SKB(iovb)->iovcnt = 0;
26700 iovb->len = 0;
26701 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
26702 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
26703 card->index);
26704 which_list(card, skb);
26705 - atomic_inc(&vcc->stats->rx_err);
26706 + atomic_inc_unchecked(&vcc->stats->rx_err);
26707 recycle_rx_buf(card, skb);
26708 vc->rx_iov = NULL;
26709 recycle_iov_buf(card, iovb);
26710 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
26711 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
26712 card->index);
26713 which_list(card, skb);
26714 - atomic_inc(&vcc->stats->rx_err);
26715 + atomic_inc_unchecked(&vcc->stats->rx_err);
26716 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
26717 NS_SKB(iovb)->iovcnt);
26718 vc->rx_iov = NULL;
26719 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
26720 printk(" - PDU size mismatch.\n");
26721 else
26722 printk(".\n");
26723 - atomic_inc(&vcc->stats->rx_err);
26724 + atomic_inc_unchecked(&vcc->stats->rx_err);
26725 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
26726 NS_SKB(iovb)->iovcnt);
26727 vc->rx_iov = NULL;
26728 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
26729 if (!atm_charge(vcc, skb->truesize))
26730 {
26731 push_rxbufs(card, skb);
26732 - atomic_inc(&vcc->stats->rx_drop);
26733 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26734 }
26735 else
26736 {
26737 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
26738 ATM_SKB(skb)->vcc = vcc;
26739 __net_timestamp(skb);
26740 vcc->push(vcc, skb);
26741 - atomic_inc(&vcc->stats->rx);
26742 + atomic_inc_unchecked(&vcc->stats->rx);
26743 }
26744 }
26745 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
26746 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
26747 if (!atm_charge(vcc, sb->truesize))
26748 {
26749 push_rxbufs(card, sb);
26750 - atomic_inc(&vcc->stats->rx_drop);
26751 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26752 }
26753 else
26754 {
26755 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
26756 ATM_SKB(sb)->vcc = vcc;
26757 __net_timestamp(sb);
26758 vcc->push(vcc, sb);
26759 - atomic_inc(&vcc->stats->rx);
26760 + atomic_inc_unchecked(&vcc->stats->rx);
26761 }
26762
26763 push_rxbufs(card, skb);
26764 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
26765 if (!atm_charge(vcc, skb->truesize))
26766 {
26767 push_rxbufs(card, skb);
26768 - atomic_inc(&vcc->stats->rx_drop);
26769 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26770 }
26771 else
26772 {
26773 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
26774 ATM_SKB(skb)->vcc = vcc;
26775 __net_timestamp(skb);
26776 vcc->push(vcc, skb);
26777 - atomic_inc(&vcc->stats->rx);
26778 + atomic_inc_unchecked(&vcc->stats->rx);
26779 }
26780
26781 push_rxbufs(card, sb);
26782 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
26783 if (hb == NULL)
26784 {
26785 printk("nicstar%d: Out of huge buffers.\n", card->index);
26786 - atomic_inc(&vcc->stats->rx_drop);
26787 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26788 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
26789 NS_SKB(iovb)->iovcnt);
26790 vc->rx_iov = NULL;
26791 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
26792 }
26793 else
26794 dev_kfree_skb_any(hb);
26795 - atomic_inc(&vcc->stats->rx_drop);
26796 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26797 }
26798 else
26799 {
26800 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
26801 #endif /* NS_USE_DESTRUCTORS */
26802 __net_timestamp(hb);
26803 vcc->push(vcc, hb);
26804 - atomic_inc(&vcc->stats->rx);
26805 + atomic_inc_unchecked(&vcc->stats->rx);
26806 }
26807 }
26808
26809 diff -urNp linux-2.6.32.43/drivers/atm/solos-pci.c linux-2.6.32.43/drivers/atm/solos-pci.c
26810 --- linux-2.6.32.43/drivers/atm/solos-pci.c 2011-04-17 17:00:52.000000000 -0400
26811 +++ linux-2.6.32.43/drivers/atm/solos-pci.c 2011-05-16 21:46:57.000000000 -0400
26812 @@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
26813 }
26814 atm_charge(vcc, skb->truesize);
26815 vcc->push(vcc, skb);
26816 - atomic_inc(&vcc->stats->rx);
26817 + atomic_inc_unchecked(&vcc->stats->rx);
26818 break;
26819
26820 case PKT_STATUS:
26821 @@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
26822 char msg[500];
26823 char item[10];
26824
26825 + pax_track_stack();
26826 +
26827 len = buf->len;
26828 for (i = 0; i < len; i++){
26829 if(i % 8 == 0)
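Review bot: The added `pax_track_stack();` in `print_buffer` has no comment tying it to the `char msg[500]` frame it is presumably there for. A line such as `/* large on-stack buffer: let PaX record the stack depth used here */` above the call would keep it from being dropped as dead code in a later cleanup. The loop runs to `buf->len` while `msg` is fixed at 500 bytes; how `item` is appended to `msg` is outside the hunk, so whether that copy is bounded cannot be judged from here and is worth checking.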
26830 @@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
26831 vcc = SKB_CB(oldskb)->vcc;
26832
26833 if (vcc) {
26834 - atomic_inc(&vcc->stats->tx);
26835 + atomic_inc_unchecked(&vcc->stats->tx);
26836 solos_pop(vcc, oldskb);
26837 } else
26838 dev_kfree_skb_irq(oldskb);
26839 diff -urNp linux-2.6.32.43/drivers/atm/suni.c linux-2.6.32.43/drivers/atm/suni.c
26840 --- linux-2.6.32.43/drivers/atm/suni.c 2011-03-27 14:31:47.000000000 -0400
26841 +++ linux-2.6.32.43/drivers/atm/suni.c 2011-04-17 15:56:46.000000000 -0400
26842 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
26843
26844
26845 #define ADD_LIMITED(s,v) \
26846 - atomic_add((v),&stats->s); \
26847 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
26848 + atomic_add_unchecked((v),&stats->s); \
26849 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
26850
26851
26852 static void suni_hz(unsigned long from_timer)
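Review bot: `ADD_LIMITED` expands to two separate statements, so as the body of an unbraced `if` or `for` only the `atomic_add_unchecked` would be governed by it; the uPD98402.c version of the same macro at least wraps its body in braces. Opening the macro with `do { \` and closing it with `} while (0)` removes that hazard, assuming the call sites end in a semicolon (they are outside the hunk). The macro adds first and clamps to `INT_MAX` only after the value has gone negative, which is presumably why it needs the unchecked operations; a comment like `/* wraps on purpose, then saturates at INT_MAX */` would record that. The read-then-set pair is also not a single atomic step, so a concurrent update between the two could be lost, which matters little for a statistic.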
26853 diff -urNp linux-2.6.32.43/drivers/atm/uPD98402.c linux-2.6.32.43/drivers/atm/uPD98402.c
26854 --- linux-2.6.32.43/drivers/atm/uPD98402.c 2011-03-27 14:31:47.000000000 -0400
26855 +++ linux-2.6.32.43/drivers/atm/uPD98402.c 2011-04-17 15:56:46.000000000 -0400
26856 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
26857 struct sonet_stats tmp;
26858 int error = 0;
26859
26860 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
26861 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
26862 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
26863 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
26864 if (zero && !error) {
26865 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
26866
26867
26868 #define ADD_LIMITED(s,v) \
26869 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
26870 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
26871 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
26872 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
26873 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
26874 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
26875
26876
26877 static void stat_event(struct atm_dev *dev)
26878 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
26879 if (reason & uPD98402_INT_PFM) stat_event(dev);
26880 if (reason & uPD98402_INT_PCO) {
26881 (void) GET(PCOCR); /* clear interrupt cause */
26882 - atomic_add(GET(HECCT),
26883 + atomic_add_unchecked(GET(HECCT),
26884 &PRIV(dev)->sonet_stats.uncorr_hcs);
26885 }
26886 if ((reason & uPD98402_INT_RFO) &&
26887 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
26888 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
26889 uPD98402_INT_LOS),PIMR); /* enable them */
26890 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
26891 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
26892 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
26893 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
26894 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
26895 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
26896 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
26897 return 0;
26898 }
26899
26900 diff -urNp linux-2.6.32.43/drivers/atm/zatm.c linux-2.6.32.43/drivers/atm/zatm.c
26901 --- linux-2.6.32.43/drivers/atm/zatm.c 2011-03-27 14:31:47.000000000 -0400
26902 +++ linux-2.6.32.43/drivers/atm/zatm.c 2011-04-17 15:56:46.000000000 -0400
26903 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
26904 }
26905 if (!size) {
26906 dev_kfree_skb_irq(skb);
26907 - if (vcc) atomic_inc(&vcc->stats->rx_err);
26908 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
26909 continue;
26910 }
26911 if (!atm_charge(vcc,skb->truesize)) {
26912 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
26913 skb->len = size;
26914 ATM_SKB(skb)->vcc = vcc;
26915 vcc->push(vcc,skb);
26916 - atomic_inc(&vcc->stats->rx);
26917 + atomic_inc_unchecked(&vcc->stats->rx);
26918 }
26919 zout(pos & 0xffff,MTA(mbx));
26920 #if 0 /* probably a stupid idea */
26921 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
26922 skb_queue_head(&zatm_vcc->backlog,skb);
26923 break;
26924 }
26925 - atomic_inc(&vcc->stats->tx);
26926 + atomic_inc_unchecked(&vcc->stats->tx);
26927 wake_up(&zatm_vcc->tx_wait);
26928 }
26929
26930 diff -urNp linux-2.6.32.43/drivers/base/bus.c linux-2.6.32.43/drivers/base/bus.c
26931 --- linux-2.6.32.43/drivers/base/bus.c 2011-03-27 14:31:47.000000000 -0400
26932 +++ linux-2.6.32.43/drivers/base/bus.c 2011-04-17 15:56:46.000000000 -0400
26933 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
26934 return ret;
26935 }
26936
26937 -static struct sysfs_ops driver_sysfs_ops = {
26938 +static const struct sysfs_ops driver_sysfs_ops = {
26939 .show = drv_attr_show,
26940 .store = drv_attr_store,
26941 };
26942 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
26943 return ret;
26944 }
26945
26946 -static struct sysfs_ops bus_sysfs_ops = {
26947 +static const struct sysfs_ops bus_sysfs_ops = {
26948 .show = bus_attr_show,
26949 .store = bus_attr_store,
26950 };
26951 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
26952 return 0;
26953 }
26954
26955 -static struct kset_uevent_ops bus_uevent_ops = {
26956 +static const struct kset_uevent_ops bus_uevent_ops = {
26957 .filter = bus_uevent_filter,
26958 };
26959
26960 diff -urNp linux-2.6.32.43/drivers/base/class.c linux-2.6.32.43/drivers/base/class.c
26961 --- linux-2.6.32.43/drivers/base/class.c 2011-03-27 14:31:47.000000000 -0400
26962 +++ linux-2.6.32.43/drivers/base/class.c 2011-04-17 15:56:46.000000000 -0400
26963 @@ -63,7 +63,7 @@ static void class_release(struct kobject
26964 kfree(cp);
26965 }
26966
26967 -static struct sysfs_ops class_sysfs_ops = {
26968 +static const struct sysfs_ops class_sysfs_ops = {
26969 .show = class_attr_show,
26970 .store = class_attr_store,
26971 };
26972 diff -urNp linux-2.6.32.43/drivers/base/core.c linux-2.6.32.43/drivers/base/core.c
26973 --- linux-2.6.32.43/drivers/base/core.c 2011-03-27 14:31:47.000000000 -0400
26974 +++ linux-2.6.32.43/drivers/base/core.c 2011-04-17 15:56:46.000000000 -0400
26975 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
26976 return ret;
26977 }
26978
26979 -static struct sysfs_ops dev_sysfs_ops = {
26980 +static const struct sysfs_ops dev_sysfs_ops = {
26981 .show = dev_attr_show,
26982 .store = dev_attr_store,
26983 };
26984 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
26985 return retval;
26986 }
26987
26988 -static struct kset_uevent_ops device_uevent_ops = {
26989 +static const struct kset_uevent_ops device_uevent_ops = {
26990 .filter = dev_uevent_filter,
26991 .name = dev_uevent_name,
26992 .uevent = dev_uevent,
26993 diff -urNp linux-2.6.32.43/drivers/base/memory.c linux-2.6.32.43/drivers/base/memory.c
26994 --- linux-2.6.32.43/drivers/base/memory.c 2011-03-27 14:31:47.000000000 -0400
26995 +++ linux-2.6.32.43/drivers/base/memory.c 2011-04-17 15:56:46.000000000 -0400
26996 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
26997 return retval;
26998 }
26999
27000 -static struct kset_uevent_ops memory_uevent_ops = {
27001 +static const struct kset_uevent_ops memory_uevent_ops = {
27002 .name = memory_uevent_name,
27003 .uevent = memory_uevent,
27004 };
27005 diff -urNp linux-2.6.32.43/drivers/base/sys.c linux-2.6.32.43/drivers/base/sys.c
27006 --- linux-2.6.32.43/drivers/base/sys.c 2011-03-27 14:31:47.000000000 -0400
27007 +++ linux-2.6.32.43/drivers/base/sys.c 2011-04-17 15:56:46.000000000 -0400
27008 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
27009 return -EIO;
27010 }
27011
27012 -static struct sysfs_ops sysfs_ops = {
27013 +static const struct sysfs_ops sysfs_ops = {
27014 .show = sysdev_show,
27015 .store = sysdev_store,
27016 };
27017 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
27018 return -EIO;
27019 }
27020
27021 -static struct sysfs_ops sysfs_class_ops = {
27022 +static const struct sysfs_ops sysfs_class_ops = {
27023 .show = sysdev_class_show,
27024 .store = sysdev_class_store,
27025 };
27026 diff -urNp linux-2.6.32.43/drivers/block/cciss.c linux-2.6.32.43/drivers/block/cciss.c
27027 --- linux-2.6.32.43/drivers/block/cciss.c 2011-03-27 14:31:47.000000000 -0400
27028 +++ linux-2.6.32.43/drivers/block/cciss.c 2011-08-05 20:33:55.000000000 -0400
27029 @@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
27030 int err;
27031 u32 cp;
27032
27033 + memset(&arg64, 0, sizeof(arg64));
27034 +
27035 err = 0;
27036 err |=
27037 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
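Review bot: The new `memset(&arg64, 0, sizeof(arg64));` in `cciss_ioctl32_passthru` carries no comment saying what it protects against. `arg64` appears to be a local structure filled field by field from `arg32`, so without the clear any padding or member the conversion does not write would keep stale kernel stack bytes; where `arg64` goes afterwards is outside the hunk, but if it is copied out to user memory those bytes would go with it. I would add `/* clear padding and unset members so no stale stack bytes leave the kernel */` above the call. The function starts and ends outside the hunk.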
27038 @@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
27039 /* Wait (up to 20 seconds) for a command to complete */
27040
27041 for (i = 20 * HZ; i > 0; i--) {
27042 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
27043 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
27044 if (done == FIFO_EMPTY)
27045 schedule_timeout_uninterruptible(1);
27046 else
27047 @@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
27048 resend_cmd1:
27049
27050 /* Disable interrupt on the board. */
27051 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
27052 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
27053
27054 /* Make sure there is room in the command FIFO */
27055 /* Actually it should be completely empty at this time */
27056 @@ -2884,13 +2886,13 @@ resend_cmd1:
27057 /* tape side of the driver. */
27058 for (i = 200000; i > 0; i--) {
27059 /* if fifo isn't full go */
27060 - if (!(h->access.fifo_full(h)))
27061 + if (!(h->access->fifo_full(h)))
27062 break;
27063 udelay(10);
27064 printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
27065 " waiting!\n", h->ctlr);
27066 }
27067 - h->access.submit_command(h, c); /* Send the cmd */
27068 + h->access->submit_command(h, c); /* Send the cmd */
27069 do {
27070 complete = pollcomplete(h->ctlr);
27071
27072 @@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
27073 while (!hlist_empty(&h->reqQ)) {
27074 c = hlist_entry(h->reqQ.first, CommandList_struct, list);
27075 /* can't do anything if fifo is full */
27076 - if ((h->access.fifo_full(h))) {
27077 + if ((h->access->fifo_full(h))) {
27078 printk(KERN_WARNING "cciss: fifo full\n");
27079 break;
27080 }
27081 @@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
27082 h->Qdepth--;
27083
27084 /* Tell the controller execute command */
27085 - h->access.submit_command(h, c);
27086 + h->access->submit_command(h, c);
27087
27088 /* Put job onto the completed Q */
27089 addQ(&h->cmpQ, c);
27090 @@ -3393,17 +3395,17 @@ startio:
27091
27092 static inline unsigned long get_next_completion(ctlr_info_t *h)
27093 {
27094 - return h->access.command_completed(h);
27095 + return h->access->command_completed(h);
27096 }
27097
27098 static inline int interrupt_pending(ctlr_info_t *h)
27099 {
27100 - return h->access.intr_pending(h);
27101 + return h->access->intr_pending(h);
27102 }
27103
27104 static inline long interrupt_not_for_us(ctlr_info_t *h)
27105 {
27106 - return (((h->access.intr_pending(h) == 0) ||
27107 + return (((h->access->intr_pending(h) == 0) ||
27108 (h->interrupts_enabled == 0)));
27109 }
27110
27111 @@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
27112 */
27113 c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
27114 c->product_name = products[prod_index].product_name;
27115 - c->access = *(products[prod_index].access);
27116 + c->access = products[prod_index].access;
27117 c->nr_cmds = c->max_commands - 4;
27118 if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
27119 (readb(&c->cfgtable->Signature[1]) != 'I') ||
27120 @@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
27121 }
27122
27123 /* make sure the board interrupts are off */
27124 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
27125 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
27126 if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
27127 IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
27128 printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
27129 @@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
27130 cciss_scsi_setup(i);
27131
27132 /* Turn the interrupts on so we can service requests */
27133 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
27134 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
27135
27136 /* Get the firmware version */
27137 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
27138 diff -urNp linux-2.6.32.43/drivers/block/cciss.h linux-2.6.32.43/drivers/block/cciss.h
27139 --- linux-2.6.32.43/drivers/block/cciss.h 2011-04-17 17:00:52.000000000 -0400
27140 +++ linux-2.6.32.43/drivers/block/cciss.h 2011-08-05 20:33:55.000000000 -0400
27141 @@ -90,7 +90,7 @@ struct ctlr_info
27142 // information about each logical volume
27143 drive_info_struct *drv[CISS_MAX_LUN];
27144
27145 - struct access_method access;
27146 + struct access_method *access;
27147
27148 /* queue and queue Info */
27149 struct hlist_head reqQ;
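Review bot: `struct access_method *access;` is a pointer to mutable data, so nothing stops a later write through `h->access` from altering the shared `products[]` entry that every controller of that type now points at. Declaring it `const struct access_method *access;` would let the compiler reject such writes and allow the method tables to live in read-only data. Whether the tables themselves are already const is not visible here. The matching field in cpqarray.h gets the same non-const declaration.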
27150 diff -urNp linux-2.6.32.43/drivers/block/cpqarray.c linux-2.6.32.43/drivers/block/cpqarray.c
27151 --- linux-2.6.32.43/drivers/block/cpqarray.c 2011-03-27 14:31:47.000000000 -0400
27152 +++ linux-2.6.32.43/drivers/block/cpqarray.c 2011-08-05 20:33:55.000000000 -0400
27153 @@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
27154 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
27155 goto Enomem4;
27156 }
27157 - hba[i]->access.set_intr_mask(hba[i], 0);
27158 + hba[i]->access->set_intr_mask(hba[i], 0);
27159 if (request_irq(hba[i]->intr, do_ida_intr,
27160 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
27161 {
27162 @@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
27163 add_timer(&hba[i]->timer);
27164
27165 /* Enable IRQ now that spinlock and rate limit timer are set up */
27166 - hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
27167 + hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
27168
27169 for(j=0; j<NWD; j++) {
27170 struct gendisk *disk = ida_gendisk[i][j];
27171 @@ -695,7 +695,7 @@ DBGINFO(
27172 for(i=0; i<NR_PRODUCTS; i++) {
27173 if (board_id == products[i].board_id) {
27174 c->product_name = products[i].product_name;
27175 - c->access = *(products[i].access);
27176 + c->access = products[i].access;
27177 break;
27178 }
27179 }
27180 @@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
27181 hba[ctlr]->intr = intr;
27182 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
27183 hba[ctlr]->product_name = products[j].product_name;
27184 - hba[ctlr]->access = *(products[j].access);
27185 + hba[ctlr]->access = products[j].access;
27186 hba[ctlr]->ctlr = ctlr;
27187 hba[ctlr]->board_id = board_id;
27188 hba[ctlr]->pci_dev = NULL; /* not PCI */
27189 @@ -896,6 +896,8 @@ static void do_ida_request(struct reques
27190 struct scatterlist tmp_sg[SG_MAX];
27191 int i, dir, seg;
27192
27193 + pax_track_stack();
27194 +
27195 if (blk_queue_plugged(q))
27196 goto startio;
27197
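Review bot: The bare `pax_track_stack();` call has no comment explaining why this function in particular needs it, which makes it hard to tell later whether the call is still required. Presumably it is there because of the on-stack `tmp_sg[SG_MAX]` array declared just above; a short comment like `/* large stack frame (tmp_sg): record stack depth for PaX */` would say so. The same undocumented call is added in the DAC960.c, nbd.c, ipmi_msghandler.c and istallion.c hunks. do_ida_request continues outside this hunk.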
27198 @@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
27199
27200 while((c = h->reqQ) != NULL) {
27201 /* Can't do anything if we're busy */
27202 - if (h->access.fifo_full(h) == 0)
27203 + if (h->access->fifo_full(h) == 0)
27204 return;
27205
27206 /* Get the first entry from the request Q */
27207 @@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
27208 h->Qdepth--;
27209
27210 /* Tell the controller to do our bidding */
27211 - h->access.submit_command(h, c);
27212 + h->access->submit_command(h, c);
27213
27214 /* Get onto the completion Q */
27215 addQ(&h->cmpQ, c);
27216 @@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
27217 unsigned long flags;
27218 __u32 a,a1;
27219
27220 - istat = h->access.intr_pending(h);
27221 + istat = h->access->intr_pending(h);
27222 /* Is this interrupt for us? */
27223 if (istat == 0)
27224 return IRQ_NONE;
27225 @@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
27226 */
27227 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
27228 if (istat & FIFO_NOT_EMPTY) {
27229 - while((a = h->access.command_completed(h))) {
27230 + while((a = h->access->command_completed(h))) {
27231 a1 = a; a &= ~3;
27232 if ((c = h->cmpQ) == NULL)
27233 {
27234 @@ -1434,11 +1436,11 @@ static int sendcmd(
27235 /*
27236 * Disable interrupt
27237 */
27238 - info_p->access.set_intr_mask(info_p, 0);
27239 + info_p->access->set_intr_mask(info_p, 0);
27240 /* Make sure there is room in the command FIFO */
27241 /* Actually it should be completely empty at this time. */
27242 for (i = 200000; i > 0; i--) {
27243 - temp = info_p->access.fifo_full(info_p);
27244 + temp = info_p->access->fifo_full(info_p);
27245 if (temp != 0) {
27246 break;
27247 }
27248 @@ -1451,7 +1453,7 @@ DBG(
27249 /*
27250 * Send the cmd
27251 */
27252 - info_p->access.submit_command(info_p, c);
27253 + info_p->access->submit_command(info_p, c);
27254 complete = pollcomplete(ctlr);
27255
27256 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
27257 @@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
27258 * we check the new geometry. Then turn interrupts back on when
27259 * we're done.
27260 */
27261 - host->access.set_intr_mask(host, 0);
27262 + host->access->set_intr_mask(host, 0);
27263 getgeometry(ctlr);
27264 - host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
27265 + host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
27266
27267 for(i=0; i<NWD; i++) {
27268 struct gendisk *disk = ida_gendisk[ctlr][i];
27269 @@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
27270 /* Wait (up to 2 seconds) for a command to complete */
27271
27272 for (i = 200000; i > 0; i--) {
27273 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
27274 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
27275 if (done == 0) {
27276 udelay(10); /* a short fixed delay */
27277 } else
27278 diff -urNp linux-2.6.32.43/drivers/block/cpqarray.h linux-2.6.32.43/drivers/block/cpqarray.h
27279 --- linux-2.6.32.43/drivers/block/cpqarray.h 2011-03-27 14:31:47.000000000 -0400
27280 +++ linux-2.6.32.43/drivers/block/cpqarray.h 2011-08-05 20:33:55.000000000 -0400
27281 @@ -99,7 +99,7 @@ struct ctlr_info {
27282 drv_info_t drv[NWD];
27283 struct proc_dir_entry *proc;
27284
27285 - struct access_method access;
27286 + struct access_method *access;
27287
27288 cmdlist_t *reqQ;
27289 cmdlist_t *cmpQ;
27290 diff -urNp linux-2.6.32.43/drivers/block/DAC960.c linux-2.6.32.43/drivers/block/DAC960.c
27291 --- linux-2.6.32.43/drivers/block/DAC960.c 2011-03-27 14:31:47.000000000 -0400
27292 +++ linux-2.6.32.43/drivers/block/DAC960.c 2011-05-16 21:46:57.000000000 -0400
27293 @@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27294 unsigned long flags;
27295 int Channel, TargetID;
27296
27297 + pax_track_stack();
27298 +
27299 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
27300 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
27301 sizeof(DAC960_SCSI_Inquiry_T) +
27302 diff -urNp linux-2.6.32.43/drivers/block/nbd.c linux-2.6.32.43/drivers/block/nbd.c
27303 --- linux-2.6.32.43/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
27304 +++ linux-2.6.32.43/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
27305 @@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
27306 struct kvec iov;
27307 sigset_t blocked, oldset;
27308
27309 + pax_track_stack();
27310 +
27311 if (unlikely(!sock)) {
27312 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
27313 lo->disk->disk_name, (send ? "send" : "recv"));
27314 @@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
27315 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
27316 unsigned int cmd, unsigned long arg)
27317 {
27318 + pax_track_stack();
27319 +
27320 switch (cmd) {
27321 case NBD_DISCONNECT: {
27322 struct request sreq;
27323 diff -urNp linux-2.6.32.43/drivers/block/pktcdvd.c linux-2.6.32.43/drivers/block/pktcdvd.c
27324 --- linux-2.6.32.43/drivers/block/pktcdvd.c 2011-03-27 14:31:47.000000000 -0400
27325 +++ linux-2.6.32.43/drivers/block/pktcdvd.c 2011-04-17 15:56:46.000000000 -0400
27326 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
27327 return len;
27328 }
27329
27330 -static struct sysfs_ops kobj_pkt_ops = {
27331 +static const struct sysfs_ops kobj_pkt_ops = {
27332 .show = kobj_pkt_show,
27333 .store = kobj_pkt_store
27334 };
27335 diff -urNp linux-2.6.32.43/drivers/char/agp/frontend.c linux-2.6.32.43/drivers/char/agp/frontend.c
27336 --- linux-2.6.32.43/drivers/char/agp/frontend.c 2011-03-27 14:31:47.000000000 -0400
27337 +++ linux-2.6.32.43/drivers/char/agp/frontend.c 2011-04-17 15:56:46.000000000 -0400
27338 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
27339 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
27340 return -EFAULT;
27341
27342 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
27343 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
27344 return -EFAULT;
27345
27346 client = agp_find_client_by_pid(reserve.pid);
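Review bot: The overflow bound on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)` only, and the hunk does not show which multiplication it protects. If `seg_count` is later multiplied by both `sizeof(struct agp_segment)` and `sizeof(struct agp_segment_priv)` (not visible here), the check is only safe while the private struct is at least as large. Using `max(sizeof(struct agp_segment), sizeof(struct agp_segment_priv))` as the divisor would remove that assumption, and a comment naming the allocation being guarded would help. agpioc_reserve_wrap continues outside the hunk.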
27347 diff -urNp linux-2.6.32.43/drivers/char/briq_panel.c linux-2.6.32.43/drivers/char/briq_panel.c
27348 --- linux-2.6.32.43/drivers/char/briq_panel.c 2011-03-27 14:31:47.000000000 -0400
27349 +++ linux-2.6.32.43/drivers/char/briq_panel.c 2011-04-18 19:48:57.000000000 -0400
27350 @@ -10,6 +10,7 @@
27351 #include <linux/types.h>
27352 #include <linux/errno.h>
27353 #include <linux/tty.h>
27354 +#include <linux/mutex.h>
27355 #include <linux/timer.h>
27356 #include <linux/kernel.h>
27357 #include <linux/wait.h>
27358 @@ -36,6 +37,7 @@ static int vfd_is_open;
27359 static unsigned char vfd[40];
27360 static int vfd_cursor;
27361 static unsigned char ledpb, led;
27362 +static DEFINE_MUTEX(vfd_mutex);
27363
27364 static void update_vfd(void)
27365 {
27366 @@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
27367 if (!vfd_is_open)
27368 return -EBUSY;
27369
27370 + mutex_lock(&vfd_mutex);
27371 for (;;) {
27372 char c;
27373 if (!indx)
27374 break;
27375 - if (get_user(c, buf))
27376 + if (get_user(c, buf)) {
27377 + mutex_unlock(&vfd_mutex);
27378 return -EFAULT;
27379 + }
27380 if (esc) {
27381 set_led(c);
27382 esc = 0;
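Review bot: The `get_user()` failure path unlocks `vfd_mutex` by hand before returning, so lock and unlock are paired in two places and any exit added to this loop later has to remember the unlock. A single exit keeps the pairing in one spot: use `ret = -EFAULT; goto out;` here and finish the function with `out: mutex_unlock(&vfd_mutex); return ret;`. The `vfd_is_open` test just above is also made before the lock is taken, so it is not covered by the new mutex. briq_panel_write starts and ends outside this hunk.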
27383 @@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
27384 buf++;
27385 }
27386 update_vfd();
27387 + mutex_unlock(&vfd_mutex);
27388
27389 return len;
27390 }
27391 diff -urNp linux-2.6.32.43/drivers/char/genrtc.c linux-2.6.32.43/drivers/char/genrtc.c
27392 --- linux-2.6.32.43/drivers/char/genrtc.c 2011-03-27 14:31:47.000000000 -0400
27393 +++ linux-2.6.32.43/drivers/char/genrtc.c 2011-04-18 19:45:42.000000000 -0400
27394 @@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
27395 switch (cmd) {
27396
27397 case RTC_PLL_GET:
27398 + memset(&pll, 0, sizeof(pll));
27399 if (get_rtc_pll(&pll))
27400 return -EINVAL;
27401 else
27402 diff -urNp linux-2.6.32.43/drivers/char/hpet.c linux-2.6.32.43/drivers/char/hpet.c
27403 --- linux-2.6.32.43/drivers/char/hpet.c 2011-03-27 14:31:47.000000000 -0400
27404 +++ linux-2.6.32.43/drivers/char/hpet.c 2011-04-23 12:56:11.000000000 -0400
27405 @@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
27406 return 0;
27407 }
27408
27409 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
27410 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
27411
27412 static int
27413 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
27414 @@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
27415 }
27416
27417 static int
27418 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
27419 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
27420 {
27421 struct hpet_timer __iomem *timer;
27422 struct hpet __iomem *hpet;
27423 @@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
27424 {
27425 struct hpet_info info;
27426
27427 + memset(&info, 0, sizeof(info));
27428 +
27429 if (devp->hd_ireqfreq)
27430 info.hi_ireqfreq =
27431 hpet_time_div(hpetp, devp->hd_ireqfreq);
27432 - else
27433 - info.hi_ireqfreq = 0;
27434 info.hi_flags =
27435 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
27436 info.hi_hpet = hpetp->hp_which;
27437 diff -urNp linux-2.6.32.43/drivers/char/hvc_beat.c linux-2.6.32.43/drivers/char/hvc_beat.c
27438 --- linux-2.6.32.43/drivers/char/hvc_beat.c 2011-03-27 14:31:47.000000000 -0400
27439 +++ linux-2.6.32.43/drivers/char/hvc_beat.c 2011-04-17 15:56:46.000000000 -0400
27440 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
27441 return cnt;
27442 }
27443
27444 -static struct hv_ops hvc_beat_get_put_ops = {
27445 +static const struct hv_ops hvc_beat_get_put_ops = {
27446 .get_chars = hvc_beat_get_chars,
27447 .put_chars = hvc_beat_put_chars,
27448 };
27449 diff -urNp linux-2.6.32.43/drivers/char/hvc_console.c linux-2.6.32.43/drivers/char/hvc_console.c
27450 --- linux-2.6.32.43/drivers/char/hvc_console.c 2011-03-27 14:31:47.000000000 -0400
27451 +++ linux-2.6.32.43/drivers/char/hvc_console.c 2011-04-17 15:56:46.000000000 -0400
27452 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
27453 * console interfaces but can still be used as a tty device. This has to be
27454 * static because kmalloc will not work during early console init.
27455 */
27456 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
27457 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
27458 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
27459 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
27460
27461 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
27462 * vty adapters do NOT get an hvc_instantiate() callback since they
27463 * appear after early console init.
27464 */
27465 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
27466 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
27467 {
27468 struct hvc_struct *hp;
27469
27470 @@ -756,7 +756,7 @@ static const struct tty_operations hvc_o
27471 };
27472
27473 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
27474 - struct hv_ops *ops, int outbuf_size)
27475 + const struct hv_ops *ops, int outbuf_size)
27476 {
27477 struct hvc_struct *hp;
27478 int i;
27479 diff -urNp linux-2.6.32.43/drivers/char/hvc_console.h linux-2.6.32.43/drivers/char/hvc_console.h
27480 --- linux-2.6.32.43/drivers/char/hvc_console.h 2011-03-27 14:31:47.000000000 -0400
27481 +++ linux-2.6.32.43/drivers/char/hvc_console.h 2011-04-17 15:56:46.000000000 -0400
27482 @@ -55,7 +55,7 @@ struct hvc_struct {
27483 int outbuf_size;
27484 int n_outbuf;
27485 uint32_t vtermno;
27486 - struct hv_ops *ops;
27487 + const struct hv_ops *ops;
27488 int irq_requested;
27489 int data;
27490 struct winsize ws;
27491 @@ -76,11 +76,11 @@ struct hv_ops {
27492 };
27493
27494 /* Register a vterm and a slot index for use as a console (console_init) */
27495 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
27496 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
27497
27498 /* register a vterm for hvc tty operation (module_init or hotplug add) */
27499 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
27500 - struct hv_ops *ops, int outbuf_size);
27501 + const struct hv_ops *ops, int outbuf_size);
27502 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
27503 extern int hvc_remove(struct hvc_struct *hp);
27504
27505 diff -urNp linux-2.6.32.43/drivers/char/hvc_iseries.c linux-2.6.32.43/drivers/char/hvc_iseries.c
27506 --- linux-2.6.32.43/drivers/char/hvc_iseries.c 2011-03-27 14:31:47.000000000 -0400
27507 +++ linux-2.6.32.43/drivers/char/hvc_iseries.c 2011-04-17 15:56:46.000000000 -0400
27508 @@ -197,7 +197,7 @@ done:
27509 return sent;
27510 }
27511
27512 -static struct hv_ops hvc_get_put_ops = {
27513 +static const struct hv_ops hvc_get_put_ops = {
27514 .get_chars = get_chars,
27515 .put_chars = put_chars,
27516 .notifier_add = notifier_add_irq,
27517 diff -urNp linux-2.6.32.43/drivers/char/hvc_iucv.c linux-2.6.32.43/drivers/char/hvc_iucv.c
27518 --- linux-2.6.32.43/drivers/char/hvc_iucv.c 2011-03-27 14:31:47.000000000 -0400
27519 +++ linux-2.6.32.43/drivers/char/hvc_iucv.c 2011-04-17 15:56:46.000000000 -0400
27520 @@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
27521
27522
27523 /* HVC operations */
27524 -static struct hv_ops hvc_iucv_ops = {
27525 +static const struct hv_ops hvc_iucv_ops = {
27526 .get_chars = hvc_iucv_get_chars,
27527 .put_chars = hvc_iucv_put_chars,
27528 .notifier_add = hvc_iucv_notifier_add,
27529 diff -urNp linux-2.6.32.43/drivers/char/hvc_rtas.c linux-2.6.32.43/drivers/char/hvc_rtas.c
27530 --- linux-2.6.32.43/drivers/char/hvc_rtas.c 2011-03-27 14:31:47.000000000 -0400
27531 +++ linux-2.6.32.43/drivers/char/hvc_rtas.c 2011-04-17 15:56:46.000000000 -0400
27532 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
27533 return i;
27534 }
27535
27536 -static struct hv_ops hvc_rtas_get_put_ops = {
27537 +static const struct hv_ops hvc_rtas_get_put_ops = {
27538 .get_chars = hvc_rtas_read_console,
27539 .put_chars = hvc_rtas_write_console,
27540 };
27541 diff -urNp linux-2.6.32.43/drivers/char/hvcs.c linux-2.6.32.43/drivers/char/hvcs.c
27542 --- linux-2.6.32.43/drivers/char/hvcs.c 2011-03-27 14:31:47.000000000 -0400
27543 +++ linux-2.6.32.43/drivers/char/hvcs.c 2011-04-17 15:56:46.000000000 -0400
27544 @@ -82,6 +82,7 @@
27545 #include <asm/hvcserver.h>
27546 #include <asm/uaccess.h>
27547 #include <asm/vio.h>
27548 +#include <asm/local.h>
27549
27550 /*
27551 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
27552 @@ -269,7 +270,7 @@ struct hvcs_struct {
27553 unsigned int index;
27554
27555 struct tty_struct *tty;
27556 - int open_count;
27557 + local_t open_count;
27558
27559 /*
27560 * Used to tell the driver kernel_thread what operations need to take
27561 @@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
27562
27563 spin_lock_irqsave(&hvcsd->lock, flags);
27564
27565 - if (hvcsd->open_count > 0) {
27566 + if (local_read(&hvcsd->open_count) > 0) {
27567 spin_unlock_irqrestore(&hvcsd->lock, flags);
27568 printk(KERN_INFO "HVCS: vterm state unchanged. "
27569 "The hvcs device node is still in use.\n");
27570 @@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
27571 if ((retval = hvcs_partner_connect(hvcsd)))
27572 goto error_release;
27573
27574 - hvcsd->open_count = 1;
27575 + local_set(&hvcsd->open_count, 1);
27576 hvcsd->tty = tty;
27577 tty->driver_data = hvcsd;
27578
27579 @@ -1169,7 +1170,7 @@ fast_open:
27580
27581 spin_lock_irqsave(&hvcsd->lock, flags);
27582 kref_get(&hvcsd->kref);
27583 - hvcsd->open_count++;
27584 + local_inc(&hvcsd->open_count);
27585 hvcsd->todo_mask |= HVCS_SCHED_READ;
27586 spin_unlock_irqrestore(&hvcsd->lock, flags);
27587
27588 @@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
27589 hvcsd = tty->driver_data;
27590
27591 spin_lock_irqsave(&hvcsd->lock, flags);
27592 - if (--hvcsd->open_count == 0) {
27593 + if (local_dec_and_test(&hvcsd->open_count)) {
27594
27595 vio_disable_interrupts(hvcsd->vdev);
27596
27597 @@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
27598 free_irq(irq, hvcsd);
27599 kref_put(&hvcsd->kref, destroy_hvcs_struct);
27600 return;
27601 - } else if (hvcsd->open_count < 0) {
27602 + } else if (local_read(&hvcsd->open_count) < 0) {
27603 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
27604 " is missmanaged.\n",
27605 - hvcsd->vdev->unit_address, hvcsd->open_count);
27606 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
27607 }
27608
27609 spin_unlock_irqrestore(&hvcsd->lock, flags);
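Review bot: The error `printk` still formats the counter with `%d`, but `local_read(&hvcsd->open_count)` yields a `long`, so the argument no longer matches the format on 64-bit builds. Change the format to `open_count: %ld`, or cast the argument to `int`. The assignment `temp_open_count = local_read(&hvcsd->open_count);` in hvcs_hangup narrows the same value if that variable is still an `int`; its declaration is outside the visible hunks.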
27610 @@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
27611
27612 spin_lock_irqsave(&hvcsd->lock, flags);
27613 /* Preserve this so that we know how many kref refs to put */
27614 - temp_open_count = hvcsd->open_count;
27615 + temp_open_count = local_read(&hvcsd->open_count);
27616
27617 /*
27618 * Don't kref put inside the spinlock because the destruction
27619 @@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
27620 hvcsd->tty->driver_data = NULL;
27621 hvcsd->tty = NULL;
27622
27623 - hvcsd->open_count = 0;
27624 + local_set(&hvcsd->open_count, 0);
27625
27626 /* This will drop any buffered data on the floor which is OK in a hangup
27627 * scenario. */
27628 @@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
27629 * the middle of a write operation? This is a crummy place to do this
27630 * but we want to keep it all in the spinlock.
27631 */
27632 - if (hvcsd->open_count <= 0) {
27633 + if (local_read(&hvcsd->open_count) <= 0) {
27634 spin_unlock_irqrestore(&hvcsd->lock, flags);
27635 return -ENODEV;
27636 }
27637 @@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
27638 {
27639 struct hvcs_struct *hvcsd = tty->driver_data;
27640
27641 - if (!hvcsd || hvcsd->open_count <= 0)
27642 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
27643 return 0;
27644
27645 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
27646 diff -urNp linux-2.6.32.43/drivers/char/hvc_udbg.c linux-2.6.32.43/drivers/char/hvc_udbg.c
27647 --- linux-2.6.32.43/drivers/char/hvc_udbg.c 2011-03-27 14:31:47.000000000 -0400
27648 +++ linux-2.6.32.43/drivers/char/hvc_udbg.c 2011-04-17 15:56:46.000000000 -0400
27649 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
27650 return i;
27651 }
27652
27653 -static struct hv_ops hvc_udbg_ops = {
27654 +static const struct hv_ops hvc_udbg_ops = {
27655 .get_chars = hvc_udbg_get,
27656 .put_chars = hvc_udbg_put,
27657 };
27658 diff -urNp linux-2.6.32.43/drivers/char/hvc_vio.c linux-2.6.32.43/drivers/char/hvc_vio.c
27659 --- linux-2.6.32.43/drivers/char/hvc_vio.c 2011-03-27 14:31:47.000000000 -0400
27660 +++ linux-2.6.32.43/drivers/char/hvc_vio.c 2011-04-17 15:56:46.000000000 -0400
27661 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
27662 return got;
27663 }
27664
27665 -static struct hv_ops hvc_get_put_ops = {
27666 +static const struct hv_ops hvc_get_put_ops = {
27667 .get_chars = filtered_get_chars,
27668 .put_chars = hvc_put_chars,
27669 .notifier_add = notifier_add_irq,
27670 diff -urNp linux-2.6.32.43/drivers/char/hvc_xen.c linux-2.6.32.43/drivers/char/hvc_xen.c
27671 --- linux-2.6.32.43/drivers/char/hvc_xen.c 2011-03-27 14:31:47.000000000 -0400
27672 +++ linux-2.6.32.43/drivers/char/hvc_xen.c 2011-04-17 15:56:46.000000000 -0400
27673 @@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
27674 return recv;
27675 }
27676
27677 -static struct hv_ops hvc_ops = {
27678 +static const struct hv_ops hvc_ops = {
27679 .get_chars = read_console,
27680 .put_chars = write_console,
27681 .notifier_add = notifier_add_irq,
27682 diff -urNp linux-2.6.32.43/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.43/drivers/char/ipmi/ipmi_msghandler.c
27683 --- linux-2.6.32.43/drivers/char/ipmi/ipmi_msghandler.c 2011-03-27 14:31:47.000000000 -0400
27684 +++ linux-2.6.32.43/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:46:57.000000000 -0400
27685 @@ -414,7 +414,7 @@ struct ipmi_smi {
27686 struct proc_dir_entry *proc_dir;
27687 char proc_dir_name[10];
27688
27689 - atomic_t stats[IPMI_NUM_STATS];
27690 + atomic_unchecked_t stats[IPMI_NUM_STATS];
27691
27692 /*
27693 * run_to_completion duplicate of smb_info, smi_info
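Review bot: The switch of `stats[]` to `atomic_unchecked_t` is not explained at the declaration. These look like pure statistics counters, touched only through `ipmi_inc_stat`/`ipmi_get_stat` and the zeroing loop in the following hunks, so wrap-around would be harmless. A comment such as `/* statistics only; wrap-around is harmless, so exempt from overflow checking */` would keep someone from reusing the unchecked type for a reference count. The `stats[]` field in ipmi_si_intf.c gets the same change without a comment.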
27694 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
27695
27696
27697 #define ipmi_inc_stat(intf, stat) \
27698 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
27699 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
27700 #define ipmi_get_stat(intf, stat) \
27701 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
27702 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
27703
27704 static int is_lan_addr(struct ipmi_addr *addr)
27705 {
27706 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
27707 INIT_LIST_HEAD(&intf->cmd_rcvrs);
27708 init_waitqueue_head(&intf->waitq);
27709 for (i = 0; i < IPMI_NUM_STATS; i++)
27710 - atomic_set(&intf->stats[i], 0);
27711 + atomic_set_unchecked(&intf->stats[i], 0);
27712
27713 intf->proc_dir = NULL;
27714
27715 @@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
27716 struct ipmi_smi_msg smi_msg;
27717 struct ipmi_recv_msg recv_msg;
27718
27719 + pax_track_stack();
27720 +
27721 si = (struct ipmi_system_interface_addr *) &addr;
27722 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
27723 si->channel = IPMI_BMC_CHANNEL;
27724 diff -urNp linux-2.6.32.43/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.43/drivers/char/ipmi/ipmi_si_intf.c
27725 --- linux-2.6.32.43/drivers/char/ipmi/ipmi_si_intf.c 2011-03-27 14:31:47.000000000 -0400
27726 +++ linux-2.6.32.43/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:56:46.000000000 -0400
27727 @@ -277,7 +277,7 @@ struct smi_info {
27728 unsigned char slave_addr;
27729
27730 /* Counters and things for the proc filesystem. */
27731 - atomic_t stats[SI_NUM_STATS];
27732 + atomic_unchecked_t stats[SI_NUM_STATS];
27733
27734 struct task_struct *thread;
27735
27736 @@ -285,9 +285,9 @@ struct smi_info {
27737 };
27738
27739 #define smi_inc_stat(smi, stat) \
27740 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
27741 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
27742 #define smi_get_stat(smi, stat) \
27743 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
27744 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
27745
27746 #define SI_MAX_PARMS 4
27747
27748 @@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
27749 atomic_set(&new_smi->req_events, 0);
27750 new_smi->run_to_completion = 0;
27751 for (i = 0; i < SI_NUM_STATS; i++)
27752 - atomic_set(&new_smi->stats[i], 0);
27753 + atomic_set_unchecked(&new_smi->stats[i], 0);
27754
27755 new_smi->interrupt_disabled = 0;
27756 atomic_set(&new_smi->stop_operation, 0);
27757 diff -urNp linux-2.6.32.43/drivers/char/istallion.c linux-2.6.32.43/drivers/char/istallion.c
27758 --- linux-2.6.32.43/drivers/char/istallion.c 2011-03-27 14:31:47.000000000 -0400
27759 +++ linux-2.6.32.43/drivers/char/istallion.c 2011-05-16 21:46:57.000000000 -0400
27760 @@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
27761 * re-used for each stats call.
27762 */
27763 static comstats_t stli_comstats;
27764 -static combrd_t stli_brdstats;
27765 static struct asystats stli_cdkstats;
27766
27767 /*****************************************************************************/
27768 @@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
27769 {
27770 struct stlibrd *brdp;
27771 unsigned int i;
27772 + combrd_t stli_brdstats;
27773
27774 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
27775 return -EFAULT;
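Review bot: Only `stli_brdstats` is moved onto the stack; the context lines of the previous hunk show `stli_comstats` and `stli_cdkstats` remaining file-scope statics described as re-used for each stats call. If those are also filled and copied out per ioctl without a lock (their users are not visible here), concurrent callers can still see each other's data. The new local also keeps the `stli_` prefix used for file-scope objects; `combrd_t brdstats;` would read more clearly, at the cost of renaming its uses in stli_getbrdstats, which continues outside the hunk.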
27776 @@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
27777 struct stliport stli_dummyport;
27778 struct stliport *portp;
27779
27780 + pax_track_stack();
27781 +
27782 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
27783 return -EFAULT;
27784 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
27785 @@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
27786 struct stlibrd stli_dummybrd;
27787 struct stlibrd *brdp;
27788
27789 + pax_track_stack();
27790 +
27791 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
27792 return -EFAULT;
27793 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
27794 diff -urNp linux-2.6.32.43/drivers/char/Kconfig linux-2.6.32.43/drivers/char/Kconfig
27795 --- linux-2.6.32.43/drivers/char/Kconfig 2011-03-27 14:31:47.000000000 -0400
27796 +++ linux-2.6.32.43/drivers/char/Kconfig 2011-04-18 19:20:15.000000000 -0400
27797 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
27798
27799 config DEVKMEM
27800 bool "/dev/kmem virtual device support"
27801 - default y
27802 + default n
27803 + depends on !GRKERNSEC_KMEM
27804 help
27805 Say Y here if you want to support the /dev/kmem device. The
27806 /dev/kmem device is rarely used, but can be used for certain
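Review bot: `default n` is what a `bool` symbol gets when no default is given, so the line can be deleted rather than changed. The help text below still reads as if the option were generally available; a sentence noting that it is hidden when GRKERNSEC_KMEM is enabled would explain why the prompt can disappear. The same `depends on !GRKERNSEC_KMEM` is added to DEVPORT in the next hunk, which shows no help text to update.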
27807 @@ -1114,6 +1115,7 @@ config DEVPORT
27808 bool
27809 depends on !M68K
27810 depends on ISA || PCI
27811 + depends on !GRKERNSEC_KMEM
27812 default y
27813
27814 source "drivers/s390/char/Kconfig"
27815 diff -urNp linux-2.6.32.43/drivers/char/keyboard.c linux-2.6.32.43/drivers/char/keyboard.c
27816 --- linux-2.6.32.43/drivers/char/keyboard.c 2011-03-27 14:31:47.000000000 -0400
27817 +++ linux-2.6.32.43/drivers/char/keyboard.c 2011-04-17 15:56:46.000000000 -0400
27818 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
27819 kbd->kbdmode == VC_MEDIUMRAW) &&
27820 value != KVAL(K_SAK))
27821 return; /* SAK is allowed even in raw mode */
27822 +
27823 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
27824 + {
27825 + void *func = fn_handler[value];
27826 + if (func == fn_show_state || func == fn_show_ptregs ||
27827 + func == fn_show_mem)
27828 + return;
27829 + }
27830 +#endif
27831 +
27832 fn_handler[value](vc);
27833 }
27834
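Review bot: `void *func = fn_handler[value];` stores a function pointer in a `void *`, which ISO C does not define and which discards the handler type for the comparisons that follow. Comparing the table entry directly avoids the temporary: `if (fn_handler[value] == fn_show_state || fn_handler[value] == fn_show_ptregs || fn_handler[value] == fn_show_mem) return;`. A comment stating why these three handlers are suppressed under the GRKERNSEC_PROC options would also help; judging by their names they print task, register and memory state to the console. k_spec starts outside this hunk.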
27835 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
27836 .evbit = { BIT_MASK(EV_SND) },
27837 },
27838
27839 - { }, /* Terminating entry */
27840 + { 0 }, /* Terminating entry */
27841 };
27842
27843 MODULE_DEVICE_TABLE(input, kbd_ids);
27844 diff -urNp linux-2.6.32.43/drivers/char/mem.c linux-2.6.32.43/drivers/char/mem.c
27845 --- linux-2.6.32.43/drivers/char/mem.c 2011-03-27 14:31:47.000000000 -0400
27846 +++ linux-2.6.32.43/drivers/char/mem.c 2011-04-17 15:56:46.000000000 -0400
27847 @@ -18,6 +18,7 @@
27848 #include <linux/raw.h>
27849 #include <linux/tty.h>
27850 #include <linux/capability.h>
27851 +#include <linux/security.h>
27852 #include <linux/ptrace.h>
27853 #include <linux/device.h>
27854 #include <linux/highmem.h>
27855 @@ -35,6 +36,10 @@
27856 # include <linux/efi.h>
27857 #endif
27858
27859 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
27860 +extern struct file_operations grsec_fops;
27861 +#endif
27862 +
27863 static inline unsigned long size_inside_page(unsigned long start,
27864 unsigned long size)
27865 {
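Review bot: `extern struct file_operations grsec_fops;` is declared directly in mem.c and without `const`, although this patch constifies other ops tables (`sysfs_ops`, `hv_ops`). Moving the declaration to a header shared with the definition lets the compiler check that both agree. `extern const struct file_operations grsec_fops;` would match the rest of the series if the definition can be const; the definition is not visible here.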
27866 @@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
27867
27868 while (cursor < to) {
27869 if (!devmem_is_allowed(pfn)) {
27870 +#ifdef CONFIG_GRKERNSEC_KMEM
27871 + gr_handle_mem_readwrite(from, to);
27872 +#else
27873 printk(KERN_INFO
27874 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
27875 current->comm, from, to);
27876 +#endif
27877 return 0;
27878 }
27879 cursor += PAGE_SIZE;
27880 @@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
27881 }
27882 return 1;
27883 }
27884 +#elif defined(CONFIG_GRKERNSEC_KMEM)
27885 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
27886 +{
27887 + return 0;
27888 +}
27889 #else
27890 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
27891 {
27892 @@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
27893 #endif
27894
27895 while (count > 0) {
27896 + char *temp;
27897 +
27898 /*
27899 * Handle first page in case it's not aligned
27900 */
27901 @@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
27902 if (!ptr)
27903 return -EFAULT;
27904
27905 - if (copy_to_user(buf, ptr, sz)) {
27906 +#ifdef CONFIG_PAX_USERCOPY
27907 + temp = kmalloc(sz, GFP_KERNEL);
27908 + if (!temp) {
27909 + unxlate_dev_mem_ptr(p, ptr);
27910 + return -ENOMEM;
27911 + }
27912 + memcpy(temp, ptr, sz);
27913 +#else
27914 + temp = ptr;
27915 +#endif
27916 +
27917 + if (copy_to_user(buf, temp, sz)) {
27918 +
27919 +#ifdef CONFIG_PAX_USERCOPY
27920 + kfree(temp);
27921 +#endif
27922 +
27923 unxlate_dev_mem_ptr(p, ptr);
27924 return -EFAULT;
27925 }
27926
27927 +#ifdef CONFIG_PAX_USERCOPY
27928 + kfree(temp);
27929 +#endif
27930 +
27931 unxlate_dev_mem_ptr(p, ptr);
27932
27933 buf += sz;
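Review bot: The bounce buffer is freed in two places in this hunk, once inside the `copy_to_user` failure branch and once after it, while the read_kmem hunk further down stores the result and frees once. Doing the same here, with `left = copy_to_user(buf, temp, sz);` before the single `kfree(temp)` and `unxlate_dev_mem_ptr(p, ptr)`, then `if (left) return -EFAULT;`, removes the duplicated `#ifdef` block and makes the two functions read alike. Both loops also allocate and free the buffer once per page, and there is no comment saying why the copy has to go through a heap buffer under CONFIG_PAX_USERCOPY. read_mem begins and ends outside the hunk.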
27934 @@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
27935 size_t count, loff_t *ppos)
27936 {
27937 unsigned long p = *ppos;
27938 - ssize_t low_count, read, sz;
27939 + ssize_t low_count, read, sz, err = 0;
27940 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
27941 - int err = 0;
27942
27943 read = 0;
27944 if (p < (unsigned long) high_memory) {
27945 @@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
27946 }
27947 #endif
27948 while (low_count > 0) {
27949 + char *temp;
27950 +
27951 sz = size_inside_page(p, low_count);
27952
27953 /*
27954 @@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
27955 */
27956 kbuf = xlate_dev_kmem_ptr((char *)p);
27957
27958 - if (copy_to_user(buf, kbuf, sz))
27959 +#ifdef CONFIG_PAX_USERCOPY
27960 + temp = kmalloc(sz, GFP_KERNEL);
27961 + if (!temp)
27962 + return -ENOMEM;
27963 + memcpy(temp, kbuf, sz);
27964 +#else
27965 + temp = kbuf;
27966 +#endif
27967 +
27968 + err = copy_to_user(buf, temp, sz);
27969 +
27970 +#ifdef CONFIG_PAX_USERCOPY
27971 + kfree(temp);
27972 +#endif
27973 +
27974 + if (err)
27975 return -EFAULT;
27976 buf += sz;
27977 p += sz;
27978 @@ -889,6 +941,9 @@ static const struct memdev {
27979 #ifdef CONFIG_CRASH_DUMP
27980 [12] = { "oldmem", 0, &oldmem_fops, NULL },
27981 #endif
27982 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
27983 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
27984 +#endif
27985 };
27986
27987 static int memory_open(struct inode *inode, struct file *filp)
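Review bot: The new `[13]` entry gives the `grsec` node mode `S_IRUSR | S_IWUGO`, so every local user can write to it, and nothing here says that this is intended. If the node is meant to accept requests from unprivileged processes, all access control rests on the write handler in `grsec_fops`, which is defined outside this file. A comment such as `/* world-writable on purpose: grsec_fops validates every request */` would make that explicit, once confirmed against the handler. The entry also lacks the space after the comma that the neighbouring entries have.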
27988 diff -urNp linux-2.6.32.43/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.43/drivers/char/pcmcia/ipwireless/tty.c
27989 --- linux-2.6.32.43/drivers/char/pcmcia/ipwireless/tty.c 2011-03-27 14:31:47.000000000 -0400
27990 +++ linux-2.6.32.43/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:56:46.000000000 -0400
27991 @@ -29,6 +29,7 @@
27992 #include <linux/tty_driver.h>
27993 #include <linux/tty_flip.h>
27994 #include <linux/uaccess.h>
27995 +#include <asm/local.h>
27996
27997 #include "tty.h"
27998 #include "network.h"
27999 @@ -51,7 +52,7 @@ struct ipw_tty {
28000 int tty_type;
28001 struct ipw_network *network;
28002 struct tty_struct *linux_tty;
28003 - int open_count;
28004 + local_t open_count;
28005 unsigned int control_lines;
28006 struct mutex ipw_tty_mutex;
28007 int tx_bytes_queued;
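Review bot: `open_count` becomes a `local_t`, whose operations the kernel's local_ops documentation describes as atomic only with respect to the CPU that owns the variable, yet this counter sits in a device structure that any CPU may touch. In the hunks that follow, the increment in ipw_open and the reads in ipw_hangup, ipwireless_tty_received and ipw_write are under `ipw_tty_mutex`, so the mutex is what serialises them. The reads in ipw_write_room, ipw_chars_in_buffer, ipw_tiocmget, ipw_tiocmset and ipw_ioctl show no lock in their context lines. If cross-CPU atomicity is wanted, `atomic_t open_count;` with `atomic_read`/`atomic_inc`/`atomic_dec_return` says so; otherwise a comment on the field should state why `local_t` was chosen. The same conversion appears in the sonypi.c hunks.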
28008 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
28009 mutex_unlock(&tty->ipw_tty_mutex);
28010 return -ENODEV;
28011 }
28012 - if (tty->open_count == 0)
28013 + if (local_read(&tty->open_count) == 0)
28014 tty->tx_bytes_queued = 0;
28015
28016 - tty->open_count++;
28017 + local_inc(&tty->open_count);
28018
28019 tty->linux_tty = linux_tty;
28020 linux_tty->driver_data = tty;
28021 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
28022
28023 static void do_ipw_close(struct ipw_tty *tty)
28024 {
28025 - tty->open_count--;
28026 -
28027 - if (tty->open_count == 0) {
28028 + if (local_dec_return(&tty->open_count) == 0) {
28029 struct tty_struct *linux_tty = tty->linux_tty;
28030
28031 if (linux_tty != NULL) {
28032 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
28033 return;
28034
28035 mutex_lock(&tty->ipw_tty_mutex);
28036 - if (tty->open_count == 0) {
28037 + if (local_read(&tty->open_count) == 0) {
28038 mutex_unlock(&tty->ipw_tty_mutex);
28039 return;
28040 }
28041 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
28042 return;
28043 }
28044
28045 - if (!tty->open_count) {
28046 + if (!local_read(&tty->open_count)) {
28047 mutex_unlock(&tty->ipw_tty_mutex);
28048 return;
28049 }
28050 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
28051 return -ENODEV;
28052
28053 mutex_lock(&tty->ipw_tty_mutex);
28054 - if (!tty->open_count) {
28055 + if (!local_read(&tty->open_count)) {
28056 mutex_unlock(&tty->ipw_tty_mutex);
28057 return -EINVAL;
28058 }
28059 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
28060 if (!tty)
28061 return -ENODEV;
28062
28063 - if (!tty->open_count)
28064 + if (!local_read(&tty->open_count))
28065 return -EINVAL;
28066
28067 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
28068 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
28069 if (!tty)
28070 return 0;
28071
28072 - if (!tty->open_count)
28073 + if (!local_read(&tty->open_count))
28074 return 0;
28075
28076 return tty->tx_bytes_queued;
28077 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
28078 if (!tty)
28079 return -ENODEV;
28080
28081 - if (!tty->open_count)
28082 + if (!local_read(&tty->open_count))
28083 return -EINVAL;
28084
28085 return get_control_lines(tty);
28086 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
28087 if (!tty)
28088 return -ENODEV;
28089
28090 - if (!tty->open_count)
28091 + if (!local_read(&tty->open_count))
28092 return -EINVAL;
28093
28094 return set_control_lines(tty, set, clear);
28095 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
28096 if (!tty)
28097 return -ENODEV;
28098
28099 - if (!tty->open_count)
28100 + if (!local_read(&tty->open_count))
28101 return -EINVAL;
28102
28103 /* FIXME: Exactly how is the tty object locked here .. */
28104 @@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
28105 against a parallel ioctl etc */
28106 mutex_lock(&ttyj->ipw_tty_mutex);
28107 }
28108 - while (ttyj->open_count)
28109 + while (local_read(&ttyj->open_count))
28110 do_ipw_close(ttyj);
28111 ipwireless_disassociate_network_ttys(network,
28112 ttyj->channel_idx);
28113 diff -urNp linux-2.6.32.43/drivers/char/pty.c linux-2.6.32.43/drivers/char/pty.c
28114 --- linux-2.6.32.43/drivers/char/pty.c 2011-03-27 14:31:47.000000000 -0400
28115 +++ linux-2.6.32.43/drivers/char/pty.c 2011-08-05 20:33:55.000000000 -0400
28116 @@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
28117 register_sysctl_table(pty_root_table);
28118
28119 /* Now create the /dev/ptmx special device */
28120 + pax_open_kernel();
28121 tty_default_fops(&ptmx_fops);
28122 - ptmx_fops.open = ptmx_open;
28123 + *(void **)&ptmx_fops.open = ptmx_open;
28124 + pax_close_kernel();
28125
28126 cdev_init(&ptmx_cdev, &ptmx_fops);
28127 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
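Review bot: The store `*(void **)&ptmx_fops.open = ptmx_open;` goes through a `void **` cast, which discards the member's function-pointer type, so a handler with the wrong signature would no longer be diagnosed by the compiler. Nothing explains the `pax_open_kernel()`/`pax_close_kernel()` pair either; a comment like `/* ptmx_fops is write-protected; open the window only for these stores */` would help, if that is the reason. The same cast pattern is used in the virtio_console.c and firewire/core-card.c hunks, and the tty_io.c hunk replaces the struct assignment in tty_default_fops with a `memcpy` through `(void *)`, apparently for the same purpose. A small helper that checks the assigned value against the member's type before casting would keep type checking in all of these places.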
28128 diff -urNp linux-2.6.32.43/drivers/char/random.c linux-2.6.32.43/drivers/char/random.c
28129 --- linux-2.6.32.43/drivers/char/random.c 2011-03-27 14:31:47.000000000 -0400
28130 +++ linux-2.6.32.43/drivers/char/random.c 2011-04-17 15:56:46.000000000 -0400
28131 @@ -254,8 +254,13 @@
28132 /*
28133 * Configuration information
28134 */
28135 +#ifdef CONFIG_GRKERNSEC_RANDNET
28136 +#define INPUT_POOL_WORDS 512
28137 +#define OUTPUT_POOL_WORDS 128
28138 +#else
28139 #define INPUT_POOL_WORDS 128
28140 #define OUTPUT_POOL_WORDS 32
28141 +#endif
28142 #define SEC_XFER_SIZE 512
28143
28144 /*
28145 @@ -292,10 +297,17 @@ static struct poolinfo {
28146 int poolwords;
28147 int tap1, tap2, tap3, tap4, tap5;
28148 } poolinfo_table[] = {
28149 +#ifdef CONFIG_GRKERNSEC_RANDNET
28150 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28151 + { 512, 411, 308, 208, 104, 1 },
28152 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28153 + { 128, 103, 76, 51, 25, 1 },
28154 +#else
28155 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28156 { 128, 103, 76, 51, 25, 1 },
28157 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28158 { 32, 26, 20, 14, 7, 1 },
28159 +#endif
28160 #if 0
28161 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28162 { 2048, 1638, 1231, 819, 411, 1 },
28163 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28164 #include <linux/sysctl.h>
28165
28166 static int min_read_thresh = 8, min_write_thresh;
28167 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28168 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28169 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28170 static char sysctl_bootid[16];
28171
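Review bot: The change of `max_read_thresh` to `OUTPUT_POOL_WORDS * 32` is not inside the `CONFIG_GRKERNSEC_RANDNET` conditional added earlier in this file, so it also applies to builds without that option. With the stock sizes shown above (`INPUT_POOL_WORDS 128`, `OUTPUT_POOL_WORDS 32`) the value drops from 4096 to 1024, while with RANDNET it stays at 128 * 32 = 4096. If the intent is only to keep the old limit when the pools are enlarged, the line should be guarded or commented, e.g. `/* keep the 4096-bit limit of the stock input pool */`; that intent is inferred, not stated in the patch.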
28172 diff -urNp linux-2.6.32.43/drivers/char/rocket.c linux-2.6.32.43/drivers/char/rocket.c
28173 --- linux-2.6.32.43/drivers/char/rocket.c 2011-03-27 14:31:47.000000000 -0400
28174 +++ linux-2.6.32.43/drivers/char/rocket.c 2011-05-16 21:46:57.000000000 -0400
28175 @@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
28176 struct rocket_ports tmp;
28177 int board;
28178
28179 + pax_track_stack();
28180 +
28181 if (!retports)
28182 return -EFAULT;
28183 memset(&tmp, 0, sizeof (tmp));
28184 diff -urNp linux-2.6.32.43/drivers/char/sonypi.c linux-2.6.32.43/drivers/char/sonypi.c
28185 --- linux-2.6.32.43/drivers/char/sonypi.c 2011-03-27 14:31:47.000000000 -0400
28186 +++ linux-2.6.32.43/drivers/char/sonypi.c 2011-04-17 15:56:46.000000000 -0400
28187 @@ -55,6 +55,7 @@
28188 #include <asm/uaccess.h>
28189 #include <asm/io.h>
28190 #include <asm/system.h>
28191 +#include <asm/local.h>
28192
28193 #include <linux/sonypi.h>
28194
28195 @@ -491,7 +492,7 @@ static struct sonypi_device {
28196 spinlock_t fifo_lock;
28197 wait_queue_head_t fifo_proc_list;
28198 struct fasync_struct *fifo_async;
28199 - int open_count;
28200 + local_t open_count;
28201 int model;
28202 struct input_dev *input_jog_dev;
28203 struct input_dev *input_key_dev;
28204 @@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
28205 static int sonypi_misc_release(struct inode *inode, struct file *file)
28206 {
28207 mutex_lock(&sonypi_device.lock);
28208 - sonypi_device.open_count--;
28209 + local_dec(&sonypi_device.open_count);
28210 mutex_unlock(&sonypi_device.lock);
28211 return 0;
28212 }
28213 @@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
28214 lock_kernel();
28215 mutex_lock(&sonypi_device.lock);
28216 /* Flush input queue on first open */
28217 - if (!sonypi_device.open_count)
28218 + if (!local_read(&sonypi_device.open_count))
28219 kfifo_reset(sonypi_device.fifo);
28220 - sonypi_device.open_count++;
28221 + local_inc(&sonypi_device.open_count);
28222 mutex_unlock(&sonypi_device.lock);
28223 unlock_kernel();
28224 return 0;
28225 diff -urNp linux-2.6.32.43/drivers/char/stallion.c linux-2.6.32.43/drivers/char/stallion.c
28226 --- linux-2.6.32.43/drivers/char/stallion.c 2011-03-27 14:31:47.000000000 -0400
28227 +++ linux-2.6.32.43/drivers/char/stallion.c 2011-05-16 21:46:57.000000000 -0400
28228 @@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
28229 struct stlport stl_dummyport;
28230 struct stlport *portp;
28231
28232 + pax_track_stack();
28233 +
28234 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
28235 return -EFAULT;
28236 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
28237 diff -urNp linux-2.6.32.43/drivers/char/tpm/tpm_bios.c linux-2.6.32.43/drivers/char/tpm/tpm_bios.c
28238 --- linux-2.6.32.43/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
28239 +++ linux-2.6.32.43/drivers/char/tpm/tpm_bios.c 2011-04-17 15:56:46.000000000 -0400
28240 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
28241 event = addr;
28242
28243 if ((event->event_type == 0 && event->event_size == 0) ||
28244 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28245 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28246 return NULL;
28247
28248 return addr;
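Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only safe while `limit - addr` is at least `sizeof(struct tcpa_event)`; below that, subtracting the unsigned `sizeof` wraps to a huge value and the test never rejects. The earlier form could overflow on a large `event_size`, and the new one trades that for a dependency on a check made before the hunk, which is not visible here. A comment above the condition, such as `/* addr + sizeof(struct tcpa_event) < limit was checked above, so this cannot wrap */`, should state that, after confirming the check exists. The same applies to the tpm_bios_measurements_next hunk with `v`.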
28249 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
28250 return NULL;
28251
28252 if ((event->event_type == 0 && event->event_size == 0) ||
28253 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28254 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28255 return NULL;
28256
28257 (*pos)++;
28258 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
28259 int i;
28260
28261 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28262 - seq_putc(m, data[i]);
28263 + if (!seq_putc(m, data[i]))
28264 + return -EFAULT;
28265
28266 return 0;
28267 }
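Review bot: The new test `if (!seq_putc(m, data[i]))` looks inverted: in this kernel series seq_putc() returns 0 when the byte was stored and -1 when the buffer is full, so the function would return -EFAULT after the first byte is written successfully. The form that fires on failure is `if (seq_putc(m, data[i]))`. A full seq_file buffer is normally handled by the seq_file core retrying with a larger buffer, so whether an error return is wanted here at all should be confirmed. The enclosing function starts outside the hunk.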
28268 @@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
28269 log->bios_event_log_end = log->bios_event_log + len;
28270
28271 virt = acpi_os_map_memory(start, len);
28272 + if (!virt) {
28273 + kfree(log->bios_event_log);
28274 + log->bios_event_log = NULL;
28275 + return -EFAULT;
28276 + }
28277
28278 memcpy(log->bios_event_log, virt, len);
28279
28280 diff -urNp linux-2.6.32.43/drivers/char/tpm/tpm.c linux-2.6.32.43/drivers/char/tpm/tpm.c
28281 --- linux-2.6.32.43/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
28282 +++ linux-2.6.32.43/drivers/char/tpm/tpm.c 2011-05-16 21:46:57.000000000 -0400
28283 @@ -402,7 +402,7 @@ static ssize_t tpm_transmit(struct tpm_c
28284 chip->vendor.req_complete_val)
28285 goto out_recv;
28286
28287 - if ((status == chip->vendor.req_canceled)) {
28288 + if (status == chip->vendor.req_canceled) {
28289 dev_err(chip->dev, "Operation Canceled\n");
28290 rc = -ECANCELED;
28291 goto out;
28292 @@ -821,6 +821,8 @@ ssize_t tpm_show_pubek(struct device *de
28293
28294 struct tpm_chip *chip = dev_get_drvdata(dev);
28295
28296 + pax_track_stack();
28297 +
28298 tpm_cmd.header.in = tpm_readpubek_header;
28299 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28300 "attempting to read the PUBEK");
28301 diff -urNp linux-2.6.32.43/drivers/char/tty_io.c linux-2.6.32.43/drivers/char/tty_io.c
28302 --- linux-2.6.32.43/drivers/char/tty_io.c 2011-03-27 14:31:47.000000000 -0400
28303 +++ linux-2.6.32.43/drivers/char/tty_io.c 2011-08-05 20:33:55.000000000 -0400
28304 @@ -2582,8 +2582,10 @@ long tty_ioctl(struct file *file, unsign
28305 return retval;
28306 }
28307
28308 +EXPORT_SYMBOL(tty_ioctl);
28309 +
28310 #ifdef CONFIG_COMPAT
28311 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28312 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28313 unsigned long arg)
28314 {
28315 struct inode *inode = file->f_dentry->d_inode;
28316 @@ -2607,6 +2609,8 @@ static long tty_compat_ioctl(struct file
28317
28318 return retval;
28319 }
28320 +
28321 +EXPORT_SYMBOL(tty_compat_ioctl);
28322 #endif
28323
28324 /*
28325 @@ -3052,7 +3056,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
28326
28327 void tty_default_fops(struct file_operations *fops)
28328 {
28329 - *fops = tty_fops;
28330 + memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
28331 }
28332
28333 /*
28334 diff -urNp linux-2.6.32.43/drivers/char/tty_ldisc.c linux-2.6.32.43/drivers/char/tty_ldisc.c
28335 --- linux-2.6.32.43/drivers/char/tty_ldisc.c 2011-07-13 17:23:04.000000000 -0400
28336 +++ linux-2.6.32.43/drivers/char/tty_ldisc.c 2011-07-13 17:23:18.000000000 -0400
28337 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
28338 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28339 struct tty_ldisc_ops *ldo = ld->ops;
28340
28341 - ldo->refcount--;
28342 + atomic_dec(&ldo->refcount);
28343 module_put(ldo->owner);
28344 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28345
28346 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
28347 spin_lock_irqsave(&tty_ldisc_lock, flags);
28348 tty_ldiscs[disc] = new_ldisc;
28349 new_ldisc->num = disc;
28350 - new_ldisc->refcount = 0;
28351 + atomic_set(&new_ldisc->refcount, 0);
28352 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28353
28354 return ret;
28355 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
28356 return -EINVAL;
28357
28358 spin_lock_irqsave(&tty_ldisc_lock, flags);
28359 - if (tty_ldiscs[disc]->refcount)
28360 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28361 ret = -EBUSY;
28362 else
28363 tty_ldiscs[disc] = NULL;
28364 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
28365 if (ldops) {
28366 ret = ERR_PTR(-EAGAIN);
28367 if (try_module_get(ldops->owner)) {
28368 - ldops->refcount++;
28369 + atomic_inc(&ldops->refcount);
28370 ret = ldops;
28371 }
28372 }
28373 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
28374 unsigned long flags;
28375
28376 spin_lock_irqsave(&tty_ldisc_lock, flags);
28377 - ldops->refcount--;
28378 + atomic_dec(&ldops->refcount);
28379 module_put(ldops->owner);
28380 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28381 }
28382 diff -urNp linux-2.6.32.43/drivers/char/virtio_console.c linux-2.6.32.43/drivers/char/virtio_console.c
28383 --- linux-2.6.32.43/drivers/char/virtio_console.c 2011-03-27 14:31:47.000000000 -0400
28384 +++ linux-2.6.32.43/drivers/char/virtio_console.c 2011-08-05 20:33:55.000000000 -0400
28385 @@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
28386 * virtqueue, so we let the drivers do some boutique early-output thing. */
28387 int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
28388 {
28389 - virtio_cons.put_chars = put_chars;
28390 + pax_open_kernel();
28391 + *(void **)&virtio_cons.put_chars = put_chars;
28392 + pax_close_kernel();
28393 return hvc_instantiate(0, 0, &virtio_cons);
28394 }
28395
28396 @@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
28397 out_vq = vqs[1];
28398
28399 /* Start using the new console output. */
28400 - virtio_cons.get_chars = get_chars;
28401 - virtio_cons.put_chars = put_chars;
28402 - virtio_cons.notifier_add = notifier_add_vio;
28403 - virtio_cons.notifier_del = notifier_del_vio;
28404 - virtio_cons.notifier_hangup = notifier_del_vio;
28405 + pax_open_kernel();
28406 + *(void **)&virtio_cons.get_chars = get_chars;
28407 + *(void **)&virtio_cons.put_chars = put_chars;
28408 + *(void **)&virtio_cons.notifier_add = notifier_add_vio;
28409 + *(void **)&virtio_cons.notifier_del = notifier_del_vio;
28410 + *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
28411 + pax_close_kernel();
28412
28413 /* The first argument of hvc_alloc() is the virtual console number, so
28414 * we use zero. The second argument is the parameter for the
28415 diff -urNp linux-2.6.32.43/drivers/char/vt.c linux-2.6.32.43/drivers/char/vt.c
28416 --- linux-2.6.32.43/drivers/char/vt.c 2011-03-27 14:31:47.000000000 -0400
28417 +++ linux-2.6.32.43/drivers/char/vt.c 2011-04-17 15:56:46.000000000 -0400
28418 @@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
28419
28420 static void notify_write(struct vc_data *vc, unsigned int unicode)
28421 {
28422 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
28423 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
28424 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
28425 }
28426
28427 diff -urNp linux-2.6.32.43/drivers/char/vt_ioctl.c linux-2.6.32.43/drivers/char/vt_ioctl.c
28428 --- linux-2.6.32.43/drivers/char/vt_ioctl.c 2011-03-27 14:31:47.000000000 -0400
28429 +++ linux-2.6.32.43/drivers/char/vt_ioctl.c 2011-04-17 15:56:46.000000000 -0400
28430 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28431 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28432 return -EFAULT;
28433
28434 - if (!capable(CAP_SYS_TTY_CONFIG))
28435 - perm = 0;
28436 -
28437 switch (cmd) {
28438 case KDGKBENT:
28439 key_map = key_maps[s];
28440 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28441 val = (i ? K_HOLE : K_NOSUCHMAP);
28442 return put_user(val, &user_kbe->kb_value);
28443 case KDSKBENT:
28444 + if (!capable(CAP_SYS_TTY_CONFIG))
28445 + perm = 0;
28446 +
28447 if (!perm)
28448 return -EPERM;
28449 +
28450 if (!i && v == K_NOSUCHMAP) {
28451 /* deallocate map */
28452 key_map = key_maps[s];
28453 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28454 int i, j, k;
28455 int ret;
28456
28457 - if (!capable(CAP_SYS_TTY_CONFIG))
28458 - perm = 0;
28459 -
28460 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28461 if (!kbs) {
28462 ret = -ENOMEM;
28463 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28464 kfree(kbs);
28465 return ((p && *p) ? -EOVERFLOW : 0);
28466 case KDSKBSENT:
28467 + if (!capable(CAP_SYS_TTY_CONFIG))
28468 + perm = 0;
28469 +
28470 if (!perm) {
28471 ret = -EPERM;
28472 goto reterr;
28473 diff -urNp linux-2.6.32.43/drivers/cpufreq/cpufreq.c linux-2.6.32.43/drivers/cpufreq/cpufreq.c
28474 --- linux-2.6.32.43/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
28475 +++ linux-2.6.32.43/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
28476 @@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
28477 complete(&policy->kobj_unregister);
28478 }
28479
28480 -static struct sysfs_ops sysfs_ops = {
28481 +static const struct sysfs_ops sysfs_ops = {
28482 .show = show,
28483 .store = store,
28484 };
28485 diff -urNp linux-2.6.32.43/drivers/cpuidle/sysfs.c linux-2.6.32.43/drivers/cpuidle/sysfs.c
28486 --- linux-2.6.32.43/drivers/cpuidle/sysfs.c 2011-03-27 14:31:47.000000000 -0400
28487 +++ linux-2.6.32.43/drivers/cpuidle/sysfs.c 2011-04-17 15:56:46.000000000 -0400
28488 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
28489 return ret;
28490 }
28491
28492 -static struct sysfs_ops cpuidle_sysfs_ops = {
28493 +static const struct sysfs_ops cpuidle_sysfs_ops = {
28494 .show = cpuidle_show,
28495 .store = cpuidle_store,
28496 };
28497 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
28498 return ret;
28499 }
28500
28501 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
28502 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
28503 .show = cpuidle_state_show,
28504 };
28505
28506 @@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
28507 .release = cpuidle_state_sysfs_release,
28508 };
28509
28510 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
28511 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
28512 {
28513 kobject_put(&device->kobjs[i]->kobj);
28514 wait_for_completion(&device->kobjs[i]->kobj_unregister);
28515 diff -urNp linux-2.6.32.43/drivers/crypto/hifn_795x.c linux-2.6.32.43/drivers/crypto/hifn_795x.c
28516 --- linux-2.6.32.43/drivers/crypto/hifn_795x.c 2011-03-27 14:31:47.000000000 -0400
28517 +++ linux-2.6.32.43/drivers/crypto/hifn_795x.c 2011-05-16 21:46:57.000000000 -0400
28518 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28519 0xCA, 0x34, 0x2B, 0x2E};
28520 struct scatterlist sg;
28521
28522 + pax_track_stack();
28523 +
28524 memset(src, 0, sizeof(src));
28525 memset(ctx.key, 0, sizeof(ctx.key));
28526
28527 diff -urNp linux-2.6.32.43/drivers/crypto/padlock-aes.c linux-2.6.32.43/drivers/crypto/padlock-aes.c
28528 --- linux-2.6.32.43/drivers/crypto/padlock-aes.c 2011-03-27 14:31:47.000000000 -0400
28529 +++ linux-2.6.32.43/drivers/crypto/padlock-aes.c 2011-05-16 21:46:57.000000000 -0400
28530 @@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
28531 struct crypto_aes_ctx gen_aes;
28532 int cpu;
28533
28534 + pax_track_stack();
28535 +
28536 if (key_len % 8) {
28537 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28538 return -EINVAL;
28539 diff -urNp linux-2.6.32.43/drivers/dma/ioat/dma.c linux-2.6.32.43/drivers/dma/ioat/dma.c
28540 --- linux-2.6.32.43/drivers/dma/ioat/dma.c 2011-03-27 14:31:47.000000000 -0400
28541 +++ linux-2.6.32.43/drivers/dma/ioat/dma.c 2011-04-17 15:56:46.000000000 -0400
28542 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
28543 return entry->show(&chan->common, page);
28544 }
28545
28546 -struct sysfs_ops ioat_sysfs_ops = {
28547 +const struct sysfs_ops ioat_sysfs_ops = {
28548 .show = ioat_attr_show,
28549 };
28550
28551 diff -urNp linux-2.6.32.43/drivers/dma/ioat/dma.h linux-2.6.32.43/drivers/dma/ioat/dma.h
28552 --- linux-2.6.32.43/drivers/dma/ioat/dma.h 2011-03-27 14:31:47.000000000 -0400
28553 +++ linux-2.6.32.43/drivers/dma/ioat/dma.h 2011-04-17 15:56:46.000000000 -0400
28554 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
28555 unsigned long *phys_complete);
28556 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
28557 void ioat_kobject_del(struct ioatdma_device *device);
28558 -extern struct sysfs_ops ioat_sysfs_ops;
28559 +extern const struct sysfs_ops ioat_sysfs_ops;
28560 extern struct ioat_sysfs_entry ioat_version_attr;
28561 extern struct ioat_sysfs_entry ioat_cap_attr;
28562 #endif /* IOATDMA_H */
28563 diff -urNp linux-2.6.32.43/drivers/edac/edac_device_sysfs.c linux-2.6.32.43/drivers/edac/edac_device_sysfs.c
28564 --- linux-2.6.32.43/drivers/edac/edac_device_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28565 +++ linux-2.6.32.43/drivers/edac/edac_device_sysfs.c 2011-04-17 15:56:46.000000000 -0400
28566 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
28567 }
28568
28569 /* edac_dev file operations for an 'ctl_info' */
28570 -static struct sysfs_ops device_ctl_info_ops = {
28571 +static const struct sysfs_ops device_ctl_info_ops = {
28572 .show = edac_dev_ctl_info_show,
28573 .store = edac_dev_ctl_info_store
28574 };
28575 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
28576 }
28577
28578 /* edac_dev file operations for an 'instance' */
28579 -static struct sysfs_ops device_instance_ops = {
28580 +static const struct sysfs_ops device_instance_ops = {
28581 .show = edac_dev_instance_show,
28582 .store = edac_dev_instance_store
28583 };
28584 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
28585 }
28586
28587 /* edac_dev file operations for a 'block' */
28588 -static struct sysfs_ops device_block_ops = {
28589 +static const struct sysfs_ops device_block_ops = {
28590 .show = edac_dev_block_show,
28591 .store = edac_dev_block_store
28592 };
28593 diff -urNp linux-2.6.32.43/drivers/edac/edac_mc_sysfs.c linux-2.6.32.43/drivers/edac/edac_mc_sysfs.c
28594 --- linux-2.6.32.43/drivers/edac/edac_mc_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28595 +++ linux-2.6.32.43/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:56:46.000000000 -0400
28596 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
28597 return -EIO;
28598 }
28599
28600 -static struct sysfs_ops csrowfs_ops = {
28601 +static const struct sysfs_ops csrowfs_ops = {
28602 .show = csrowdev_show,
28603 .store = csrowdev_store
28604 };
28605 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
28606 }
28607
28608 /* Intermediate show/store table */
28609 -static struct sysfs_ops mci_ops = {
28610 +static const struct sysfs_ops mci_ops = {
28611 .show = mcidev_show,
28612 .store = mcidev_store
28613 };
28614 diff -urNp linux-2.6.32.43/drivers/edac/edac_pci_sysfs.c linux-2.6.32.43/drivers/edac/edac_pci_sysfs.c
28615 --- linux-2.6.32.43/drivers/edac/edac_pci_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28616 +++ linux-2.6.32.43/drivers/edac/edac_pci_sysfs.c 2011-05-04 17:56:20.000000000 -0400
28617 @@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
28618 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
28619 static int edac_pci_poll_msec = 1000; /* one second workq period */
28620
28621 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
28622 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
28623 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
28624 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
28625
28626 static struct kobject *edac_pci_top_main_kobj;
28627 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
28628 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
28629 }
28630
28631 /* fs_ops table */
28632 -static struct sysfs_ops pci_instance_ops = {
28633 +static const struct sysfs_ops pci_instance_ops = {
28634 .show = edac_pci_instance_show,
28635 .store = edac_pci_instance_store
28636 };
28637 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
28638 return -EIO;
28639 }
28640
28641 -static struct sysfs_ops edac_pci_sysfs_ops = {
28642 +static const struct sysfs_ops edac_pci_sysfs_ops = {
28643 .show = edac_pci_dev_show,
28644 .store = edac_pci_dev_store
28645 };
28646 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
28647 edac_printk(KERN_CRIT, EDAC_PCI,
28648 "Signaled System Error on %s\n",
28649 pci_name(dev));
28650 - atomic_inc(&pci_nonparity_count);
28651 + atomic_inc_unchecked(&pci_nonparity_count);
28652 }
28653
28654 if (status & (PCI_STATUS_PARITY)) {
28655 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
28656 "Master Data Parity Error on %s\n",
28657 pci_name(dev));
28658
28659 - atomic_inc(&pci_parity_count);
28660 + atomic_inc_unchecked(&pci_parity_count);
28661 }
28662
28663 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28664 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
28665 "Detected Parity Error on %s\n",
28666 pci_name(dev));
28667
28668 - atomic_inc(&pci_parity_count);
28669 + atomic_inc_unchecked(&pci_parity_count);
28670 }
28671 }
28672
28673 @@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
28674 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
28675 "Signaled System Error on %s\n",
28676 pci_name(dev));
28677 - atomic_inc(&pci_nonparity_count);
28678 + atomic_inc_unchecked(&pci_nonparity_count);
28679 }
28680
28681 if (status & (PCI_STATUS_PARITY)) {
28682 @@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
28683 "Master Data Parity Error on "
28684 "%s\n", pci_name(dev));
28685
28686 - atomic_inc(&pci_parity_count);
28687 + atomic_inc_unchecked(&pci_parity_count);
28688 }
28689
28690 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28691 @@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
28692 "Detected Parity Error on %s\n",
28693 pci_name(dev));
28694
28695 - atomic_inc(&pci_parity_count);
28696 + atomic_inc_unchecked(&pci_parity_count);
28697 }
28698 }
28699 }
28700 @@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
28701 if (!check_pci_errors)
28702 return;
28703
28704 - before_count = atomic_read(&pci_parity_count);
28705 + before_count = atomic_read_unchecked(&pci_parity_count);
28706
28707 /* scan all PCI devices looking for a Parity Error on devices and
28708 * bridges.
28709 @@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
28710 /* Only if operator has selected panic on PCI Error */
28711 if (edac_pci_get_panic_on_pe()) {
28712 /* If the count is different 'after' from 'before' */
28713 - if (before_count != atomic_read(&pci_parity_count))
28714 + if (before_count != atomic_read_unchecked(&pci_parity_count))
28715 panic("EDAC: PCI Parity Error");
28716 }
28717 }
28718 diff -urNp linux-2.6.32.43/drivers/firewire/core-card.c linux-2.6.32.43/drivers/firewire/core-card.c
28719 --- linux-2.6.32.43/drivers/firewire/core-card.c 2011-03-27 14:31:47.000000000 -0400
28720 +++ linux-2.6.32.43/drivers/firewire/core-card.c 2011-08-05 20:33:55.000000000 -0400
28721 @@ -569,8 +569,10 @@ void fw_core_remove_card(struct fw_card
28722 mutex_unlock(&card_mutex);
28723
28724 /* Switch off most of the card driver interface. */
28725 - dummy_driver.free_iso_context = card->driver->free_iso_context;
28726 - dummy_driver.stop_iso = card->driver->stop_iso;
28727 + pax_open_kernel();
28728 + *(void **)&dummy_driver.free_iso_context = card->driver->free_iso_context;
28729 + *(void **)&dummy_driver.stop_iso = card->driver->stop_iso;
28730 + pax_close_kernel();
28731 card->driver = &dummy_driver;
28732
28733 fw_destroy_nodes(card);
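Review bot: The stores to `*(void **)&dummy_driver.free_iso_context` and `*(void **)&dummy_driver.stop_iso` go through a `void **` cast, which silences the compiler's function-pointer type check, so a later signature change in either callback would no longer be caught here. A short comment above `pax_open_kernel()` would help, for example `/* dummy_driver is read-only after init; open a write window to copy the two callbacks that must stay live */` (the read-only placement is inferred from the bracket and is not visible in this hunk). The stores also run after `mutex_unlock(&card_mutex)`, so it is worth confirming that nothing else can write `dummy_driver` while the window is open. The same cast-and-bracket pattern appears in the `intel_sdvo_init` hunk of drivers/gpu/drm/i915/intel_sdvo.c. fw_core_remove_card's body continues outside the hunk.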
28734 diff -urNp linux-2.6.32.43/drivers/firewire/core-cdev.c linux-2.6.32.43/drivers/firewire/core-cdev.c
28735 --- linux-2.6.32.43/drivers/firewire/core-cdev.c 2011-03-27 14:31:47.000000000 -0400
28736 +++ linux-2.6.32.43/drivers/firewire/core-cdev.c 2011-04-17 15:56:46.000000000 -0400
28737 @@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
28738 int ret;
28739
28740 if ((request->channels == 0 && request->bandwidth == 0) ||
28741 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
28742 - request->bandwidth < 0)
28743 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
28744 return -EINVAL;
28745
28746 r = kmalloc(sizeof(*r), GFP_KERNEL);
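Review bot: Dropping `request->bandwidth < 0` is only safe if `bandwidth` is an unsigned field, and its declaration is not visible in this hunk. If it is unsigned, the removed comparison was dead code and the remaining upper-bound test already rejects wrapped values; if it is signed, negative requests now pass the check. A one-line comment such as `/* bandwidth is unsigned, so the upper bound also covers wrapped negative values */` would record the assumption next to the test. init_iso_resource's body continues outside the hunk.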
28747 diff -urNp linux-2.6.32.43/drivers/firewire/core-transaction.c linux-2.6.32.43/drivers/firewire/core-transaction.c
28748 --- linux-2.6.32.43/drivers/firewire/core-transaction.c 2011-03-27 14:31:47.000000000 -0400
28749 +++ linux-2.6.32.43/drivers/firewire/core-transaction.c 2011-05-16 21:46:57.000000000 -0400
28750 @@ -36,6 +36,7 @@
28751 #include <linux/string.h>
28752 #include <linux/timer.h>
28753 #include <linux/types.h>
28754 +#include <linux/sched.h>
28755
28756 #include <asm/byteorder.h>
28757
28758 @@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
28759 struct transaction_callback_data d;
28760 struct fw_transaction t;
28761
28762 + pax_track_stack();
28763 +
28764 init_completion(&d.done);
28765 d.payload = payload;
28766 fw_send_request(card, &t, tcode, destination_id, generation, speed,
28767 diff -urNp linux-2.6.32.43/drivers/firmware/dmi_scan.c linux-2.6.32.43/drivers/firmware/dmi_scan.c
28768 --- linux-2.6.32.43/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
28769 +++ linux-2.6.32.43/drivers/firmware/dmi_scan.c 2011-04-17 15:56:46.000000000 -0400
28770 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
28771 }
28772 }
28773 else {
28774 - /*
28775 - * no iounmap() for that ioremap(); it would be a no-op, but
28776 - * it's so early in setup that sucker gets confused into doing
28777 - * what it shouldn't if we actually call it.
28778 - */
28779 p = dmi_ioremap(0xF0000, 0x10000);
28780 if (p == NULL)
28781 goto error;
28782 diff -urNp linux-2.6.32.43/drivers/firmware/edd.c linux-2.6.32.43/drivers/firmware/edd.c
28783 --- linux-2.6.32.43/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
28784 +++ linux-2.6.32.43/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
28785 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
28786 return ret;
28787 }
28788
28789 -static struct sysfs_ops edd_attr_ops = {
28790 +static const struct sysfs_ops edd_attr_ops = {
28791 .show = edd_attr_show,
28792 };
28793
28794 diff -urNp linux-2.6.32.43/drivers/firmware/efivars.c linux-2.6.32.43/drivers/firmware/efivars.c
28795 --- linux-2.6.32.43/drivers/firmware/efivars.c 2011-03-27 14:31:47.000000000 -0400
28796 +++ linux-2.6.32.43/drivers/firmware/efivars.c 2011-04-17 15:56:46.000000000 -0400
28797 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
28798 return ret;
28799 }
28800
28801 -static struct sysfs_ops efivar_attr_ops = {
28802 +static const struct sysfs_ops efivar_attr_ops = {
28803 .show = efivar_attr_show,
28804 .store = efivar_attr_store,
28805 };
28806 diff -urNp linux-2.6.32.43/drivers/firmware/iscsi_ibft.c linux-2.6.32.43/drivers/firmware/iscsi_ibft.c
28807 --- linux-2.6.32.43/drivers/firmware/iscsi_ibft.c 2011-03-27 14:31:47.000000000 -0400
28808 +++ linux-2.6.32.43/drivers/firmware/iscsi_ibft.c 2011-04-17 15:56:46.000000000 -0400
28809 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
28810 return ret;
28811 }
28812
28813 -static struct sysfs_ops ibft_attr_ops = {
28814 +static const struct sysfs_ops ibft_attr_ops = {
28815 .show = ibft_show_attribute,
28816 };
28817
28818 diff -urNp linux-2.6.32.43/drivers/firmware/memmap.c linux-2.6.32.43/drivers/firmware/memmap.c
28819 --- linux-2.6.32.43/drivers/firmware/memmap.c 2011-03-27 14:31:47.000000000 -0400
28820 +++ linux-2.6.32.43/drivers/firmware/memmap.c 2011-04-17 15:56:46.000000000 -0400
28821 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
28822 NULL
28823 };
28824
28825 -static struct sysfs_ops memmap_attr_ops = {
28826 +static const struct sysfs_ops memmap_attr_ops = {
28827 .show = memmap_attr_show,
28828 };
28829
28830 diff -urNp linux-2.6.32.43/drivers/gpio/vr41xx_giu.c linux-2.6.32.43/drivers/gpio/vr41xx_giu.c
28831 --- linux-2.6.32.43/drivers/gpio/vr41xx_giu.c 2011-03-27 14:31:47.000000000 -0400
28832 +++ linux-2.6.32.43/drivers/gpio/vr41xx_giu.c 2011-05-04 17:56:28.000000000 -0400
28833 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
28834 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
28835 maskl, pendl, maskh, pendh);
28836
28837 - atomic_inc(&irq_err_count);
28838 + atomic_inc_unchecked(&irq_err_count);
28839
28840 return -EINVAL;
28841 }
28842 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.43/drivers/gpu/drm/drm_crtc_helper.c
28843 --- linux-2.6.32.43/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
28844 +++ linux-2.6.32.43/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
28845 @@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
28846 struct drm_crtc *tmp;
28847 int crtc_mask = 1;
28848
28849 - WARN(!crtc, "checking null crtc?");
28850 + BUG_ON(!crtc);
28851
28852 dev = crtc->dev;
28853
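Review bot: `BUG_ON(!crtc)` halts the kernel on a condition that `drm_encoder_crtc_ok` could report to its caller instead, and it drops the diagnostic text the old `WARN` printed. Because `dev = crtc->dev` follows immediately, stopping before the dereference is sound; a recoverable form would be `if (WARN(!crtc, "checking null crtc?")) return false;`, assuming a `false` result is acceptable to the callers, which are not visible here. If the hard stop is intended, a comment saying so would help, e.g. `/* never dereference a NULL crtc; fail hard rather than continue */`. The function body continues outside the hunk.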
28854 @@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
28855
28856 adjusted_mode = drm_mode_duplicate(dev, mode);
28857
28858 + pax_track_stack();
28859 +
28860 crtc->enabled = drm_helper_crtc_in_use(crtc);
28861
28862 if (!crtc->enabled)
28863 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_drv.c linux-2.6.32.43/drivers/gpu/drm/drm_drv.c
28864 --- linux-2.6.32.43/drivers/gpu/drm/drm_drv.c 2011-03-27 14:31:47.000000000 -0400
28865 +++ linux-2.6.32.43/drivers/gpu/drm/drm_drv.c 2011-04-17 15:56:46.000000000 -0400
28866 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
28867 char *kdata = NULL;
28868
28869 atomic_inc(&dev->ioctl_count);
28870 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
28871 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
28872 ++file_priv->ioctl_count;
28873
28874 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
28875 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_fops.c linux-2.6.32.43/drivers/gpu/drm/drm_fops.c
28876 --- linux-2.6.32.43/drivers/gpu/drm/drm_fops.c 2011-03-27 14:31:47.000000000 -0400
28877 +++ linux-2.6.32.43/drivers/gpu/drm/drm_fops.c 2011-04-17 15:56:46.000000000 -0400
28878 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
28879 }
28880
28881 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
28882 - atomic_set(&dev->counts[i], 0);
28883 + atomic_set_unchecked(&dev->counts[i], 0);
28884
28885 dev->sigdata.lock = NULL;
28886
28887 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
28888
28889 retcode = drm_open_helper(inode, filp, dev);
28890 if (!retcode) {
28891 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
28892 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
28893 spin_lock(&dev->count_lock);
28894 - if (!dev->open_count++) {
28895 + if (local_inc_return(&dev->open_count) == 1) {
28896 spin_unlock(&dev->count_lock);
28897 retcode = drm_setup(dev);
28898 goto out;
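Review bot: The switch of `open_count` to `local_inc_return(&dev->open_count)` needs a comment, because local_t operations are only atomic with respect to the current CPU and this is a device-wide counter. Cross-CPU exclusion here still comes from `spin_lock(&dev->count_lock)` on the line above, so something like `/* open_count is serialised by count_lock; local_t is used only for its counter semantics */` would stop a later reader from treating the local_t op as sufficient on its own (the reason for choosing local_t is inferred, not shown). The matching `local_dec_and_test(&dev->open_count)` hunk in drm_release deserves the same comment. drm_open's body continues outside the hunk.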
28899 @@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
28900
28901 lock_kernel();
28902
28903 - DRM_DEBUG("open_count = %d\n", dev->open_count);
28904 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
28905
28906 if (dev->driver->preclose)
28907 dev->driver->preclose(dev, file_priv);
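Review bot: `local_read(&dev->open_count)` is passed to a `%d` conversion in `DRM_DEBUG("open_count = %d\n", ...)`, but local_read() returns a long on architectures where local_t wraps atomic_long_t, so the argument no longer matches the format on 64-bit builds. Either change the conversion, `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`, or cast the value to int. The next drm_release hunk has the same mismatch in its `open_count = %d` argument. drm_release's body continues outside the hunk.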
28908 @@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
28909 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
28910 task_pid_nr(current),
28911 (long)old_encode_dev(file_priv->minor->device),
28912 - dev->open_count);
28913 + local_read(&dev->open_count));
28914
28915 /* if the master has gone away we can't do anything with the lock */
28916 if (file_priv->minor->master)
28917 @@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
28918 * End inline drm_release
28919 */
28920
28921 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
28922 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
28923 spin_lock(&dev->count_lock);
28924 - if (!--dev->open_count) {
28925 + if (local_dec_and_test(&dev->open_count)) {
28926 if (atomic_read(&dev->ioctl_count)) {
28927 DRM_ERROR("Device busy: %d\n",
28928 atomic_read(&dev->ioctl_count));
28929 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_gem.c linux-2.6.32.43/drivers/gpu/drm/drm_gem.c
28930 --- linux-2.6.32.43/drivers/gpu/drm/drm_gem.c 2011-03-27 14:31:47.000000000 -0400
28931 +++ linux-2.6.32.43/drivers/gpu/drm/drm_gem.c 2011-04-17 15:56:46.000000000 -0400
28932 @@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
28933 spin_lock_init(&dev->object_name_lock);
28934 idr_init(&dev->object_name_idr);
28935 atomic_set(&dev->object_count, 0);
28936 - atomic_set(&dev->object_memory, 0);
28937 + atomic_set_unchecked(&dev->object_memory, 0);
28938 atomic_set(&dev->pin_count, 0);
28939 - atomic_set(&dev->pin_memory, 0);
28940 + atomic_set_unchecked(&dev->pin_memory, 0);
28941 atomic_set(&dev->gtt_count, 0);
28942 - atomic_set(&dev->gtt_memory, 0);
28943 + atomic_set_unchecked(&dev->gtt_memory, 0);
28944
28945 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
28946 if (!mm) {
28947 @@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
28948 goto fput;
28949 }
28950 atomic_inc(&dev->object_count);
28951 - atomic_add(obj->size, &dev->object_memory);
28952 + atomic_add_unchecked(obj->size, &dev->object_memory);
28953 return obj;
28954 fput:
28955 fput(obj->filp);
28956 @@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
28957
28958 fput(obj->filp);
28959 atomic_dec(&dev->object_count);
28960 - atomic_sub(obj->size, &dev->object_memory);
28961 + atomic_sub_unchecked(obj->size, &dev->object_memory);
28962 kfree(obj);
28963 }
28964 EXPORT_SYMBOL(drm_gem_object_free);
28965 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_info.c linux-2.6.32.43/drivers/gpu/drm/drm_info.c
28966 --- linux-2.6.32.43/drivers/gpu/drm/drm_info.c 2011-03-27 14:31:47.000000000 -0400
28967 +++ linux-2.6.32.43/drivers/gpu/drm/drm_info.c 2011-04-17 15:56:46.000000000 -0400
28968 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
28969 struct drm_local_map *map;
28970 struct drm_map_list *r_list;
28971
28972 - /* Hardcoded from _DRM_FRAME_BUFFER,
28973 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
28974 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
28975 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
28976 + static const char * const types[] = {
28977 + [_DRM_FRAME_BUFFER] = "FB",
28978 + [_DRM_REGISTERS] = "REG",
28979 + [_DRM_SHM] = "SHM",
28980 + [_DRM_AGP] = "AGP",
28981 + [_DRM_SCATTER_GATHER] = "SG",
28982 + [_DRM_CONSISTENT] = "PCI",
28983 + [_DRM_GEM] = "GEM" };
28984 const char *type;
28985 int i;
28986
28987 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
28988 map = r_list->map;
28989 if (!map)
28990 continue;
28991 - if (map->type < 0 || map->type > 5)
28992 + if (map->type >= ARRAY_SIZE(types))
28993 type = "??";
28994 else
28995 type = types[map->type];
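Review bot: `types[map->type]` can now yield NULL, because a table built from designated initializers leaves any index without an initializer as a null pointer, and the `ARRAY_SIZE(types)` bound only rules out indexes past the end. Whether the `_DRM_*` values are contiguous is not visible here; if they are, the table is dense today and the risk is a future gap in the enum. A cheap guard is `type = types[map->type]; if (!type) type = "??";`. The bound also relies on `map->type` being converted to an unsigned type in the comparison to reject negative values, which deserves a short comment now that the `< 0` test is gone.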
28996 @@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
28997 struct drm_device *dev = node->minor->dev;
28998
28999 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
29000 - seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
29001 + seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
29002 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
29003 - seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
29004 - seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
29005 + seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
29006 + seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
29007 seq_printf(m, "%d gtt total\n", dev->gtt_total);
29008 return 0;
29009 }
29010 @@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
29011 mutex_lock(&dev->struct_mutex);
29012 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
29013 atomic_read(&dev->vma_count),
29014 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29015 + NULL, 0);
29016 +#else
29017 high_memory, (u64)virt_to_phys(high_memory));
29018 +#endif
29019
29020 list_for_each_entry(pt, &dev->vmalist, head) {
29021 vma = pt->vma;
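Review bot: Under CONFIG_GRKERNSEC_HIDESYM the literal `0` passed for `0x%08llx` is an int, while the conversion expects an unsigned long long, so the variadic argument has the wrong width and seq_printf may print stale data on 32-bit builds. Write the placeholder with the matching type: `NULL, 0ULL);`. The following drm_vma_info hunk has the same problem with `0, 0,` for the two `0x%08lx` conversions and `0);` for `0x%08lx000`; those should be `0UL, 0UL,` and `0UL);`. Splitting the argument list across `#ifdef` branches also makes the format/argument pairing hard to check, so a comment naming which conversions each branch feeds would help.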
29022 @@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
29023 continue;
29024 seq_printf(m,
29025 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
29026 - pt->pid, vma->vm_start, vma->vm_end,
29027 + pt->pid,
29028 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29029 + 0, 0,
29030 +#else
29031 + vma->vm_start, vma->vm_end,
29032 +#endif
29033 vma->vm_flags & VM_READ ? 'r' : '-',
29034 vma->vm_flags & VM_WRITE ? 'w' : '-',
29035 vma->vm_flags & VM_EXEC ? 'x' : '-',
29036 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29037 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29038 vma->vm_flags & VM_IO ? 'i' : '-',
29039 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29040 + 0);
29041 +#else
29042 vma->vm_pgoff);
29043 +#endif
29044
29045 #if defined(__i386__)
29046 pgprot = pgprot_val(vma->vm_page_prot);
29047 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.43/drivers/gpu/drm/drm_ioctl.c
29048 --- linux-2.6.32.43/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
29049 +++ linux-2.6.32.43/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
29050 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
29051 stats->data[i].value =
29052 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29053 else
29054 - stats->data[i].value = atomic_read(&dev->counts[i]);
29055 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29056 stats->data[i].type = dev->types[i];
29057 }
29058
29059 diff -urNp linux-2.6.32.43/drivers/gpu/drm/drm_lock.c linux-2.6.32.43/drivers/gpu/drm/drm_lock.c
29060 --- linux-2.6.32.43/drivers/gpu/drm/drm_lock.c 2011-03-27 14:31:47.000000000 -0400
29061 +++ linux-2.6.32.43/drivers/gpu/drm/drm_lock.c 2011-04-17 15:56:46.000000000 -0400
29062 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
29063 if (drm_lock_take(&master->lock, lock->context)) {
29064 master->lock.file_priv = file_priv;
29065 master->lock.lock_time = jiffies;
29066 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29067 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29068 break; /* Got lock */
29069 }
29070
29071 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
29072 return -EINVAL;
29073 }
29074
29075 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29076 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29077
29078 /* kernel_context_switch isn't used by any of the x86 drm
29079 * modules but is required by the Sparc driver.
29080 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.43/drivers/gpu/drm/i810/i810_dma.c
29081 --- linux-2.6.32.43/drivers/gpu/drm/i810/i810_dma.c 2011-03-27 14:31:47.000000000 -0400
29082 +++ linux-2.6.32.43/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:56:46.000000000 -0400
29083 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
29084 dma->buflist[vertex->idx],
29085 vertex->discard, vertex->used);
29086
29087 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29088 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29089 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29090 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29091 sarea_priv->last_enqueue = dev_priv->counter - 1;
29092 sarea_priv->last_dispatch = (int)hw_status[5];
29093
29094 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
29095 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29096 mc->last_render);
29097
29098 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29099 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29100 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29101 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29102 sarea_priv->last_enqueue = dev_priv->counter - 1;
29103 sarea_priv->last_dispatch = (int)hw_status[5];
29104
29105 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.43/drivers/gpu/drm/i810/i810_drv.h
29106 --- linux-2.6.32.43/drivers/gpu/drm/i810/i810_drv.h 2011-03-27 14:31:47.000000000 -0400
29107 +++ linux-2.6.32.43/drivers/gpu/drm/i810/i810_drv.h 2011-05-04 17:56:28.000000000 -0400
29108 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29109 int page_flipping;
29110
29111 wait_queue_head_t irq_queue;
29112 - atomic_t irq_received;
29113 - atomic_t irq_emitted;
29114 + atomic_unchecked_t irq_received;
29115 + atomic_unchecked_t irq_emitted;
29116
29117 int front_offset;
29118 } drm_i810_private_t;
29119 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.43/drivers/gpu/drm/i830/i830_drv.h
29120 --- linux-2.6.32.43/drivers/gpu/drm/i830/i830_drv.h 2011-03-27 14:31:47.000000000 -0400
29121 +++ linux-2.6.32.43/drivers/gpu/drm/i830/i830_drv.h 2011-05-04 17:56:28.000000000 -0400
29122 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
29123 int page_flipping;
29124
29125 wait_queue_head_t irq_queue;
29126 - atomic_t irq_received;
29127 - atomic_t irq_emitted;
29128 + atomic_unchecked_t irq_received;
29129 + atomic_unchecked_t irq_emitted;
29130
29131 int use_mi_batchbuffer_start;
29132
29133 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.43/drivers/gpu/drm/i830/i830_irq.c
29134 --- linux-2.6.32.43/drivers/gpu/drm/i830/i830_irq.c 2011-03-27 14:31:47.000000000 -0400
29135 +++ linux-2.6.32.43/drivers/gpu/drm/i830/i830_irq.c 2011-05-04 17:56:28.000000000 -0400
29136 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
29137
29138 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
29139
29140 - atomic_inc(&dev_priv->irq_received);
29141 + atomic_inc_unchecked(&dev_priv->irq_received);
29142 wake_up_interruptible(&dev_priv->irq_queue);
29143
29144 return IRQ_HANDLED;
29145 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
29146
29147 DRM_DEBUG("%s\n", __func__);
29148
29149 - atomic_inc(&dev_priv->irq_emitted);
29150 + atomic_inc_unchecked(&dev_priv->irq_emitted);
29151
29152 BEGIN_LP_RING(2);
29153 OUT_RING(0);
29154 OUT_RING(GFX_OP_USER_INTERRUPT);
29155 ADVANCE_LP_RING();
29156
29157 - return atomic_read(&dev_priv->irq_emitted);
29158 + return atomic_read_unchecked(&dev_priv->irq_emitted);
29159 }
29160
29161 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
29162 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
29163
29164 DRM_DEBUG("%s\n", __func__);
29165
29166 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
29167 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
29168 return 0;
29169
29170 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
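Review bot: Declaring `irq_received` as `atomic_unchecked_t` accepts that the counter wraps, but the test `atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr` is a plain signed comparison and gives the wrong answer around the wrap point. A wrap-tolerant form compares the difference instead, `if ((int)((unsigned)atomic_read_unchecked(&dev_priv->irq_received) - (unsigned)irq_nr) >= 0)`. The loop test in the next i830_wait_irq hunk has the same comparison. If wrap is considered unreachable in practice, a comment saying so next to the test would be enough.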
29171 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
29172
29173 for (;;) {
29174 __set_current_state(TASK_INTERRUPTIBLE);
29175 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
29176 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
29177 break;
29178 if ((signed)(end - jiffies) <= 0) {
29179 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
29180 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
29181 I830_WRITE16(I830REG_HWSTAM, 0xffff);
29182 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
29183 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
29184 - atomic_set(&dev_priv->irq_received, 0);
29185 - atomic_set(&dev_priv->irq_emitted, 0);
29186 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29187 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
29188 init_waitqueue_head(&dev_priv->irq_queue);
29189 }
29190
29191 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7017.c
29192 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-27 14:31:47.000000000 -0400
29193 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:56:46.000000000 -0400
29194 @@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
29195 }
29196 }
29197
29198 -struct intel_dvo_dev_ops ch7017_ops = {
29199 +const struct intel_dvo_dev_ops ch7017_ops = {
29200 .init = ch7017_init,
29201 .detect = ch7017_detect,
29202 .mode_valid = ch7017_mode_valid,
29203 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7xxx.c
29204 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-27 14:31:47.000000000 -0400
29205 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:56:46.000000000 -0400
29206 @@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
29207 }
29208 }
29209
29210 -struct intel_dvo_dev_ops ch7xxx_ops = {
29211 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29212 .init = ch7xxx_init,
29213 .detect = ch7xxx_detect,
29214 .mode_valid = ch7xxx_mode_valid,
29215 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo.h linux-2.6.32.43/drivers/gpu/drm/i915/dvo.h
29216 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo.h 2011-03-27 14:31:47.000000000 -0400
29217 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:56:46.000000000 -0400
29218 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
29219 *
29220 * \return singly-linked list of modes or NULL if no modes found.
29221 */
29222 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29223 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29224
29225 /**
29226 * Clean up driver-specific bits of the output
29227 */
29228 - void (*destroy) (struct intel_dvo_device *dvo);
29229 + void (* const destroy) (struct intel_dvo_device *dvo);
29230
29231 /**
29232 * Debugging hook to dump device registers to log file
29233 */
29234 - void (*dump_regs)(struct intel_dvo_device *dvo);
29235 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29236 };
29237
29238 -extern struct intel_dvo_dev_ops sil164_ops;
29239 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29240 -extern struct intel_dvo_dev_ops ivch_ops;
29241 -extern struct intel_dvo_dev_ops tfp410_ops;
29242 -extern struct intel_dvo_dev_ops ch7017_ops;
29243 +extern const struct intel_dvo_dev_ops sil164_ops;
29244 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29245 +extern const struct intel_dvo_dev_ops ivch_ops;
29246 +extern const struct intel_dvo_dev_ops tfp410_ops;
29247 +extern const struct intel_dvo_dev_ops ch7017_ops;
29248
29249 #endif /* _INTEL_DVO_H */
29250 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ivch.c
29251 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-27 14:31:47.000000000 -0400
29252 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:56:46.000000000 -0400
29253 @@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
29254 }
29255 }
29256
29257 -struct intel_dvo_dev_ops ivch_ops= {
29258 +const struct intel_dvo_dev_ops ivch_ops= {
29259 .init = ivch_init,
29260 .dpms = ivch_dpms,
29261 .save = ivch_save,
29262 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.43/drivers/gpu/drm/i915/dvo_sil164.c
29263 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-27 14:31:47.000000000 -0400
29264 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:56:46.000000000 -0400
29265 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
29266 }
29267 }
29268
29269 -struct intel_dvo_dev_ops sil164_ops = {
29270 +const struct intel_dvo_dev_ops sil164_ops = {
29271 .init = sil164_init,
29272 .detect = sil164_detect,
29273 .mode_valid = sil164_mode_valid,
29274 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.43/drivers/gpu/drm/i915/dvo_tfp410.c
29275 --- linux-2.6.32.43/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-27 14:31:47.000000000 -0400
29276 +++ linux-2.6.32.43/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:56:46.000000000 -0400
29277 @@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
29278 }
29279 }
29280
29281 -struct intel_dvo_dev_ops tfp410_ops = {
29282 +const struct intel_dvo_dev_ops tfp410_ops = {
29283 .init = tfp410_init,
29284 .detect = tfp410_detect,
29285 .mode_valid = tfp410_mode_valid,
29286 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.43/drivers/gpu/drm/i915/i915_debugfs.c
29287 --- linux-2.6.32.43/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-27 14:31:47.000000000 -0400
29288 +++ linux-2.6.32.43/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-04 17:56:28.000000000 -0400
29289 @@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
29290 I915_READ(GTIMR));
29291 }
29292 seq_printf(m, "Interrupts received: %d\n",
29293 - atomic_read(&dev_priv->irq_received));
29294 + atomic_read_unchecked(&dev_priv->irq_received));
29295 if (dev_priv->hw_status_page != NULL) {
29296 seq_printf(m, "Current sequence: %d\n",
29297 i915_get_gem_seqno(dev));
29298 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.c
29299 --- linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.c 2011-03-27 14:31:47.000000000 -0400
29300 +++ linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:56:46.000000000 -0400
29301 @@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
29302 return i915_resume(dev);
29303 }
29304
29305 -static struct vm_operations_struct i915_gem_vm_ops = {
29306 +static const struct vm_operations_struct i915_gem_vm_ops = {
29307 .fault = i915_gem_fault,
29308 .open = drm_gem_vm_open,
29309 .close = drm_gem_vm_close,
29310 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.h
29311 --- linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.h 2011-03-27 14:31:47.000000000 -0400
29312 +++ linux-2.6.32.43/drivers/gpu/drm/i915/i915_drv.h 2011-08-05 20:33:55.000000000 -0400
29313 @@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
29314 /* display clock increase/decrease */
29315 /* pll clock increase/decrease */
29316 /* clock gating init */
29317 -};
29318 +} __no_const;
29319
29320 typedef struct drm_i915_private {
29321 struct drm_device *dev;
29322 @@ -197,7 +197,7 @@ typedef struct drm_i915_private {
29323 int page_flipping;
29324
29325 wait_queue_head_t irq_queue;
29326 - atomic_t irq_received;
29327 + atomic_unchecked_t irq_received;
29328 /** Protects user_irq_refcount and irq_mask_reg */
29329 spinlock_t user_irq_lock;
29330 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
29331 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.43/drivers/gpu/drm/i915/i915_gem.c
29332 --- linux-2.6.32.43/drivers/gpu/drm/i915/i915_gem.c 2011-03-27 14:31:47.000000000 -0400
29333 +++ linux-2.6.32.43/drivers/gpu/drm/i915/i915_gem.c 2011-04-17 15:56:46.000000000 -0400
29334 @@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
29335
29336 args->aper_size = dev->gtt_total;
29337 args->aper_available_size = (args->aper_size -
29338 - atomic_read(&dev->pin_memory));
29339 + atomic_read_unchecked(&dev->pin_memory));
29340
29341 return 0;
29342 }
29343 @@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
29344 return -EINVAL;
29345 }
29346
29347 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
29348 + drm_gem_object_unreference(obj);
29349 + return -EFAULT;
29350 + }
29351 +
29352 if (i915_gem_object_needs_bit17_swizzle(obj)) {
29353 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
29354 } else {
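Review bot: The new `access_ok(VERIFY_WRITE, ..., args->size)` check may see a truncated length on 32-bit builds: the `(uintptr_t)` cast on `args->data_ptr` suggests the ioctl fields are 64-bit, while access_ok checks a range whose length is at most an unsigned long (the field types are not visible in this hunk, so please confirm). If `size` is 64-bit, reject values that do not fit before the range check, e.g. `if (args->size > ULONG_MAX || !access_ok(VERIFY_WRITE, (char __user *)(uintptr_t)args->data_ptr, args->size)) {`. The same applies to the `VERIFY_READ` check added in the i915_gem_pwrite_ioctl hunk. Both function bodies continue outside their hunks.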
29355 @@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
29356 return -EINVAL;
29357 }
29358
29359 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
29360 + drm_gem_object_unreference(obj);
29361 + return -EFAULT;
29362 + }
29363 +
29364 /* We can only do the GTT pwrite on untiled buffers, as otherwise
29365 * it would end up going through the fenced access, and we'll get
29366 * different detiling behavior between reading and writing.
29367 @@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
29368
29369 if (obj_priv->gtt_space) {
29370 atomic_dec(&dev->gtt_count);
29371 - atomic_sub(obj->size, &dev->gtt_memory);
29372 + atomic_sub_unchecked(obj->size, &dev->gtt_memory);
29373
29374 drm_mm_put_block(obj_priv->gtt_space);
29375 obj_priv->gtt_space = NULL;
29376 @@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
29377 goto search_free;
29378 }
29379 atomic_inc(&dev->gtt_count);
29380 - atomic_add(obj->size, &dev->gtt_memory);
29381 + atomic_add_unchecked(obj->size, &dev->gtt_memory);
29382
29383 /* Assert that the object is not currently in any GPU domain. As it
29384 * wasn't in the GTT, there shouldn't be any way it could have been in
29385 @@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
29386 "%d/%d gtt bytes\n",
29387 atomic_read(&dev->object_count),
29388 atomic_read(&dev->pin_count),
29389 - atomic_read(&dev->object_memory),
29390 - atomic_read(&dev->pin_memory),
29391 - atomic_read(&dev->gtt_memory),
29392 + atomic_read_unchecked(&dev->object_memory),
29393 + atomic_read_unchecked(&dev->pin_memory),
29394 + atomic_read_unchecked(&dev->gtt_memory),
29395 dev->gtt_total);
29396 }
29397 goto err;
29398 @@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
29399 */
29400 if (obj_priv->pin_count == 1) {
29401 atomic_inc(&dev->pin_count);
29402 - atomic_add(obj->size, &dev->pin_memory);
29403 + atomic_add_unchecked(obj->size, &dev->pin_memory);
29404 if (!obj_priv->active &&
29405 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
29406 !list_empty(&obj_priv->list))
29407 @@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
29408 list_move_tail(&obj_priv->list,
29409 &dev_priv->mm.inactive_list);
29410 atomic_dec(&dev->pin_count);
29411 - atomic_sub(obj->size, &dev->pin_memory);
29412 + atomic_sub_unchecked(obj->size, &dev->pin_memory);
29413 }
29414 i915_verify_inactive(dev, __FILE__, __LINE__);
29415 }
29416 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.43/drivers/gpu/drm/i915/i915_irq.c
29417 --- linux-2.6.32.43/drivers/gpu/drm/i915/i915_irq.c 2011-03-27 14:31:47.000000000 -0400
29418 +++ linux-2.6.32.43/drivers/gpu/drm/i915/i915_irq.c 2011-05-04 17:56:28.000000000 -0400
29419 @@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29420 int irq_received;
29421 int ret = IRQ_NONE;
29422
29423 - atomic_inc(&dev_priv->irq_received);
29424 + atomic_inc_unchecked(&dev_priv->irq_received);
29425
29426 if (IS_IGDNG(dev))
29427 return igdng_irq_handler(dev);
29428 @@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
29429 {
29430 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29431
29432 - atomic_set(&dev_priv->irq_received, 0);
29433 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29434
29435 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29436 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29437 diff -urNp linux-2.6.32.43/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.43/drivers/gpu/drm/i915/intel_sdvo.c
29438 --- linux-2.6.32.43/drivers/gpu/drm/i915/intel_sdvo.c 2011-03-27 14:31:47.000000000 -0400
29439 +++ linux-2.6.32.43/drivers/gpu/drm/i915/intel_sdvo.c 2011-08-05 20:33:55.000000000 -0400
29440 @@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
29441 sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
29442
29443 /* Save the bit-banging i2c functionality for use by the DDC wrapper */
29444 - intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
29445 + pax_open_kernel();
29446 + *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
29447 + pax_close_kernel();
29448
29449 /* Read the regs to test if we can talk to the device */
29450 for (i = 0; i < 0x40; i++) {
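Review bot: The store `*(void **)&intel_sdvo_i2c_bit_algo.functionality = ...` goes through a `void **` cast, so the compiler no longer checks that the assigned function matches the member's signature, and nothing explains why the `pax_open_kernel()` / `pax_close_kernel()` pair is needed. Presumably the algorithm structure ends up in write-protected memory under this patch, which is not visible in the hunk. A comment such as `/* intel_sdvo_i2c_bit_algo is read-only at runtime; open the write window for this single store only */` would document that the window must stay this narrow. It would also help to say whether this init path can run concurrently for two SDVO outputs, since both would write the same shared object. `intel_sdvo_init` starts and ends outside the hunk.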
29451 diff -urNp linux-2.6.32.43/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.43/drivers/gpu/drm/mga/mga_drv.h
29452 --- linux-2.6.32.43/drivers/gpu/drm/mga/mga_drv.h 2011-03-27 14:31:47.000000000 -0400
29453 +++ linux-2.6.32.43/drivers/gpu/drm/mga/mga_drv.h 2011-05-04 17:56:28.000000000 -0400
29454 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29455 u32 clear_cmd;
29456 u32 maccess;
29457
29458 - atomic_t vbl_received; /**< Number of vblanks received. */
29459 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29460 wait_queue_head_t fence_queue;
29461 - atomic_t last_fence_retired;
29462 + atomic_unchecked_t last_fence_retired;
29463 u32 next_fence_to_post;
29464
29465 unsigned int fb_cpp;
29466 diff -urNp linux-2.6.32.43/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.43/drivers/gpu/drm/mga/mga_irq.c
29467 --- linux-2.6.32.43/drivers/gpu/drm/mga/mga_irq.c 2011-03-27 14:31:47.000000000 -0400
29468 +++ linux-2.6.32.43/drivers/gpu/drm/mga/mga_irq.c 2011-05-04 17:56:28.000000000 -0400
29469 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29470 if (crtc != 0)
29471 return 0;
29472
29473 - return atomic_read(&dev_priv->vbl_received);
29474 + return atomic_read_unchecked(&dev_priv->vbl_received);
29475 }
29476
29477
29478 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29479 /* VBLANK interrupt */
29480 if (status & MGA_VLINEPEN) {
29481 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29482 - atomic_inc(&dev_priv->vbl_received);
29483 + atomic_inc_unchecked(&dev_priv->vbl_received);
29484 drm_handle_vblank(dev, 0);
29485 handled = 1;
29486 }
29487 @@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29488 MGA_WRITE(MGA_PRIMEND, prim_end);
29489 }
29490
29491 - atomic_inc(&dev_priv->last_fence_retired);
29492 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29493 DRM_WAKEUP(&dev_priv->fence_queue);
29494 handled = 1;
29495 }
29496 @@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
29497 * using fences.
29498 */
29499 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29500 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29501 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29502 - *sequence) <= (1 << 23)));
29503
29504 *sequence = cur_fence;
29505 diff -urNp linux-2.6.32.43/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.43/drivers/gpu/drm/r128/r128_cce.c
29506 --- linux-2.6.32.43/drivers/gpu/drm/r128/r128_cce.c 2011-03-27 14:31:47.000000000 -0400
29507 +++ linux-2.6.32.43/drivers/gpu/drm/r128/r128_cce.c 2011-05-04 17:56:28.000000000 -0400
29508 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29509
29510 /* GH: Simple idle check.
29511 */
29512 - atomic_set(&dev_priv->idle_count, 0);
29513 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29514
29515 /* We don't support anything other than bus-mastering ring mode,
29516 * but the ring can be in either AGP or PCI space for the ring
29517 diff -urNp linux-2.6.32.43/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.43/drivers/gpu/drm/r128/r128_drv.h
29518 --- linux-2.6.32.43/drivers/gpu/drm/r128/r128_drv.h 2011-03-27 14:31:47.000000000 -0400
29519 +++ linux-2.6.32.43/drivers/gpu/drm/r128/r128_drv.h 2011-05-04 17:56:28.000000000 -0400
29520 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29521 int is_pci;
29522 unsigned long cce_buffers_offset;
29523
29524 - atomic_t idle_count;
29525 + atomic_unchecked_t idle_count;
29526
29527 int page_flipping;
29528 int current_page;
29529 u32 crtc_offset;
29530 u32 crtc_offset_cntl;
29531
29532 - atomic_t vbl_received;
29533 + atomic_unchecked_t vbl_received;
29534
29535 u32 color_fmt;
29536 unsigned int front_offset;
29537 diff -urNp linux-2.6.32.43/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.43/drivers/gpu/drm/r128/r128_irq.c
29538 --- linux-2.6.32.43/drivers/gpu/drm/r128/r128_irq.c 2011-03-27 14:31:47.000000000 -0400
29539 +++ linux-2.6.32.43/drivers/gpu/drm/r128/r128_irq.c 2011-05-04 17:56:28.000000000 -0400
29540 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29541 if (crtc != 0)
29542 return 0;
29543
29544 - return atomic_read(&dev_priv->vbl_received);
29545 + return atomic_read_unchecked(&dev_priv->vbl_received);
29546 }
29547
29548 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29549 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29550 /* VBLANK interrupt */
29551 if (status & R128_CRTC_VBLANK_INT) {
29552 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29553 - atomic_inc(&dev_priv->vbl_received);
29554 + atomic_inc_unchecked(&dev_priv->vbl_received);
29555 drm_handle_vblank(dev, 0);
29556 return IRQ_HANDLED;
29557 }
29558 diff -urNp linux-2.6.32.43/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.43/drivers/gpu/drm/r128/r128_state.c
29559 --- linux-2.6.32.43/drivers/gpu/drm/r128/r128_state.c 2011-03-27 14:31:47.000000000 -0400
29560 +++ linux-2.6.32.43/drivers/gpu/drm/r128/r128_state.c 2011-05-04 17:56:28.000000000 -0400
29561 @@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
29562
29563 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
29564 {
29565 - if (atomic_read(&dev_priv->idle_count) == 0) {
29566 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
29567 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29568 } else {
29569 - atomic_set(&dev_priv->idle_count, 0);
29570 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29571 }
29572 }
29573
29574 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/atom.c linux-2.6.32.43/drivers/gpu/drm/radeon/atom.c
29575 --- linux-2.6.32.43/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:12:01.000000000 -0400
29576 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:46:57.000000000 -0400
29577 @@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
29578 char name[512];
29579 int i;
29580
29581 + pax_track_stack();
29582 +
29583 ctx->card = card;
29584 ctx->bios = bios;
29585
29586 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.43/drivers/gpu/drm/radeon/mkregtable.c
29587 --- linux-2.6.32.43/drivers/gpu/drm/radeon/mkregtable.c 2011-03-27 14:31:47.000000000 -0400
29588 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:56:46.000000000 -0400
29589 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29590 regex_t mask_rex;
29591 regmatch_t match[4];
29592 char buf[1024];
29593 - size_t end;
29594 + long end;
29595 int len;
29596 int done = 0;
29597 int r;
29598 unsigned o;
29599 struct offset *offset;
29600 char last_reg_s[10];
29601 - int last_reg;
29602 + unsigned long last_reg;
29603
29604 if (regcomp
29605 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
29606 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_atombios.c
29607 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_atombios.c 2011-03-27 14:31:47.000000000 -0400
29608 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:46:57.000000000 -0400
29609 @@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
29610 bool linkb;
29611 struct radeon_i2c_bus_rec ddc_bus;
29612
29613 + pax_track_stack();
29614 +
29615 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
29616
29617 if (data_offset == 0)
29618 @@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
29619 }
29620 }
29621
29622 -struct bios_connector {
29623 +static struct bios_connector {
29624 bool valid;
29625 uint16_t line_mux;
29626 uint16_t devices;
29627 int connector_type;
29628 struct radeon_i2c_bus_rec ddc_bus;
29629 -};
29630 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
29631
29632 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
29633 drm_device
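Review bot: Turning `bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` into a file-scope `static` array makes `radeon_get_atom_connector_info_from_supported_devices_table` non-reentrant and lets entries survive from one call to the next. The next hunk removes the on-stack copy, so two radeon devices parsed one after another, or concurrently, now share this table. Whether the function clears every entry's `valid` flag before reading it is not visible here, because its body lies outside the hunk; if it does not, a stale `valid = true` from a previous card could be acted on. I would either clear it on entry with `memset(bios_connectors, 0, sizeof(bios_connectors));` or allocate it per call, and add `/* shared scratch table: callers must be serialized */` above the declaration.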
29634 @@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
29635 uint8_t dac;
29636 union atom_supported_devices *supported_devices;
29637 int i, j;
29638 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
29639
29640 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
29641
29642 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_display.c
29643 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_display.c 2011-03-27 14:31:47.000000000 -0400
29644 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_display.c 2011-04-17 15:56:46.000000000 -0400
29645 @@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
29646
29647 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
29648 error = freq - current_freq;
29649 - error = error < 0 ? 0xffffffff : error;
29650 + error = (int32_t)error < 0 ? 0xffffffff : error;
29651 } else
29652 error = abs(current_freq - freq);
29653 vco_diff = abs(vco - best_vco);
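Review bot: The test `(int32_t)error < 0` detects "freq is below current_freq" only by reinterpreting an unsigned difference as signed, which is implementation-defined for out-of-range values and wrong once the true difference reaches 2^31. The declarations of `error`, `freq` and `current_freq` are outside the hunk, so this assumes they are unsigned 32-bit values, as the need for the cast suggests. Comparing before subtracting states the intent directly: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`.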
29654 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_drv.h
29655 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-27 14:31:47.000000000 -0400
29656 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-04 17:56:28.000000000 -0400
29657 @@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
29658
29659 /* SW interrupt */
29660 wait_queue_head_t swi_queue;
29661 - atomic_t swi_emitted;
29662 + atomic_unchecked_t swi_emitted;
29663 int vblank_crtc;
29664 uint32_t irq_enable_reg;
29665 uint32_t r500_disp_irq_reg;
29666 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_fence.c
29667 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_fence.c 2011-03-27 14:31:47.000000000 -0400
29668 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-04 17:56:28.000000000 -0400
29669 @@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
29670 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29671 return 0;
29672 }
29673 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29674 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29675 if (!rdev->cp.ready) {
29676 /* FIXME: cp is not running assume everythings is done right
29677 * away
29678 @@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
29679 return r;
29680 }
29681 WREG32(rdev->fence_drv.scratch_reg, 0);
29682 - atomic_set(&rdev->fence_drv.seq, 0);
29683 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29684 INIT_LIST_HEAD(&rdev->fence_drv.created);
29685 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29686 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29687 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.43/drivers/gpu/drm/radeon/radeon.h
29688 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon.h 2011-03-27 14:31:47.000000000 -0400
29689 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon.h 2011-08-05 20:33:55.000000000 -0400
29690 @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
29691 */
29692 struct radeon_fence_driver {
29693 uint32_t scratch_reg;
29694 - atomic_t seq;
29695 + atomic_unchecked_t seq;
29696 uint32_t last_seq;
29697 unsigned long count_timeout;
29698 wait_queue_head_t queue;
29699 @@ -640,7 +640,7 @@ struct radeon_asic {
29700 uint32_t offset, uint32_t obj_size);
29701 int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
29702 void (*bandwidth_update)(struct radeon_device *rdev);
29703 -};
29704 +} __no_const;
29705
29706 /*
29707 * Asic structures
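Review bot: The `__no_const` annotation on `struct radeon_asic` has no comment explaining why this table of function pointers must stay writable. The annotation presumably opts the structure out of the patch's automatic constification because the driver fills or changes the callbacks at runtime, but the writers are not visible in this hunk. Writable ops tables are exactly what constification is meant to remove, so the exemption deserves a recorded reason, for example `/* __no_const: callbacks are selected per ASIC at init time, see radeon_asic_init() — TODO confirm */`. That gives a later audit something to check the exemption against.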
29708 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ioc32.c
29709 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-27 14:31:47.000000000 -0400
29710 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-23 13:57:24.000000000 -0400
29711 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
29712 request = compat_alloc_user_space(sizeof(*request));
29713 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
29714 || __put_user(req32.param, &request->param)
29715 - || __put_user((void __user *)(unsigned long)req32.value,
29716 + || __put_user((unsigned long)req32.value,
29717 &request->value))
29718 return -EFAULT;
29719
29720 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_irq.c
29721 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-27 14:31:47.000000000 -0400
29722 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-04 17:56:28.000000000 -0400
29723 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
29724 unsigned int ret;
29725 RING_LOCALS;
29726
29727 - atomic_inc(&dev_priv->swi_emitted);
29728 - ret = atomic_read(&dev_priv->swi_emitted);
29729 + atomic_inc_unchecked(&dev_priv->swi_emitted);
29730 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
29731
29732 BEGIN_RING(4);
29733 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
29734 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
29735 drm_radeon_private_t *dev_priv =
29736 (drm_radeon_private_t *) dev->dev_private;
29737
29738 - atomic_set(&dev_priv->swi_emitted, 0);
29739 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
29740 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
29741
29742 dev->max_vblank_count = 0x001fffff;
29743 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_state.c
29744 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_state.c 2011-03-27 14:31:47.000000000 -0400
29745 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:56:46.000000000 -0400
29746 @@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
29747 {
29748 drm_radeon_private_t *dev_priv = dev->dev_private;
29749 drm_radeon_getparam_t *param = data;
29750 - int value;
29751 + int value = 0;
29752
29753 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
29754
29755 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ttm.c
29756 --- linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-27 14:31:47.000000000 -0400
29757 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:56:46.000000000 -0400
29758 @@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
29759 DRM_INFO("radeon: ttm finalized\n");
29760 }
29761
29762 -static struct vm_operations_struct radeon_ttm_vm_ops;
29763 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
29764 -
29765 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
29766 -{
29767 - struct ttm_buffer_object *bo;
29768 - int r;
29769 -
29770 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
29771 - if (bo == NULL) {
29772 - return VM_FAULT_NOPAGE;
29773 - }
29774 - r = ttm_vm_ops->fault(vma, vmf);
29775 - return r;
29776 -}
29777 -
29778 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
29779 {
29780 struct drm_file *file_priv;
29781 struct radeon_device *rdev;
29782 - int r;
29783
29784 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
29785 return drm_mmap(filp, vma);
29786 @@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
29787
29788 file_priv = (struct drm_file *)filp->private_data;
29789 rdev = file_priv->minor->dev->dev_private;
29790 - if (rdev == NULL) {
29791 + if (!rdev)
29792 return -EINVAL;
29793 - }
29794 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
29795 - if (unlikely(r != 0)) {
29796 - return r;
29797 - }
29798 - if (unlikely(ttm_vm_ops == NULL)) {
29799 - ttm_vm_ops = vma->vm_ops;
29800 - radeon_ttm_vm_ops = *ttm_vm_ops;
29801 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
29802 - }
29803 - vma->vm_ops = &radeon_ttm_vm_ops;
29804 - return 0;
29805 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
29806 }
29807
29808
29809 diff -urNp linux-2.6.32.43/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.43/drivers/gpu/drm/radeon/rs690.c
29810 --- linux-2.6.32.43/drivers/gpu/drm/radeon/rs690.c 2011-03-27 14:31:47.000000000 -0400
29811 +++ linux-2.6.32.43/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:56:46.000000000 -0400
29812 @@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
29813 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
29814 rdev->pm.sideport_bandwidth.full)
29815 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
29816 - read_delay_latency.full = rfixed_const(370 * 800 * 1000);
29817 + read_delay_latency.full = rfixed_const(800 * 1000);
29818 read_delay_latency.full = rfixed_div(read_delay_latency,
29819 rdev->pm.igp_sideport_mclk);
29820 + a.full = rfixed_const(370);
29821 + read_delay_latency.full = rfixed_mul(read_delay_latency, a);
29822 } else {
29823 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
29824 rdev->pm.k8_bandwidth.full)
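Review bot: The reordering in `rs690_crtc_bandwidth_compute` (divide `800 * 1000` by `igp_sideport_mclk` first, then multiply by 370) has no comment, so a later cleanup could fold the constants back into `rfixed_const(370 * 800 * 1000)`. Assuming radeon's fixed-point type keeps 20 integer bits in a 32-bit word, that original constant cannot be represented, which is presumably what this change fixes. A one-line comment such as `/* scale by 370 after the division: 370 * 800 * 1000 overflows the fixed-point range */` would preserve the reason. It is also worth confirming that the product still fits for the smallest `igp_sideport_mclk` the hardware reports, and that `a` is not live across this assignment; its declaration is outside the hunk.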
29825 diff -urNp linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo.c
29826 --- linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-27 14:31:47.000000000 -0400
29827 +++ linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo.c 2011-04-23 12:56:11.000000000 -0400
29828 @@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
29829 NULL
29830 };
29831
29832 -static struct sysfs_ops ttm_bo_global_ops = {
29833 +static const struct sysfs_ops ttm_bo_global_ops = {
29834 .show = &ttm_bo_global_show
29835 };
29836
29837 diff -urNp linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo_vm.c
29838 --- linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-27 14:31:47.000000000 -0400
29839 +++ linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:56:46.000000000 -0400
29840 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
29841 {
29842 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
29843 vma->vm_private_data;
29844 - struct ttm_bo_device *bdev = bo->bdev;
29845 + struct ttm_bo_device *bdev;
29846 unsigned long bus_base;
29847 unsigned long bus_offset;
29848 unsigned long bus_size;
29849 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
29850 unsigned long address = (unsigned long)vmf->virtual_address;
29851 int retval = VM_FAULT_NOPAGE;
29852
29853 + if (!bo)
29854 + return VM_FAULT_NOPAGE;
29855 + bdev = bo->bdev;
29856 +
29857 /*
29858 * Work around locking order reversal in fault / nopfn
29859 * between mmap_sem and bo_reserve: Perform a trylock operation
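Review bot: The new guard `if (!bo) return VM_FAULT_NOPAGE;` in `ttm_bo_vm_fault` returns a code that tells the fault path a mapping was installed when none was. If `vma->vm_private_data` stays NULL, the faulting access would presumably just fault again rather than fail; `VM_FAULT_SIGBUS` would end it cleanly. This check replaces the `radeon_ttm_fault` wrapper deleted in the radeon_ttm.c hunks earlier in the patch, so the two changes only make sense together. A comment should say when `vm_private_data` can legitimately be NULL, for example `/* vm_private_data is cleared when the bo is torn down while the vma is still mapped — TODO confirm */`. The function body continues outside the hunk.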
29860 diff -urNp linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_global.c
29861 --- linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_global.c 2011-03-27 14:31:47.000000000 -0400
29862 +++ linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_global.c 2011-04-17 15:56:46.000000000 -0400
29863 @@ -36,7 +36,7 @@
29864 struct ttm_global_item {
29865 struct mutex mutex;
29866 void *object;
29867 - int refcount;
29868 + atomic_t refcount;
29869 };
29870
29871 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
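Review bot: Changing `refcount` to `atomic_t` does not make the count safe to use without `item->mutex`, and the declaration should say so. In the later hunks `ttm_global_item_ref` still does a separate `atomic_read(&item->refcount) == 0` followed by `atomic_inc()`, and `ttm_global_item_unref` pairs a `BUG_ON(atomic_read(...) == 0)` with `atomic_dec_and_test()`; both sequences are correct only because the mutex is held around them. The conversion is presumably there so the patch's overflow detection on `atomic_t` covers this reference count. I would annotate the field as `atomic_t refcount; /* protected by mutex; atomic_t only for overflow checking */`.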
29872 @@ -49,7 +49,7 @@ void ttm_global_init(void)
29873 struct ttm_global_item *item = &glob[i];
29874 mutex_init(&item->mutex);
29875 item->object = NULL;
29876 - item->refcount = 0;
29877 + atomic_set(&item->refcount, 0);
29878 }
29879 }
29880
29881 @@ -59,7 +59,7 @@ void ttm_global_release(void)
29882 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
29883 struct ttm_global_item *item = &glob[i];
29884 BUG_ON(item->object != NULL);
29885 - BUG_ON(item->refcount != 0);
29886 + BUG_ON(atomic_read(&item->refcount) != 0);
29887 }
29888 }
29889
29890 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
29891 void *object;
29892
29893 mutex_lock(&item->mutex);
29894 - if (item->refcount == 0) {
29895 + if (atomic_read(&item->refcount) == 0) {
29896 item->object = kzalloc(ref->size, GFP_KERNEL);
29897 if (unlikely(item->object == NULL)) {
29898 ret = -ENOMEM;
29899 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
29900 goto out_err;
29901
29902 }
29903 - ++item->refcount;
29904 + atomic_inc(&item->refcount);
29905 ref->object = item->object;
29906 object = item->object;
29907 mutex_unlock(&item->mutex);
29908 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
29909 struct ttm_global_item *item = &glob[ref->global_type];
29910
29911 mutex_lock(&item->mutex);
29912 - BUG_ON(item->refcount == 0);
29913 + BUG_ON(atomic_read(&item->refcount) == 0);
29914 BUG_ON(ref->object != item->object);
29915 - if (--item->refcount == 0) {
29916 + if (atomic_dec_and_test(&item->refcount)) {
29917 ref->release(ref);
29918 item->object = NULL;
29919 }
29920 diff -urNp linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_memory.c
29921 --- linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_memory.c 2011-03-27 14:31:47.000000000 -0400
29922 +++ linux-2.6.32.43/drivers/gpu/drm/ttm/ttm_memory.c 2011-04-17 15:56:46.000000000 -0400
29923 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
29924 NULL
29925 };
29926
29927 -static struct sysfs_ops ttm_mem_zone_ops = {
29928 +static const struct sysfs_ops ttm_mem_zone_ops = {
29929 .show = &ttm_mem_zone_show,
29930 .store = &ttm_mem_zone_store
29931 };
29932 diff -urNp linux-2.6.32.43/drivers/gpu/drm/via/via_drv.h linux-2.6.32.43/drivers/gpu/drm/via/via_drv.h
29933 --- linux-2.6.32.43/drivers/gpu/drm/via/via_drv.h 2011-03-27 14:31:47.000000000 -0400
29934 +++ linux-2.6.32.43/drivers/gpu/drm/via/via_drv.h 2011-05-04 17:56:28.000000000 -0400
29935 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
29936 typedef uint32_t maskarray_t[5];
29937
29938 typedef struct drm_via_irq {
29939 - atomic_t irq_received;
29940 + atomic_unchecked_t irq_received;
29941 uint32_t pending_mask;
29942 uint32_t enable_mask;
29943 wait_queue_head_t irq_queue;
29944 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
29945 struct timeval last_vblank;
29946 int last_vblank_valid;
29947 unsigned usec_per_vblank;
29948 - atomic_t vbl_received;
29949 + atomic_unchecked_t vbl_received;
29950 drm_via_state_t hc_state;
29951 char pci_buf[VIA_PCI_BUF_SIZE];
29952 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
29953 diff -urNp linux-2.6.32.43/drivers/gpu/drm/via/via_irq.c linux-2.6.32.43/drivers/gpu/drm/via/via_irq.c
29954 --- linux-2.6.32.43/drivers/gpu/drm/via/via_irq.c 2011-03-27 14:31:47.000000000 -0400
29955 +++ linux-2.6.32.43/drivers/gpu/drm/via/via_irq.c 2011-05-04 17:56:28.000000000 -0400
29956 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
29957 if (crtc != 0)
29958 return 0;
29959
29960 - return atomic_read(&dev_priv->vbl_received);
29961 + return atomic_read_unchecked(&dev_priv->vbl_received);
29962 }
29963
29964 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
29965 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
29966
29967 status = VIA_READ(VIA_REG_INTERRUPT);
29968 if (status & VIA_IRQ_VBLANK_PENDING) {
29969 - atomic_inc(&dev_priv->vbl_received);
29970 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
29971 + atomic_inc_unchecked(&dev_priv->vbl_received);
29972 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
29973 do_gettimeofday(&cur_vblank);
29974 if (dev_priv->last_vblank_valid) {
29975 dev_priv->usec_per_vblank =
29976 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
29977 dev_priv->last_vblank = cur_vblank;
29978 dev_priv->last_vblank_valid = 1;
29979 }
29980 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
29981 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
29982 DRM_DEBUG("US per vblank is: %u\n",
29983 dev_priv->usec_per_vblank);
29984 }
29985 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
29986
29987 for (i = 0; i < dev_priv->num_irqs; ++i) {
29988 if (status & cur_irq->pending_mask) {
29989 - atomic_inc(&cur_irq->irq_received);
29990 + atomic_inc_unchecked(&cur_irq->irq_received);
29991 DRM_WAKEUP(&cur_irq->irq_queue);
29992 handled = 1;
29993 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
29994 @@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
29995 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
29996 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
29997 masks[irq][4]));
29998 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
29999 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30000 } else {
30001 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30002 (((cur_irq_sequence =
30003 - atomic_read(&cur_irq->irq_received)) -
30004 + atomic_read_unchecked(&cur_irq->irq_received)) -
30005 *sequence) <= (1 << 23)));
30006 }
30007 *sequence = cur_irq_sequence;
30008 @@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
30009 }
30010
30011 for (i = 0; i < dev_priv->num_irqs; ++i) {
30012 - atomic_set(&cur_irq->irq_received, 0);
30013 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30014 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30015 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30016 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30017 @@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
30018 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30019 case VIA_IRQ_RELATIVE:
30020 irqwait->request.sequence +=
30021 - atomic_read(&cur_irq->irq_received);
30022 + atomic_read_unchecked(&cur_irq->irq_received);
30023 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30024 case VIA_IRQ_ABSOLUTE:
30025 break;
30026 diff -urNp linux-2.6.32.43/drivers/hid/hid-core.c linux-2.6.32.43/drivers/hid/hid-core.c
30027 --- linux-2.6.32.43/drivers/hid/hid-core.c 2011-05-10 22:12:01.000000000 -0400
30028 +++ linux-2.6.32.43/drivers/hid/hid-core.c 2011-05-10 22:12:32.000000000 -0400
30029 @@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
30030
30031 int hid_add_device(struct hid_device *hdev)
30032 {
30033 - static atomic_t id = ATOMIC_INIT(0);
30034 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30035 int ret;
30036
30037 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30038 @@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
30039 /* XXX hack, any other cleaner solution after the driver core
30040 * is converted to allow more than 20 bytes as the device name? */
30041 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30042 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30043 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30044
30045 ret = device_add(&hdev->dev);
30046 if (!ret)
30047 diff -urNp linux-2.6.32.43/drivers/hid/usbhid/hiddev.c linux-2.6.32.43/drivers/hid/usbhid/hiddev.c
30048 --- linux-2.6.32.43/drivers/hid/usbhid/hiddev.c 2011-03-27 14:31:47.000000000 -0400
30049 +++ linux-2.6.32.43/drivers/hid/usbhid/hiddev.c 2011-04-17 15:56:46.000000000 -0400
30050 @@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
30051 return put_user(HID_VERSION, (int __user *)arg);
30052
30053 case HIDIOCAPPLICATION:
30054 - if (arg < 0 || arg >= hid->maxapplication)
30055 + if (arg >= hid->maxapplication)
30056 return -EINVAL;
30057
30058 for (i = 0; i < hid->maxcollection; i++)
30059 diff -urNp linux-2.6.32.43/drivers/hwmon/lis3lv02d.c linux-2.6.32.43/drivers/hwmon/lis3lv02d.c
30060 --- linux-2.6.32.43/drivers/hwmon/lis3lv02d.c 2011-03-27 14:31:47.000000000 -0400
30061 +++ linux-2.6.32.43/drivers/hwmon/lis3lv02d.c 2011-05-04 17:56:28.000000000 -0400
30062 @@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
30063 * the lid is closed. This leads to interrupts as soon as a little move
30064 * is done.
30065 */
30066 - atomic_inc(&lis3_dev.count);
30067 + atomic_inc_unchecked(&lis3_dev.count);
30068
30069 wake_up_interruptible(&lis3_dev.misc_wait);
30070 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30071 @@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
30072 if (test_and_set_bit(0, &lis3_dev.misc_opened))
30073 return -EBUSY; /* already open */
30074
30075 - atomic_set(&lis3_dev.count, 0);
30076 + atomic_set_unchecked(&lis3_dev.count, 0);
30077
30078 /*
30079 * The sensor can generate interrupts for free-fall and direction
30080 @@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
30081 add_wait_queue(&lis3_dev.misc_wait, &wait);
30082 while (true) {
30083 set_current_state(TASK_INTERRUPTIBLE);
30084 - data = atomic_xchg(&lis3_dev.count, 0);
30085 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30086 if (data)
30087 break;
30088
30089 @@ -244,7 +244,7 @@ out:
30090 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30091 {
30092 poll_wait(file, &lis3_dev.misc_wait, wait);
30093 - if (atomic_read(&lis3_dev.count))
30094 + if (atomic_read_unchecked(&lis3_dev.count))
30095 return POLLIN | POLLRDNORM;
30096 return 0;
30097 }
30098 diff -urNp linux-2.6.32.43/drivers/hwmon/lis3lv02d.h linux-2.6.32.43/drivers/hwmon/lis3lv02d.h
30099 --- linux-2.6.32.43/drivers/hwmon/lis3lv02d.h 2011-03-27 14:31:47.000000000 -0400
30100 +++ linux-2.6.32.43/drivers/hwmon/lis3lv02d.h 2011-05-04 17:56:28.000000000 -0400
30101 @@ -201,7 +201,7 @@ struct lis3lv02d {
30102
30103 struct input_polled_dev *idev; /* input device */
30104 struct platform_device *pdev; /* platform device */
30105 - atomic_t count; /* interrupt count after last read */
30106 + atomic_unchecked_t count; /* interrupt count after last read */
30107 int xcalib; /* calibrated null value for x */
30108 int ycalib; /* calibrated null value for y */
30109 int zcalib; /* calibrated null value for z */
30110 diff -urNp linux-2.6.32.43/drivers/hwmon/sht15.c linux-2.6.32.43/drivers/hwmon/sht15.c
30111 --- linux-2.6.32.43/drivers/hwmon/sht15.c 2011-03-27 14:31:47.000000000 -0400
30112 +++ linux-2.6.32.43/drivers/hwmon/sht15.c 2011-05-04 17:56:28.000000000 -0400
30113 @@ -112,7 +112,7 @@ struct sht15_data {
30114 int supply_uV;
30115 int supply_uV_valid;
30116 struct work_struct update_supply_work;
30117 - atomic_t interrupt_handled;
30118 + atomic_unchecked_t interrupt_handled;
30119 };
30120
30121 /**
30122 @@ -245,13 +245,13 @@ static inline int sht15_update_single_va
30123 return ret;
30124
30125 gpio_direction_input(data->pdata->gpio_data);
30126 - atomic_set(&data->interrupt_handled, 0);
30127 + atomic_set_unchecked(&data->interrupt_handled, 0);
30128
30129 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30130 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30131 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30132 /* Only relevant if the interrupt hasn't occured. */
30133 - if (!atomic_read(&data->interrupt_handled))
30134 + if (!atomic_read_unchecked(&data->interrupt_handled))
30135 schedule_work(&data->read_work);
30136 }
30137 ret = wait_event_timeout(data->wait_queue,
30138 @@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
30139 struct sht15_data *data = d;
30140 /* First disable the interrupt */
30141 disable_irq_nosync(irq);
30142 - atomic_inc(&data->interrupt_handled);
30143 + atomic_inc_unchecked(&data->interrupt_handled);
30144 /* Then schedule a reading work struct */
30145 if (data->flag != SHT15_READING_NOTHING)
30146 schedule_work(&data->read_work);
30147 @@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
30148 here as could have gone low in meantime so verify
30149 it hasn't!
30150 */
30151 - atomic_set(&data->interrupt_handled, 0);
30152 + atomic_set_unchecked(&data->interrupt_handled, 0);
30153 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30154 /* If still not occured or another handler has been scheduled */
30155 if (gpio_get_value(data->pdata->gpio_data)
30156 - || atomic_read(&data->interrupt_handled))
30157 + || atomic_read_unchecked(&data->interrupt_handled))
30158 return;
30159 }
30160 /* Read the data back from the device */
30161 diff -urNp linux-2.6.32.43/drivers/hwmon/w83791d.c linux-2.6.32.43/drivers/hwmon/w83791d.c
30162 --- linux-2.6.32.43/drivers/hwmon/w83791d.c 2011-03-27 14:31:47.000000000 -0400
30163 +++ linux-2.6.32.43/drivers/hwmon/w83791d.c 2011-04-17 15:56:46.000000000 -0400
30164 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
30165 struct i2c_board_info *info);
30166 static int w83791d_remove(struct i2c_client *client);
30167
30168 -static int w83791d_read(struct i2c_client *client, u8 register);
30169 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30170 +static int w83791d_read(struct i2c_client *client, u8 reg);
30171 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30172 static struct w83791d_data *w83791d_update_device(struct device *dev);
30173
30174 #ifdef DEBUG
30175 diff -urNp linux-2.6.32.43/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.43/drivers/i2c/busses/i2c-amd756-s4882.c
30176 --- linux-2.6.32.43/drivers/i2c/busses/i2c-amd756-s4882.c 2011-03-27 14:31:47.000000000 -0400
30177 +++ linux-2.6.32.43/drivers/i2c/busses/i2c-amd756-s4882.c 2011-08-05 20:33:55.000000000 -0400
30178 @@ -189,23 +189,23 @@ static int __init amd756_s4882_init(void
30179 }
30180
30181 /* Fill in the new structures */
30182 - s4882_algo[0] = *(amd756_smbus.algo);
30183 - s4882_algo[0].smbus_xfer = amd756_access_virt0;
30184 + memcpy((void *)&s4882_algo[0], amd756_smbus.algo, sizeof(s4882_algo[0]));
30185 + *(void **)&s4882_algo[0].smbus_xfer = amd756_access_virt0;
30186 s4882_adapter[0] = amd756_smbus;
30187 s4882_adapter[0].algo = s4882_algo;
30188 - s4882_adapter[0].dev.parent = amd756_smbus.dev.parent;
30189 + *(void **)&s4882_adapter[0].dev.parent = amd756_smbus.dev.parent;
30190 for (i = 1; i < 5; i++) {
30191 - s4882_algo[i] = *(amd756_smbus.algo);
30192 + memcpy((void *)&s4882_algo[i], amd756_smbus.algo, sizeof(s4882_algo[i]));
30193 s4882_adapter[i] = amd756_smbus;
30194 snprintf(s4882_adapter[i].name, sizeof(s4882_adapter[i].name),
30195 "SMBus 8111 adapter (CPU%d)", i-1);
30196 s4882_adapter[i].algo = s4882_algo+i;
30197 s4882_adapter[i].dev.parent = amd756_smbus.dev.parent;
30198 }
30199 - s4882_algo[1].smbus_xfer = amd756_access_virt1;
30200 - s4882_algo[2].smbus_xfer = amd756_access_virt2;
30201 - s4882_algo[3].smbus_xfer = amd756_access_virt3;
30202 - s4882_algo[4].smbus_xfer = amd756_access_virt4;
30203 + *(void **)&s4882_algo[1].smbus_xfer = amd756_access_virt1;
30204 + *(void **)&s4882_algo[2].smbus_xfer = amd756_access_virt2;
30205 + *(void **)&s4882_algo[3].smbus_xfer = amd756_access_virt3;
30206 + *(void **)&s4882_algo[4].smbus_xfer = amd756_access_virt4;
30207
30208 /* Register virtual adapters */
30209 for (i = 0; i < 5; i++) {
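Review bot: The `*(void **)&` cast on `s4882_adapter[0].dev.parent` is applied to element 0 only; inside the loop just below, the same field is still written with a plain `s4882_adapter[i].dev.parent = amd756_smbus.dev.parent;`, and the i2c-nforce2-s4985.c hunk leaves element 0 uncast as well. If the field is writable the cast should go (`s4882_adapter[0].dev.parent = amd756_smbus.dev.parent;`); if it has become const-qualified, the loop assignment needs the same treatment. Separately, the `*(void **)&s4882_algo[n].smbus_xfer = ...` stores, here and in the s4985 hunk, write a function pointer through a `void *` lvalue, so the compiler no longer checks the handler's signature against `smbus_xfer`. A comment such as `/* algo members are const-qualified; these private copies are filled in once at init */` would record why the casts are there. The declaration of `s4882_algo` and the rest of amd756_s4882_init() are outside the hunk, so the qualifier is inferred.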
30210 diff -urNp linux-2.6.32.43/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.43/drivers/i2c/busses/i2c-nforce2-s4985.c
30211 --- linux-2.6.32.43/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-03-27 14:31:47.000000000 -0400
30212 +++ linux-2.6.32.43/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-08-05 20:33:55.000000000 -0400
30213 @@ -184,23 +184,23 @@ static int __init nforce2_s4985_init(voi
30214 }
30215
30216 /* Fill in the new structures */
30217 - s4985_algo[0] = *(nforce2_smbus->algo);
30218 - s4985_algo[0].smbus_xfer = nforce2_access_virt0;
30219 + memcpy((void *)&s4985_algo[0], nforce2_smbus->algo, sizeof(s4985_algo[0]));
30220 + *(void **)&s4985_algo[0].smbus_xfer = nforce2_access_virt0;
30221 s4985_adapter[0] = *nforce2_smbus;
30222 s4985_adapter[0].algo = s4985_algo;
30223 s4985_adapter[0].dev.parent = nforce2_smbus->dev.parent;
30224 for (i = 1; i < 5; i++) {
30225 - s4985_algo[i] = *(nforce2_smbus->algo);
30226 + memcpy((void *)&s4985_algo[i], nforce2_smbus->algo, sizeof(s4985_algo[i]));
30227 s4985_adapter[i] = *nforce2_smbus;
30228 snprintf(s4985_adapter[i].name, sizeof(s4985_adapter[i].name),
30229 "SMBus nForce2 adapter (CPU%d)", i - 1);
30230 s4985_adapter[i].algo = s4985_algo + i;
30231 s4985_adapter[i].dev.parent = nforce2_smbus->dev.parent;
30232 }
30233 - s4985_algo[1].smbus_xfer = nforce2_access_virt1;
30234 - s4985_algo[2].smbus_xfer = nforce2_access_virt2;
30235 - s4985_algo[3].smbus_xfer = nforce2_access_virt3;
30236 - s4985_algo[4].smbus_xfer = nforce2_access_virt4;
30237 + *(void **)&s4985_algo[1].smbus_xfer = nforce2_access_virt1;
30238 + *(void **)&s4985_algo[2].smbus_xfer = nforce2_access_virt2;
30239 + *(void **)&s4985_algo[3].smbus_xfer = nforce2_access_virt3;
30240 + *(void **)&s4985_algo[4].smbus_xfer = nforce2_access_virt4;
30241
30242 /* Register virtual adapters */
30243 for (i = 0; i < 5; i++) {
30244 diff -urNp linux-2.6.32.43/drivers/ide/ide-cd.c linux-2.6.32.43/drivers/ide/ide-cd.c
30245 --- linux-2.6.32.43/drivers/ide/ide-cd.c 2011-03-27 14:31:47.000000000 -0400
30246 +++ linux-2.6.32.43/drivers/ide/ide-cd.c 2011-04-17 15:56:46.000000000 -0400
30247 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
30248 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30249 if ((unsigned long)buf & alignment
30250 || blk_rq_bytes(rq) & q->dma_pad_mask
30251 - || object_is_on_stack(buf))
30252 + || object_starts_on_stack(buf))
30253 drive->dma = 0;
30254 }
30255 }
30256 diff -urNp linux-2.6.32.43/drivers/ide/ide-floppy.c linux-2.6.32.43/drivers/ide/ide-floppy.c
30257 --- linux-2.6.32.43/drivers/ide/ide-floppy.c 2011-03-27 14:31:47.000000000 -0400
30258 +++ linux-2.6.32.43/drivers/ide/ide-floppy.c 2011-05-16 21:46:57.000000000 -0400
30259 @@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
30260 u8 pc_buf[256], header_len, desc_cnt;
30261 int i, rc = 1, blocks, length;
30262
30263 + pax_track_stack();
30264 +
30265 ide_debug_log(IDE_DBG_FUNC, "enter");
30266
30267 drive->bios_cyl = 0;
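Review bot: The added `pax_track_stack();` has no comment saying why this function needs it, and nothing ties it to the declaration that motivates it. From the context lines the trigger appears to be the 256-byte `pc_buf` on the stack; a one-line comment such as `/* large stack frame (pc_buf[256]): keep PaX stack tracking accurate */` would stop the call from being dropped, or left behind, when the buffer changes. The same applies to the `pax_track_stack()` additions in ide_pci_init_two() (`struct ide_hw hw[4]`) and atomic_counters_read() (`struct infinipath_counters counters`). All three functions continue outside their hunks.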
30268 diff -urNp linux-2.6.32.43/drivers/ide/setup-pci.c linux-2.6.32.43/drivers/ide/setup-pci.c
30269 --- linux-2.6.32.43/drivers/ide/setup-pci.c 2011-03-27 14:31:47.000000000 -0400
30270 +++ linux-2.6.32.43/drivers/ide/setup-pci.c 2011-05-16 21:46:57.000000000 -0400
30271 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30272 int ret, i, n_ports = dev2 ? 4 : 2;
30273 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30274
30275 + pax_track_stack();
30276 +
30277 for (i = 0; i < n_ports / 2; i++) {
30278 ret = ide_setup_pci_controller(pdev[i], d, !i);
30279 if (ret < 0)
30280 diff -urNp linux-2.6.32.43/drivers/ieee1394/dv1394.c linux-2.6.32.43/drivers/ieee1394/dv1394.c
30281 --- linux-2.6.32.43/drivers/ieee1394/dv1394.c 2011-03-27 14:31:47.000000000 -0400
30282 +++ linux-2.6.32.43/drivers/ieee1394/dv1394.c 2011-04-23 12:56:11.000000000 -0400
30283 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
30284 based upon DIF section and sequence
30285 */
30286
30287 -static void inline
30288 +static inline void
30289 frame_put_packet (struct frame *f, struct packet *p)
30290 {
30291 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
30292 diff -urNp linux-2.6.32.43/drivers/ieee1394/hosts.c linux-2.6.32.43/drivers/ieee1394/hosts.c
30293 --- linux-2.6.32.43/drivers/ieee1394/hosts.c 2011-03-27 14:31:47.000000000 -0400
30294 +++ linux-2.6.32.43/drivers/ieee1394/hosts.c 2011-04-17 15:56:46.000000000 -0400
30295 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
30296 }
30297
30298 static struct hpsb_host_driver dummy_driver = {
30299 + .name = "dummy",
30300 .transmit_packet = dummy_transmit_packet,
30301 .devctl = dummy_devctl,
30302 .isoctl = dummy_isoctl
30303 diff -urNp linux-2.6.32.43/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.43/drivers/ieee1394/init_ohci1394_dma.c
30304 --- linux-2.6.32.43/drivers/ieee1394/init_ohci1394_dma.c 2011-03-27 14:31:47.000000000 -0400
30305 +++ linux-2.6.32.43/drivers/ieee1394/init_ohci1394_dma.c 2011-04-17 15:56:46.000000000 -0400
30306 @@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
30307 for (func = 0; func < 8; func++) {
30308 u32 class = read_pci_config(num,slot,func,
30309 PCI_CLASS_REVISION);
30310 - if ((class == 0xffffffff))
30311 + if (class == 0xffffffff)
30312 continue; /* No device at this func */
30313
30314 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
30315 diff -urNp linux-2.6.32.43/drivers/ieee1394/ohci1394.c linux-2.6.32.43/drivers/ieee1394/ohci1394.c
30316 --- linux-2.6.32.43/drivers/ieee1394/ohci1394.c 2011-03-27 14:31:47.000000000 -0400
30317 +++ linux-2.6.32.43/drivers/ieee1394/ohci1394.c 2011-04-23 12:56:11.000000000 -0400
30318 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
30319 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
30320
30321 /* Module Parameters */
30322 -static int phys_dma = 1;
30323 +static int phys_dma;
30324 module_param(phys_dma, int, 0444);
30325 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
30326 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
30327
30328 static void dma_trm_tasklet(unsigned long data);
30329 static void dma_trm_reset(struct dma_trm_ctx *d);
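Review bot: Nothing at the declaration of `phys_dma` says why the default changed from 1 to 0; the parameter description is the only trace. Physical DMA lets other nodes on the FireWire bus address host memory directly, so a comment such as `/* off by default: physical DMA gives bus peers direct access to host memory */` above `static int phys_dma;` would keep the default from being reverted as a regression. The parameter is registered with mode 0444, so it can only be chosen at load time. Setups that relied on the old default now have to pass `phys_dma=1` explicitly, which is worth saying in the description string as well.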
30330 diff -urNp linux-2.6.32.43/drivers/ieee1394/sbp2.c linux-2.6.32.43/drivers/ieee1394/sbp2.c
30331 --- linux-2.6.32.43/drivers/ieee1394/sbp2.c 2011-03-27 14:31:47.000000000 -0400
30332 +++ linux-2.6.32.43/drivers/ieee1394/sbp2.c 2011-04-23 12:56:11.000000000 -0400
30333 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
30334 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
30335 MODULE_LICENSE("GPL");
30336
30337 -static int sbp2_module_init(void)
30338 +static int __init sbp2_module_init(void)
30339 {
30340 int ret;
30341
30342 diff -urNp linux-2.6.32.43/drivers/infiniband/core/cm.c linux-2.6.32.43/drivers/infiniband/core/cm.c
30343 --- linux-2.6.32.43/drivers/infiniband/core/cm.c 2011-03-27 14:31:47.000000000 -0400
30344 +++ linux-2.6.32.43/drivers/infiniband/core/cm.c 2011-04-17 15:56:46.000000000 -0400
30345 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
30346
30347 struct cm_counter_group {
30348 struct kobject obj;
30349 - atomic_long_t counter[CM_ATTR_COUNT];
30350 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30351 };
30352
30353 struct cm_counter_attribute {
30354 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
30355 struct ib_mad_send_buf *msg = NULL;
30356 int ret;
30357
30358 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30359 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30360 counter[CM_REQ_COUNTER]);
30361
30362 /* Quick state check to discard duplicate REQs. */
30363 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
30364 if (!cm_id_priv)
30365 return;
30366
30367 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30368 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30369 counter[CM_REP_COUNTER]);
30370 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30371 if (ret)
30372 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
30373 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30374 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30375 spin_unlock_irq(&cm_id_priv->lock);
30376 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30377 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30378 counter[CM_RTU_COUNTER]);
30379 goto out;
30380 }
30381 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
30382 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30383 dreq_msg->local_comm_id);
30384 if (!cm_id_priv) {
30385 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30386 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30387 counter[CM_DREQ_COUNTER]);
30388 cm_issue_drep(work->port, work->mad_recv_wc);
30389 return -EINVAL;
30390 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
30391 case IB_CM_MRA_REP_RCVD:
30392 break;
30393 case IB_CM_TIMEWAIT:
30394 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30395 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30396 counter[CM_DREQ_COUNTER]);
30397 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30398 goto unlock;
30399 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
30400 cm_free_msg(msg);
30401 goto deref;
30402 case IB_CM_DREQ_RCVD:
30403 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30404 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30405 counter[CM_DREQ_COUNTER]);
30406 goto unlock;
30407 default:
30408 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
30409 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30410 cm_id_priv->msg, timeout)) {
30411 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30412 - atomic_long_inc(&work->port->
30413 + atomic_long_inc_unchecked(&work->port->
30414 counter_group[CM_RECV_DUPLICATES].
30415 counter[CM_MRA_COUNTER]);
30416 goto out;
30417 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
30418 break;
30419 case IB_CM_MRA_REQ_RCVD:
30420 case IB_CM_MRA_REP_RCVD:
30421 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30422 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30423 counter[CM_MRA_COUNTER]);
30424 /* fall through */
30425 default:
30426 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
30427 case IB_CM_LAP_IDLE:
30428 break;
30429 case IB_CM_MRA_LAP_SENT:
30430 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30431 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30432 counter[CM_LAP_COUNTER]);
30433 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30434 goto unlock;
30435 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
30436 cm_free_msg(msg);
30437 goto deref;
30438 case IB_CM_LAP_RCVD:
30439 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30440 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30441 counter[CM_LAP_COUNTER]);
30442 goto unlock;
30443 default:
30444 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
30445 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30446 if (cur_cm_id_priv) {
30447 spin_unlock_irq(&cm.lock);
30448 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30449 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30450 counter[CM_SIDR_REQ_COUNTER]);
30451 goto out; /* Duplicate message. */
30452 }
30453 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
30454 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30455 msg->retries = 1;
30456
30457 - atomic_long_add(1 + msg->retries,
30458 + atomic_long_add_unchecked(1 + msg->retries,
30459 &port->counter_group[CM_XMIT].counter[attr_index]);
30460 if (msg->retries)
30461 - atomic_long_add(msg->retries,
30462 + atomic_long_add_unchecked(msg->retries,
30463 &port->counter_group[CM_XMIT_RETRIES].
30464 counter[attr_index]);
30465
30466 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
30467 }
30468
30469 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30470 - atomic_long_inc(&port->counter_group[CM_RECV].
30471 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30472 counter[attr_id - CM_ATTR_ID_OFFSET]);
30473
30474 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
30475 @@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
30476 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30477
30478 return sprintf(buf, "%ld\n",
30479 - atomic_long_read(&group->counter[cm_attr->index]));
30480 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30481 }
30482
30483 -static struct sysfs_ops cm_counter_ops = {
30484 +static const struct sysfs_ops cm_counter_ops = {
30485 .show = cm_show_counter
30486 };
30487
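Review bot: cm_show_counter() still formats the value with `%ld`, so now that the counters are explicitly allowed to wrap, a long-running port will eventually report negative numbers through sysfs. Printing the value as unsigned, `return sprintf(buf, "%lu\n", (unsigned long)atomic_long_read_unchecked(&group->counter[cm_attr->index]));`, keeps the output increasing until the full width wraps. This assumes readers of the attribute do not depend on a signed value, which cannot be checked from the hunk.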
30488 diff -urNp linux-2.6.32.43/drivers/infiniband/core/fmr_pool.c linux-2.6.32.43/drivers/infiniband/core/fmr_pool.c
30489 --- linux-2.6.32.43/drivers/infiniband/core/fmr_pool.c 2011-03-27 14:31:47.000000000 -0400
30490 +++ linux-2.6.32.43/drivers/infiniband/core/fmr_pool.c 2011-05-04 17:56:28.000000000 -0400
30491 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30492
30493 struct task_struct *thread;
30494
30495 - atomic_t req_ser;
30496 - atomic_t flush_ser;
30497 + atomic_unchecked_t req_ser;
30498 + atomic_unchecked_t flush_ser;
30499
30500 wait_queue_head_t force_wait;
30501 };
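Review bot: `req_ser` and `flush_ser` become `atomic_unchecked_t` without a comment, yet wrapping is part of their design: the later hunks in this file compare them by difference (`atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0`, `... - serial >= 0`). A comment on the fields, e.g. `/* serial numbers compared by signed difference; expected to wrap, hence unchecked */`, would make clear that they must not be converted back to an overflow-checked type. The difference is computed on `int`, so the comparison also relies on the kernel being built with wrapping signed arithmetic, a build-flag assumption that is not visible here.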
30502 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30503 struct ib_fmr_pool *pool = pool_ptr;
30504
30505 do {
30506 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30507 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30508 ib_fmr_batch_release(pool);
30509
30510 - atomic_inc(&pool->flush_ser);
30511 + atomic_inc_unchecked(&pool->flush_ser);
30512 wake_up_interruptible(&pool->force_wait);
30513
30514 if (pool->flush_function)
30515 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30516 }
30517
30518 set_current_state(TASK_INTERRUPTIBLE);
30519 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30520 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30521 !kthread_should_stop())
30522 schedule();
30523 __set_current_state(TASK_RUNNING);
30524 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30525 pool->dirty_watermark = params->dirty_watermark;
30526 pool->dirty_len = 0;
30527 spin_lock_init(&pool->pool_lock);
30528 - atomic_set(&pool->req_ser, 0);
30529 - atomic_set(&pool->flush_ser, 0);
30530 + atomic_set_unchecked(&pool->req_ser, 0);
30531 + atomic_set_unchecked(&pool->flush_ser, 0);
30532 init_waitqueue_head(&pool->force_wait);
30533
30534 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30535 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30536 }
30537 spin_unlock_irq(&pool->pool_lock);
30538
30539 - serial = atomic_inc_return(&pool->req_ser);
30540 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30541 wake_up_process(pool->thread);
30542
30543 if (wait_event_interruptible(pool->force_wait,
30544 - atomic_read(&pool->flush_ser) - serial >= 0))
30545 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30546 return -EINTR;
30547
30548 return 0;
30549 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30550 } else {
30551 list_add_tail(&fmr->list, &pool->dirty_list);
30552 if (++pool->dirty_len >= pool->dirty_watermark) {
30553 - atomic_inc(&pool->req_ser);
30554 + atomic_inc_unchecked(&pool->req_ser);
30555 wake_up_process(pool->thread);
30556 }
30557 }
30558 diff -urNp linux-2.6.32.43/drivers/infiniband/core/sysfs.c linux-2.6.32.43/drivers/infiniband/core/sysfs.c
30559 --- linux-2.6.32.43/drivers/infiniband/core/sysfs.c 2011-03-27 14:31:47.000000000 -0400
30560 +++ linux-2.6.32.43/drivers/infiniband/core/sysfs.c 2011-04-17 15:56:46.000000000 -0400
30561 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
30562 return port_attr->show(p, port_attr, buf);
30563 }
30564
30565 -static struct sysfs_ops port_sysfs_ops = {
30566 +static const struct sysfs_ops port_sysfs_ops = {
30567 .show = port_attr_show
30568 };
30569
30570 diff -urNp linux-2.6.32.43/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.43/drivers/infiniband/core/uverbs_marshall.c
30571 --- linux-2.6.32.43/drivers/infiniband/core/uverbs_marshall.c 2011-03-27 14:31:47.000000000 -0400
30572 +++ linux-2.6.32.43/drivers/infiniband/core/uverbs_marshall.c 2011-04-17 15:56:46.000000000 -0400
30573 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
30574 dst->grh.sgid_index = src->grh.sgid_index;
30575 dst->grh.hop_limit = src->grh.hop_limit;
30576 dst->grh.traffic_class = src->grh.traffic_class;
30577 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
30578 dst->dlid = src->dlid;
30579 dst->sl = src->sl;
30580 dst->src_path_bits = src->src_path_bits;
30581 dst->static_rate = src->static_rate;
30582 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
30583 dst->port_num = src->port_num;
30584 + dst->reserved = 0;
30585 }
30586 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
30587
30588 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
30589 struct ib_qp_attr *src)
30590 {
30591 + dst->qp_state = src->qp_state;
30592 dst->cur_qp_state = src->cur_qp_state;
30593 dst->path_mtu = src->path_mtu;
30594 dst->path_mig_state = src->path_mig_state;
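Review bot: Clearing the `reserved` members one at a time leaves any compiler-inserted padding, and any member added later, uninitialised in structures whose names mark them as going to user space. Starting each function with `memset(dst, 0, sizeof(*dst));` would cover `grh.reserved` and `reserved` here and the `memset(dst->reserved, ...)` in the next hunk in one step; the new `dst->qp_state = src->qp_state;` assignment is still needed. Whether the callers already zero `dst` before the call is outside the hunk, and the body of ib_copy_qp_attr_to_user() between the two hunks is not shown.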
30595 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
30596 dst->rnr_retry = src->rnr_retry;
30597 dst->alt_port_num = src->alt_port_num;
30598 dst->alt_timeout = src->alt_timeout;
30599 + memset(dst->reserved, 0, sizeof(dst->reserved));
30600 }
30601 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
30602
30603 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.43/drivers/infiniband/hw/ipath/ipath_fs.c
30604 --- linux-2.6.32.43/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-27 14:31:47.000000000 -0400
30605 +++ linux-2.6.32.43/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:46:57.000000000 -0400
30606 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
30607 struct infinipath_counters counters;
30608 struct ipath_devdata *dd;
30609
30610 + pax_track_stack();
30611 +
30612 dd = file->f_path.dentry->d_inode->i_private;
30613 dd->ipath_f_read_counters(dd, &counters);
30614
30615 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/nes/nes.c linux-2.6.32.43/drivers/infiniband/hw/nes/nes.c
30616 --- linux-2.6.32.43/drivers/infiniband/hw/nes/nes.c 2011-03-27 14:31:47.000000000 -0400
30617 +++ linux-2.6.32.43/drivers/infiniband/hw/nes/nes.c 2011-05-04 17:56:28.000000000 -0400
30618 @@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
30619 LIST_HEAD(nes_adapter_list);
30620 static LIST_HEAD(nes_dev_list);
30621
30622 -atomic_t qps_destroyed;
30623 +atomic_unchecked_t qps_destroyed;
30624
30625 static unsigned int ee_flsh_adapter;
30626 static unsigned int sysfs_nonidx_addr;
30627 @@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
30628 struct nes_adapter *nesadapter = nesdev->nesadapter;
30629 u32 qp_id;
30630
30631 - atomic_inc(&qps_destroyed);
30632 + atomic_inc_unchecked(&qps_destroyed);
30633
30634 /* Free the control structures */
30635
30636 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.43/drivers/infiniband/hw/nes/nes_cm.c
30637 --- linux-2.6.32.43/drivers/infiniband/hw/nes/nes_cm.c 2011-03-27 14:31:47.000000000 -0400
30638 +++ linux-2.6.32.43/drivers/infiniband/hw/nes/nes_cm.c 2011-05-04 17:56:28.000000000 -0400
30639 @@ -69,11 +69,11 @@ u32 cm_packets_received;
30640 u32 cm_listens_created;
30641 u32 cm_listens_destroyed;
30642 u32 cm_backlog_drops;
30643 -atomic_t cm_loopbacks;
30644 -atomic_t cm_nodes_created;
30645 -atomic_t cm_nodes_destroyed;
30646 -atomic_t cm_accel_dropped_pkts;
30647 -atomic_t cm_resets_recvd;
30648 +atomic_unchecked_t cm_loopbacks;
30649 +atomic_unchecked_t cm_nodes_created;
30650 +atomic_unchecked_t cm_nodes_destroyed;
30651 +atomic_unchecked_t cm_accel_dropped_pkts;
30652 +atomic_unchecked_t cm_resets_recvd;
30653
30654 static inline int mini_cm_accelerated(struct nes_cm_core *,
30655 struct nes_cm_node *);
30656 @@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
30657
30658 static struct nes_cm_core *g_cm_core;
30659
30660 -atomic_t cm_connects;
30661 -atomic_t cm_accepts;
30662 -atomic_t cm_disconnects;
30663 -atomic_t cm_closes;
30664 -atomic_t cm_connecteds;
30665 -atomic_t cm_connect_reqs;
30666 -atomic_t cm_rejects;
30667 +atomic_unchecked_t cm_connects;
30668 +atomic_unchecked_t cm_accepts;
30669 +atomic_unchecked_t cm_disconnects;
30670 +atomic_unchecked_t cm_closes;
30671 +atomic_unchecked_t cm_connecteds;
30672 +atomic_unchecked_t cm_connect_reqs;
30673 +atomic_unchecked_t cm_rejects;
30674
30675
30676 /**
30677 @@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
30678 cm_node->rem_mac);
30679
30680 add_hte_node(cm_core, cm_node);
30681 - atomic_inc(&cm_nodes_created);
30682 + atomic_inc_unchecked(&cm_nodes_created);
30683
30684 return cm_node;
30685 }
30686 @@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
30687 }
30688
30689 atomic_dec(&cm_core->node_cnt);
30690 - atomic_inc(&cm_nodes_destroyed);
30691 + atomic_inc_unchecked(&cm_nodes_destroyed);
30692 nesqp = cm_node->nesqp;
30693 if (nesqp) {
30694 nesqp->cm_node = NULL;
30695 @@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
30696
30697 static void drop_packet(struct sk_buff *skb)
30698 {
30699 - atomic_inc(&cm_accel_dropped_pkts);
30700 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30701 dev_kfree_skb_any(skb);
30702 }
30703
30704 @@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
30705
30706 int reset = 0; /* whether to send reset in case of err.. */
30707 int passive_state;
30708 - atomic_inc(&cm_resets_recvd);
30709 + atomic_inc_unchecked(&cm_resets_recvd);
30710 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
30711 " refcnt=%d\n", cm_node, cm_node->state,
30712 atomic_read(&cm_node->ref_count));
30713 @@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
30714 rem_ref_cm_node(cm_node->cm_core, cm_node);
30715 return NULL;
30716 }
30717 - atomic_inc(&cm_loopbacks);
30718 + atomic_inc_unchecked(&cm_loopbacks);
30719 loopbackremotenode->loopbackpartner = cm_node;
30720 loopbackremotenode->tcp_cntxt.rcv_wscale =
30721 NES_CM_DEFAULT_RCV_WND_SCALE;
30722 @@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
30723 add_ref_cm_node(cm_node);
30724 } else if (cm_node->state == NES_CM_STATE_TSA) {
30725 rem_ref_cm_node(cm_core, cm_node);
30726 - atomic_inc(&cm_accel_dropped_pkts);
30727 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30728 dev_kfree_skb_any(skb);
30729 break;
30730 }
30731 @@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
30732
30733 if ((cm_id) && (cm_id->event_handler)) {
30734 if (issue_disconn) {
30735 - atomic_inc(&cm_disconnects);
30736 + atomic_inc_unchecked(&cm_disconnects);
30737 cm_event.event = IW_CM_EVENT_DISCONNECT;
30738 cm_event.status = disconn_status;
30739 cm_event.local_addr = cm_id->local_addr;
30740 @@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
30741 }
30742
30743 if (issue_close) {
30744 - atomic_inc(&cm_closes);
30745 + atomic_inc_unchecked(&cm_closes);
30746 nes_disconnect(nesqp, 1);
30747
30748 cm_id->provider_data = nesqp;
30749 @@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
30750
30751 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
30752 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
30753 - atomic_inc(&cm_accepts);
30754 + atomic_inc_unchecked(&cm_accepts);
30755
30756 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
30757 atomic_read(&nesvnic->netdev->refcnt));
30758 @@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
30759
30760 struct nes_cm_core *cm_core;
30761
30762 - atomic_inc(&cm_rejects);
30763 + atomic_inc_unchecked(&cm_rejects);
30764 cm_node = (struct nes_cm_node *) cm_id->provider_data;
30765 loopback = cm_node->loopbackpartner;
30766 cm_core = cm_node->cm_core;
30767 @@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
30768 ntohl(cm_id->local_addr.sin_addr.s_addr),
30769 ntohs(cm_id->local_addr.sin_port));
30770
30771 - atomic_inc(&cm_connects);
30772 + atomic_inc_unchecked(&cm_connects);
30773 nesqp->active_conn = 1;
30774
30775 /* cache the cm_id in the qp */
30776 @@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
30777 if (nesqp->destroyed) {
30778 return;
30779 }
30780 - atomic_inc(&cm_connecteds);
30781 + atomic_inc_unchecked(&cm_connecteds);
30782 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
30783 " local port 0x%04X. jiffies = %lu.\n",
30784 nesqp->hwqp.qp_id,
30785 @@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
30786
30787 ret = cm_id->event_handler(cm_id, &cm_event);
30788 cm_id->add_ref(cm_id);
30789 - atomic_inc(&cm_closes);
30790 + atomic_inc_unchecked(&cm_closes);
30791 cm_event.event = IW_CM_EVENT_CLOSE;
30792 cm_event.status = IW_CM_EVENT_STATUS_OK;
30793 cm_event.provider_data = cm_id->provider_data;
30794 @@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
30795 return;
30796 cm_id = cm_node->cm_id;
30797
30798 - atomic_inc(&cm_connect_reqs);
30799 + atomic_inc_unchecked(&cm_connect_reqs);
30800 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
30801 cm_node, cm_id, jiffies);
30802
30803 @@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
30804 return;
30805 cm_id = cm_node->cm_id;
30806
30807 - atomic_inc(&cm_connect_reqs);
30808 + atomic_inc_unchecked(&cm_connect_reqs);
30809 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
30810 cm_node, cm_id, jiffies);
30811
30812 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/nes/nes.h linux-2.6.32.43/drivers/infiniband/hw/nes/nes.h
30813 --- linux-2.6.32.43/drivers/infiniband/hw/nes/nes.h 2011-03-27 14:31:47.000000000 -0400
30814 +++ linux-2.6.32.43/drivers/infiniband/hw/nes/nes.h 2011-05-04 17:56:28.000000000 -0400
30815 @@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
30816 extern unsigned int wqm_quanta;
30817 extern struct list_head nes_adapter_list;
30818
30819 -extern atomic_t cm_connects;
30820 -extern atomic_t cm_accepts;
30821 -extern atomic_t cm_disconnects;
30822 -extern atomic_t cm_closes;
30823 -extern atomic_t cm_connecteds;
30824 -extern atomic_t cm_connect_reqs;
30825 -extern atomic_t cm_rejects;
30826 -extern atomic_t mod_qp_timouts;
30827 -extern atomic_t qps_created;
30828 -extern atomic_t qps_destroyed;
30829 -extern atomic_t sw_qps_destroyed;
30830 +extern atomic_unchecked_t cm_connects;
30831 +extern atomic_unchecked_t cm_accepts;
30832 +extern atomic_unchecked_t cm_disconnects;
30833 +extern atomic_unchecked_t cm_closes;
30834 +extern atomic_unchecked_t cm_connecteds;
30835 +extern atomic_unchecked_t cm_connect_reqs;
30836 +extern atomic_unchecked_t cm_rejects;
30837 +extern atomic_unchecked_t mod_qp_timouts;
30838 +extern atomic_unchecked_t qps_created;
30839 +extern atomic_unchecked_t qps_destroyed;
30840 +extern atomic_unchecked_t sw_qps_destroyed;
30841 extern u32 mh_detected;
30842 extern u32 mh_pauses_sent;
30843 extern u32 cm_packets_sent;
30844 @@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
30845 extern u32 cm_listens_created;
30846 extern u32 cm_listens_destroyed;
30847 extern u32 cm_backlog_drops;
30848 -extern atomic_t cm_loopbacks;
30849 -extern atomic_t cm_nodes_created;
30850 -extern atomic_t cm_nodes_destroyed;
30851 -extern atomic_t cm_accel_dropped_pkts;
30852 -extern atomic_t cm_resets_recvd;
30853 +extern atomic_unchecked_t cm_loopbacks;
30854 +extern atomic_unchecked_t cm_nodes_created;
30855 +extern atomic_unchecked_t cm_nodes_destroyed;
30856 +extern atomic_unchecked_t cm_accel_dropped_pkts;
30857 +extern atomic_unchecked_t cm_resets_recvd;
30858
30859 extern u32 int_mod_timer_init;
30860 extern u32 int_mod_cq_depth_256;
30861 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.43/drivers/infiniband/hw/nes/nes_nic.c
30862 --- linux-2.6.32.43/drivers/infiniband/hw/nes/nes_nic.c 2011-03-27 14:31:47.000000000 -0400
30863 +++ linux-2.6.32.43/drivers/infiniband/hw/nes/nes_nic.c 2011-05-04 17:56:28.000000000 -0400
30864 @@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
30865 target_stat_values[++index] = mh_detected;
30866 target_stat_values[++index] = mh_pauses_sent;
30867 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
30868 - target_stat_values[++index] = atomic_read(&cm_connects);
30869 - target_stat_values[++index] = atomic_read(&cm_accepts);
30870 - target_stat_values[++index] = atomic_read(&cm_disconnects);
30871 - target_stat_values[++index] = atomic_read(&cm_connecteds);
30872 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
30873 - target_stat_values[++index] = atomic_read(&cm_rejects);
30874 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
30875 - target_stat_values[++index] = atomic_read(&qps_created);
30876 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
30877 - target_stat_values[++index] = atomic_read(&qps_destroyed);
30878 - target_stat_values[++index] = atomic_read(&cm_closes);
30879 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
30880 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
30881 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
30882 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
30883 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
30884 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
30885 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
30886 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
30887 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
30888 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
30889 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
30890 target_stat_values[++index] = cm_packets_sent;
30891 target_stat_values[++index] = cm_packets_bounced;
30892 target_stat_values[++index] = cm_packets_created;
30893 @@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
30894 target_stat_values[++index] = cm_listens_created;
30895 target_stat_values[++index] = cm_listens_destroyed;
30896 target_stat_values[++index] = cm_backlog_drops;
30897 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
30898 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
30899 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
30900 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
30901 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
30902 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
30903 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
30904 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
30905 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
30906 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
30907 target_stat_values[++index] = int_mod_timer_init;
30908 target_stat_values[++index] = int_mod_cq_depth_1;
30909 target_stat_values[++index] = int_mod_cq_depth_4;
30910 diff -urNp linux-2.6.32.43/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.43/drivers/infiniband/hw/nes/nes_verbs.c
30911 --- linux-2.6.32.43/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-27 14:31:47.000000000 -0400
30912 +++ linux-2.6.32.43/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-04 17:56:28.000000000 -0400
30913 @@ -45,9 +45,9 @@
30914
30915 #include <rdma/ib_umem.h>
30916
30917 -atomic_t mod_qp_timouts;
30918 -atomic_t qps_created;
30919 -atomic_t sw_qps_destroyed;
30920 +atomic_unchecked_t mod_qp_timouts;
30921 +atomic_unchecked_t qps_created;
30922 +atomic_unchecked_t sw_qps_destroyed;
30923
30924 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
30925
30926 @@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
30927 if (init_attr->create_flags)
30928 return ERR_PTR(-EINVAL);
30929
30930 - atomic_inc(&qps_created);
30931 + atomic_inc_unchecked(&qps_created);
30932 switch (init_attr->qp_type) {
30933 case IB_QPT_RC:
30934 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
30935 @@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
30936 struct iw_cm_event cm_event;
30937 int ret;
30938
30939 - atomic_inc(&sw_qps_destroyed);
30940 + atomic_inc_unchecked(&sw_qps_destroyed);
30941 nesqp->destroyed = 1;
30942
30943 /* Blow away the connection if it exists. */
30944 diff -urNp linux-2.6.32.43/drivers/input/gameport/gameport.c linux-2.6.32.43/drivers/input/gameport/gameport.c
30945 --- linux-2.6.32.43/drivers/input/gameport/gameport.c 2011-03-27 14:31:47.000000000 -0400
30946 +++ linux-2.6.32.43/drivers/input/gameport/gameport.c 2011-05-04 17:56:28.000000000 -0400
30947 @@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
30948 */
30949 static void gameport_init_port(struct gameport *gameport)
30950 {
30951 - static atomic_t gameport_no = ATOMIC_INIT(0);
30952 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
30953
30954 __module_get(THIS_MODULE);
30955
30956 mutex_init(&gameport->drv_mutex);
30957 device_initialize(&gameport->dev);
30958 - dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
30959 + dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
30960 gameport->dev.bus = &gameport_bus;
30961 gameport->dev.release = gameport_release_port;
30962 if (gameport->parent)
30963 diff -urNp linux-2.6.32.43/drivers/input/input.c linux-2.6.32.43/drivers/input/input.c
30964 --- linux-2.6.32.43/drivers/input/input.c 2011-03-27 14:31:47.000000000 -0400
30965 +++ linux-2.6.32.43/drivers/input/input.c 2011-05-04 17:56:28.000000000 -0400
30966 @@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
30967 */
30968 int input_register_device(struct input_dev *dev)
30969 {
30970 - static atomic_t input_no = ATOMIC_INIT(0);
30971 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
30972 struct input_handler *handler;
30973 const char *path;
30974 int error;
30975 @@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
30976 dev->setkeycode = input_default_setkeycode;
30977
30978 dev_set_name(&dev->dev, "input%ld",
30979 - (unsigned long) atomic_inc_return(&input_no) - 1);
30980 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
30981
30982 error = device_add(&dev->dev);
30983 if (error)
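Review bot: The format string `"input%ld"` is signed, but the argument on the changed line is cast to `(unsigned long)`. Since the argument line is being rewritten anyway, the two should agree, for example `"input%lu"`, as the gameport hunk above already does. This matters a little more now that the counter is an `atomic_unchecked_t`, which as I understand it is the type exempted from overflow detection, so a wrapped value would otherwise print as a negative device number. input_register_device continues outside this hunk.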
30984 diff -urNp linux-2.6.32.43/drivers/input/joystick/sidewinder.c linux-2.6.32.43/drivers/input/joystick/sidewinder.c
30985 --- linux-2.6.32.43/drivers/input/joystick/sidewinder.c 2011-03-27 14:31:47.000000000 -0400
30986 +++ linux-2.6.32.43/drivers/input/joystick/sidewinder.c 2011-05-18 20:09:36.000000000 -0400
30987 @@ -30,6 +30,7 @@
30988 #include <linux/kernel.h>
30989 #include <linux/module.h>
30990 #include <linux/slab.h>
30991 +#include <linux/sched.h>
30992 #include <linux/init.h>
30993 #include <linux/input.h>
30994 #include <linux/gameport.h>
30995 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
30996 unsigned char buf[SW_LENGTH];
30997 int i;
30998
30999 + pax_track_stack();
31000 +
31001 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31002
31003 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
31004 diff -urNp linux-2.6.32.43/drivers/input/joystick/xpad.c linux-2.6.32.43/drivers/input/joystick/xpad.c
31005 --- linux-2.6.32.43/drivers/input/joystick/xpad.c 2011-03-27 14:31:47.000000000 -0400
31006 +++ linux-2.6.32.43/drivers/input/joystick/xpad.c 2011-05-04 17:56:28.000000000 -0400
31007 @@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
31008
31009 static int xpad_led_probe(struct usb_xpad *xpad)
31010 {
31011 - static atomic_t led_seq = ATOMIC_INIT(0);
31012 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31013 long led_no;
31014 struct xpad_led *led;
31015 struct led_classdev *led_cdev;
31016 @@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
31017 if (!led)
31018 return -ENOMEM;
31019
31020 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31021 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31022
31023 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31024 led->xpad = xpad;
31025 diff -urNp linux-2.6.32.43/drivers/input/serio/serio.c linux-2.6.32.43/drivers/input/serio/serio.c
31026 --- linux-2.6.32.43/drivers/input/serio/serio.c 2011-03-27 14:31:47.000000000 -0400
31027 +++ linux-2.6.32.43/drivers/input/serio/serio.c 2011-05-04 17:56:28.000000000 -0400
31028 @@ -527,7 +527,7 @@ static void serio_release_port(struct de
31029 */
31030 static void serio_init_port(struct serio *serio)
31031 {
31032 - static atomic_t serio_no = ATOMIC_INIT(0);
31033 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31034
31035 __module_get(THIS_MODULE);
31036
31037 @@ -536,7 +536,7 @@ static void serio_init_port(struct serio
31038 mutex_init(&serio->drv_mutex);
31039 device_initialize(&serio->dev);
31040 dev_set_name(&serio->dev, "serio%ld",
31041 - (long)atomic_inc_return(&serio_no) - 1);
31042 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31043 serio->dev.bus = &serio_bus;
31044 serio->dev.release = serio_release_port;
31045 if (serio->parent) {
31046 diff -urNp linux-2.6.32.43/drivers/isdn/gigaset/common.c linux-2.6.32.43/drivers/isdn/gigaset/common.c
31047 --- linux-2.6.32.43/drivers/isdn/gigaset/common.c 2011-03-27 14:31:47.000000000 -0400
31048 +++ linux-2.6.32.43/drivers/isdn/gigaset/common.c 2011-04-17 15:56:46.000000000 -0400
31049 @@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
31050 cs->commands_pending = 0;
31051 cs->cur_at_seq = 0;
31052 cs->gotfwver = -1;
31053 - cs->open_count = 0;
31054 + local_set(&cs->open_count, 0);
31055 cs->dev = NULL;
31056 cs->tty = NULL;
31057 cs->tty_dev = NULL;
31058 diff -urNp linux-2.6.32.43/drivers/isdn/gigaset/gigaset.h linux-2.6.32.43/drivers/isdn/gigaset/gigaset.h
31059 --- linux-2.6.32.43/drivers/isdn/gigaset/gigaset.h 2011-03-27 14:31:47.000000000 -0400
31060 +++ linux-2.6.32.43/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:56:46.000000000 -0400
31061 @@ -34,6 +34,7 @@
31062 #include <linux/tty_driver.h>
31063 #include <linux/list.h>
31064 #include <asm/atomic.h>
31065 +#include <asm/local.h>
31066
31067 #define GIG_VERSION {0,5,0,0}
31068 #define GIG_COMPAT {0,4,0,0}
31069 @@ -446,7 +447,7 @@ struct cardstate {
31070 spinlock_t cmdlock;
31071 unsigned curlen, cmdbytes;
31072
31073 - unsigned open_count;
31074 + local_t open_count;
31075 struct tty_struct *tty;
31076 struct tasklet_struct if_wake_tasklet;
31077 unsigned control_state;
31078 diff -urNp linux-2.6.32.43/drivers/isdn/gigaset/interface.c linux-2.6.32.43/drivers/isdn/gigaset/interface.c
31079 --- linux-2.6.32.43/drivers/isdn/gigaset/interface.c 2011-03-27 14:31:47.000000000 -0400
31080 +++ linux-2.6.32.43/drivers/isdn/gigaset/interface.c 2011-04-17 15:56:46.000000000 -0400
31081 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
31082 return -ERESTARTSYS; // FIXME -EINTR?
31083 tty->driver_data = cs;
31084
31085 - ++cs->open_count;
31086 -
31087 - if (cs->open_count == 1) {
31088 + if (local_inc_return(&cs->open_count) == 1) {
31089 spin_lock_irqsave(&cs->lock, flags);
31090 cs->tty = tty;
31091 spin_unlock_irqrestore(&cs->lock, flags);
31092 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
31093
31094 if (!cs->connected)
31095 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31096 - else if (!cs->open_count)
31097 + else if (!local_read(&cs->open_count))
31098 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31099 else {
31100 - if (!--cs->open_count) {
31101 + if (!local_dec_return(&cs->open_count)) {
31102 spin_lock_irqsave(&cs->lock, flags);
31103 cs->tty = NULL;
31104 spin_unlock_irqrestore(&cs->lock, flags);
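Review bot: The `local_read` test followed by `local_dec_return` in if_close is still a check-then-act sequence, because `local_t` operations are atomic only with respect to the CPU they run on. It therefore depends on external serialisation exactly as the plain `unsigned` did. Whatever lock if_close holds is taken outside this hunk; if it is the per-cardstate mutex, a comment on the field such as `/* serialised by cs->mutex; local_t alone is not a cross-CPU atomic */` would stop later readers from dropping it. The same applies to `local_inc_return` in the if_open hunk above.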
31105 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
31106 if (!cs->connected) {
31107 gig_dbg(DEBUG_IF, "not connected");
31108 retval = -ENODEV;
31109 - } else if (!cs->open_count)
31110 + } else if (!local_read(&cs->open_count))
31111 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31112 else {
31113 retval = 0;
31114 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
31115 if (!cs->connected) {
31116 gig_dbg(DEBUG_IF, "not connected");
31117 retval = -ENODEV;
31118 - } else if (!cs->open_count)
31119 + } else if (!local_read(&cs->open_count))
31120 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31121 else if (cs->mstate != MS_LOCKED) {
31122 dev_warn(cs->dev, "can't write to unlocked device\n");
31123 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
31124 if (!cs->connected) {
31125 gig_dbg(DEBUG_IF, "not connected");
31126 retval = -ENODEV;
31127 - } else if (!cs->open_count)
31128 + } else if (!local_read(&cs->open_count))
31129 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31130 else if (cs->mstate != MS_LOCKED) {
31131 dev_warn(cs->dev, "can't write to unlocked device\n");
31132 @@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
31133
31134 if (!cs->connected)
31135 gig_dbg(DEBUG_IF, "not connected");
31136 - else if (!cs->open_count)
31137 + else if (!local_read(&cs->open_count))
31138 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31139 else if (cs->mstate != MS_LOCKED)
31140 dev_warn(cs->dev, "can't write to unlocked device\n");
31141 @@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
31142
31143 if (!cs->connected)
31144 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31145 - else if (!cs->open_count)
31146 + else if (!local_read(&cs->open_count))
31147 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31148 else {
31149 //FIXME
31150 @@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
31151
31152 if (!cs->connected)
31153 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31154 - else if (!cs->open_count)
31155 + else if (!local_read(&cs->open_count))
31156 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31157 else {
31158 //FIXME
31159 @@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
31160 goto out;
31161 }
31162
31163 - if (!cs->open_count) {
31164 + if (!local_read(&cs->open_count)) {
31165 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31166 goto out;
31167 }
31168 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/avm/b1.c linux-2.6.32.43/drivers/isdn/hardware/avm/b1.c
31169 --- linux-2.6.32.43/drivers/isdn/hardware/avm/b1.c 2011-03-27 14:31:47.000000000 -0400
31170 +++ linux-2.6.32.43/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:56:46.000000000 -0400
31171 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
31172 }
31173 if (left) {
31174 if (t4file->user) {
31175 - if (copy_from_user(buf, dp, left))
31176 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31177 return -EFAULT;
31178 } else {
31179 memcpy(buf, dp, left);
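Review bot: The new `left > sizeof buf` bound guards only the `copy_from_user` branch; the `memcpy(buf, dp, left)` in the else branch copies the same `left` bytes into the same `buf` unchecked. Hoisting the test above `if (t4file->user)` would cover both paths, e.g. `if (left > sizeof buf) return -EINVAL;`, and would also stop a length error being reported as -EFAULT. The same pattern recurs in the b1_load_config hunk below and in the icn_writecmd hunk in drivers/isdn/icn/icn.c. The declarations of `buf` and `left` are outside the hunk, so the type of `left`, and therefore how a negative value compares against `sizeof`, should be confirmed.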
31180 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
31181 }
31182 if (left) {
31183 if (config->user) {
31184 - if (copy_from_user(buf, dp, left))
31185 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31186 return -EFAULT;
31187 } else {
31188 memcpy(buf, dp, left);
31189 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.43/drivers/isdn/hardware/eicon/capidtmf.c
31190 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-27 14:31:47.000000000 -0400
31191 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:46:57.000000000 -0400
31192 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31193 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31194 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31195
31196 + pax_track_stack();
31197
31198 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31199 {
31200 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.43/drivers/isdn/hardware/eicon/capifunc.c
31201 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/capifunc.c 2011-03-27 14:31:47.000000000 -0400
31202 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:46:57.000000000 -0400
31203 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31204 IDI_SYNC_REQ req;
31205 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31206
31207 + pax_track_stack();
31208 +
31209 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31210
31211 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31212 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.43/drivers/isdn/hardware/eicon/diddfunc.c
31213 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-27 14:31:47.000000000 -0400
31214 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:46:57.000000000 -0400
31215 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31216 IDI_SYNC_REQ req;
31217 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31218
31219 + pax_track_stack();
31220 +
31221 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31222
31223 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31224 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.43/drivers/isdn/hardware/eicon/divasfunc.c
31225 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-27 14:31:47.000000000 -0400
31226 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:46:57.000000000 -0400
31227 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31228 IDI_SYNC_REQ req;
31229 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31230
31231 + pax_track_stack();
31232 +
31233 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31234
31235 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31236 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.43/drivers/isdn/hardware/eicon/divasync.h
31237 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/divasync.h 2011-03-27 14:31:47.000000000 -0400
31238 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/divasync.h 2011-08-05 20:33:55.000000000 -0400
31239 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
31240 } diva_didd_add_adapter_t;
31241 typedef struct _diva_didd_remove_adapter {
31242 IDI_CALL p_request;
31243 -} diva_didd_remove_adapter_t;
31244 +} __no_const diva_didd_remove_adapter_t;
31245 typedef struct _diva_didd_read_adapter_array {
31246 void * buffer;
31247 dword length;
31248 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.43/drivers/isdn/hardware/eicon/idifunc.c
31249 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/idifunc.c 2011-03-27 14:31:47.000000000 -0400
31250 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:46:57.000000000 -0400
31251 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31252 IDI_SYNC_REQ req;
31253 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31254
31255 + pax_track_stack();
31256 +
31257 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31258
31259 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31260 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/message.c linux-2.6.32.43/drivers/isdn/hardware/eicon/message.c
31261 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/message.c 2011-03-27 14:31:47.000000000 -0400
31262 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:46:57.000000000 -0400
31263 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31264 dword d;
31265 word w;
31266
31267 + pax_track_stack();
31268 +
31269 a = plci->adapter;
31270 Id = ((word)plci->Id<<8)|a->Id;
31271 PUT_WORD(&SS_Ind[4],0x0000);
31272 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31273 word j, n, w;
31274 dword d;
31275
31276 + pax_track_stack();
31277 +
31278
31279 for(i=0;i<8;i++) bp_parms[i].length = 0;
31280 for(i=0;i<2;i++) global_config[i].length = 0;
31281 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31282 const byte llc3[] = {4,3,2,2,6,6,0};
31283 const byte header[] = {0,2,3,3,0,0,0};
31284
31285 + pax_track_stack();
31286 +
31287 for(i=0;i<8;i++) bp_parms[i].length = 0;
31288 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31289 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31290 @@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
31291 word appl_number_group_type[MAX_APPL];
31292 PLCI *auxplci;
31293
31294 + pax_track_stack();
31295 +
31296 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31297
31298 if(!a->group_optimization_enabled)
31299 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.43/drivers/isdn/hardware/eicon/mntfunc.c
31300 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-27 14:31:47.000000000 -0400
31301 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:46:57.000000000 -0400
31302 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31303 IDI_SYNC_REQ req;
31304 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31305
31306 + pax_track_stack();
31307 +
31308 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31309
31310 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31311 diff -urNp linux-2.6.32.43/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.43/drivers/isdn/hardware/eicon/xdi_adapter.h
31312 --- linux-2.6.32.43/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-03-27 14:31:47.000000000 -0400
31313 +++ linux-2.6.32.43/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-08-05 20:33:55.000000000 -0400
31314 @@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
31315 typedef struct _diva_os_idi_adapter_interface {
31316 diva_init_card_proc_t cleanup_adapter_proc;
31317 diva_cmd_card_proc_t cmd_proc;
31318 -} diva_os_idi_adapter_interface_t;
31319 +} __no_const diva_os_idi_adapter_interface_t;
31320
31321 typedef struct _diva_os_xdi_adapter {
31322 struct list_head link;
31323 diff -urNp linux-2.6.32.43/drivers/isdn/i4l/isdn_common.c linux-2.6.32.43/drivers/isdn/i4l/isdn_common.c
31324 --- linux-2.6.32.43/drivers/isdn/i4l/isdn_common.c 2011-03-27 14:31:47.000000000 -0400
31325 +++ linux-2.6.32.43/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:46:57.000000000 -0400
31326 @@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
31327 } iocpar;
31328 void __user *argp = (void __user *)arg;
31329
31330 + pax_track_stack();
31331 +
31332 #define name iocpar.name
31333 #define bname iocpar.bname
31334 #define iocts iocpar.iocts
31335 diff -urNp linux-2.6.32.43/drivers/isdn/icn/icn.c linux-2.6.32.43/drivers/isdn/icn/icn.c
31336 --- linux-2.6.32.43/drivers/isdn/icn/icn.c 2011-03-27 14:31:47.000000000 -0400
31337 +++ linux-2.6.32.43/drivers/isdn/icn/icn.c 2011-04-17 15:56:46.000000000 -0400
31338 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
31339 if (count > len)
31340 count = len;
31341 if (user) {
31342 - if (copy_from_user(msg, buf, count))
31343 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31344 return -EFAULT;
31345 } else
31346 memcpy(msg, buf, count);
31347 diff -urNp linux-2.6.32.43/drivers/isdn/mISDN/socket.c linux-2.6.32.43/drivers/isdn/mISDN/socket.c
31348 --- linux-2.6.32.43/drivers/isdn/mISDN/socket.c 2011-03-27 14:31:47.000000000 -0400
31349 +++ linux-2.6.32.43/drivers/isdn/mISDN/socket.c 2011-04-17 15:56:46.000000000 -0400
31350 @@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
31351 if (dev) {
31352 struct mISDN_devinfo di;
31353
31354 + memset(&di, 0, sizeof(di));
31355 di.id = dev->id;
31356 di.Dprotocols = dev->Dprotocols;
31357 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
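Review bot: The added `memset(&di, 0, sizeof(di))` carries no comment explaining why a struct that is then filled field by field needs clearing first. Presumably `di` is copied out to user space further down (outside this hunk), so padding and unassigned members must not carry stale stack contents. A one-line comment such as `/* di goes to user space: clear padding and unset fields */` would keep the call from being removed as redundant; the base_sock_ioctl hunk below needs the same.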
31358 @@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
31359 if (dev) {
31360 struct mISDN_devinfo di;
31361
31362 + memset(&di, 0, sizeof(di));
31363 di.id = dev->id;
31364 di.Dprotocols = dev->Dprotocols;
31365 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
31366 diff -urNp linux-2.6.32.43/drivers/isdn/sc/interrupt.c linux-2.6.32.43/drivers/isdn/sc/interrupt.c
31367 --- linux-2.6.32.43/drivers/isdn/sc/interrupt.c 2011-03-27 14:31:47.000000000 -0400
31368 +++ linux-2.6.32.43/drivers/isdn/sc/interrupt.c 2011-04-17 15:56:46.000000000 -0400
31369 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
31370 }
31371 else if(callid>=0x0000 && callid<=0x7FFF)
31372 {
31373 + int len;
31374 +
31375 pr_debug("%s: Got Incoming Call\n",
31376 sc_adapter[card]->devicename);
31377 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
31378 - strcpy(setup.eazmsn,
31379 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
31380 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
31381 + sizeof(setup.phone));
31382 + if (len >= sizeof(setup.phone))
31383 + continue;
31384 + len = strlcpy(setup.eazmsn,
31385 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
31386 + sizeof(setup.eazmsn));
31387 + if (len >= sizeof(setup.eazmsn))
31388 + continue;
31389 setup.si1 = 7;
31390 setup.si2 = 0;
31391 setup.plan = 0;
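Review bot: `len` is declared `int` but receives the `size_t` result of `strlcpy` and is compared against `sizeof(...)`, so the comparison is mixed signed/unsigned; `size_t len;` matches the API. Note also that `strlcpy` measures the whole source with `strlen`, so if `rcvmsg.msg_data.byte_array` is not guaranteed to be NUL-terminated (its origin is outside this hunk) the read side is still unbounded even though the write is now limited. The two `continue` paths drop the call silently; a `pr_debug` naming the oversized field would make that visible.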
31392 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
31393 * Handle a GetMyNumber Rsp
31394 */
31395 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
31396 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
31397 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
31398 + rcvmsg.msg_data.byte_array,
31399 + sizeof(rcvmsg.msg_data.byte_array));
31400 continue;
31401 }
31402
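Review bot: The size passed to `strlcpy` is `sizeof(rcvmsg.msg_data.byte_array)`, the source buffer, whereas `strlcpy` bounds the write by the destination size. If `dn` is smaller than `byte_array` (neither declaration is in this hunk) the copy can still run past `dn`. The bound should be the destination: `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)`. Unlike the incoming-call hunk above, the return value is also ignored here, so truncation goes unnoticed.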
31403 diff -urNp linux-2.6.32.43/drivers/lguest/core.c linux-2.6.32.43/drivers/lguest/core.c
31404 --- linux-2.6.32.43/drivers/lguest/core.c 2011-03-27 14:31:47.000000000 -0400
31405 +++ linux-2.6.32.43/drivers/lguest/core.c 2011-04-17 15:56:46.000000000 -0400
31406 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
31407 * it's worked so far. The end address needs +1 because __get_vm_area
31408 * allocates an extra guard page, so we need space for that.
31409 */
31410 +
31411 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31412 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31413 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31414 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31415 +#else
31416 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31417 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31418 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31419 +#endif
31420 +
31421 if (!switcher_vma) {
31422 err = -ENOMEM;
31423 printk("lguest: could not map switcher pages high\n");
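Review bot: The two `__get_vm_area` calls differ only in the flags argument, so duplicating the whole three-line call under `#if`/`#else` invites the size and address arithmetic drifting apart in a later edit. Selecting the flags once, e.g. `#define SWITCHER_VM_FLAGS (VM_ALLOC | VM_KERNEXEC)` under the config test and `#define SWITCHER_VM_FLAGS VM_ALLOC` otherwise, leaves a single call site. map_switcher starts and ends outside this hunk.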
31424 @@ -118,7 +126,7 @@ static __init int map_switcher(void)
31425 * Now the Switcher is mapped at the right address, we can't fail!
31426 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31427 */
31428 - memcpy(switcher_vma->addr, start_switcher_text,
31429 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31430 end_switcher_text - start_switcher_text);
31431
31432 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31433 diff -urNp linux-2.6.32.43/drivers/lguest/x86/core.c linux-2.6.32.43/drivers/lguest/x86/core.c
31434 --- linux-2.6.32.43/drivers/lguest/x86/core.c 2011-03-27 14:31:47.000000000 -0400
31435 +++ linux-2.6.32.43/drivers/lguest/x86/core.c 2011-04-17 15:56:46.000000000 -0400
31436 @@ -59,7 +59,7 @@ static struct {
31437 /* Offset from where switcher.S was compiled to where we've copied it */
31438 static unsigned long switcher_offset(void)
31439 {
31440 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
31441 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
31442 }
31443
31444 /* This cpu's struct lguest_pages. */
31445 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
31446 * These copies are pretty cheap, so we do them unconditionally: */
31447 /* Save the current Host top-level page directory.
31448 */
31449 +
31450 +#ifdef CONFIG_PAX_PER_CPU_PGD
31451 + pages->state.host_cr3 = read_cr3();
31452 +#else
31453 pages->state.host_cr3 = __pa(current->mm->pgd);
31454 +#endif
31455 +
31456 /*
31457 * Set up the Guest's page tables to see this CPU's pages (and no
31458 * other CPU's pages).
31459 @@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
31460 * compiled-in switcher code and the high-mapped copy we just made.
31461 */
31462 for (i = 0; i < IDT_ENTRIES; i++)
31463 - default_idt_entries[i] += switcher_offset();
31464 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
31465
31466 /*
31467 * Set up the Switcher's per-cpu areas.
31468 @@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
31469 * it will be undisturbed when we switch. To change %cs and jump we
31470 * need this structure to feed to Intel's "lcall" instruction.
31471 */
31472 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
31473 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
31474 lguest_entry.segment = LGUEST_CS;
31475
31476 /*
31477 diff -urNp linux-2.6.32.43/drivers/lguest/x86/switcher_32.S linux-2.6.32.43/drivers/lguest/x86/switcher_32.S
31478 --- linux-2.6.32.43/drivers/lguest/x86/switcher_32.S 2011-03-27 14:31:47.000000000 -0400
31479 +++ linux-2.6.32.43/drivers/lguest/x86/switcher_32.S 2011-04-17 15:56:46.000000000 -0400
31480 @@ -87,6 +87,7 @@
31481 #include <asm/page.h>
31482 #include <asm/segment.h>
31483 #include <asm/lguest.h>
31484 +#include <asm/processor-flags.h>
31485
31486 // We mark the start of the code to copy
31487 // It's placed in .text tho it's never run here
31488 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
31489 // Changes type when we load it: damn Intel!
31490 // For after we switch over our page tables
31491 // That entry will be read-only: we'd crash.
31492 +
31493 +#ifdef CONFIG_PAX_KERNEXEC
31494 + mov %cr0, %edx
31495 + xor $X86_CR0_WP, %edx
31496 + mov %edx, %cr0
31497 +#endif
31498 +
31499 movl $(GDT_ENTRY_TSS*8), %edx
31500 ltr %dx
31501
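Review bot: `xor $X86_CR0_WP, %edx` toggles the write-protect bit rather than clearing it, so it disables protection only if WP happens to be set on entry. The matching `xor` in the next hunk likewise restores it only if nothing changed the bit in between. State-independent forms are clearer and safer: `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` for the restore. A short comment saying that WP is lifted because the following write goes to a read-only GDT entry would also fit the surrounding commentary.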
31502 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
31503 // Let's clear it again for our return.
31504 // The GDT descriptor of the Host
31505 // Points to the table after two "size" bytes
31506 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
31507 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
31508 // Clear "used" from type field (byte 5, bit 2)
31509 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
31510 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
31511 +
31512 +#ifdef CONFIG_PAX_KERNEXEC
31513 + mov %cr0, %eax
31514 + xor $X86_CR0_WP, %eax
31515 + mov %eax, %cr0
31516 +#endif
31517
31518 // Once our page table's switched, the Guest is live!
31519 // The Host fades as we run this final step.
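Review bot: The rewritten `movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax` overwrites the register it uses as its base pointer, and the added CR0 sequence then clobbers `%eax` again. Whether anything after this hunk still expects `%eax` to hold that pointer cannot be seen from here. If it is dead at this point, a comment such as `// %eax is no longer needed as the pages pointer from here on` would record the assumption behind the switch from `%edx`.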
31520 @@ -295,13 +309,12 @@ deliver_to_host:
31521 // I consulted gcc, and it gave
31522 // These instructions, which I gladly credit:
31523 leal (%edx,%ebx,8), %eax
31524 - movzwl (%eax),%edx
31525 - movl 4(%eax), %eax
31526 - xorw %ax, %ax
31527 - orl %eax, %edx
31528 + movl 4(%eax), %edx
31529 + movw (%eax), %dx
31530 // Now the address of the handler's in %edx
31531 // We call it now: its "iret" drops us home.
31532 - jmp *%edx
31533 + ljmp $__KERNEL_CS, $1f
31534 +1: jmp *%edx
31535
31536 // Every interrupt can come to us here
31537 // But we must truly tell each apart.
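Review bot: The added `ljmp $__KERNEL_CS, $1f` is the only step in this routine without a comment, and its `$1f` operand is an absolute address. Comments elsewhere in this patch say the switcher text is executed from a copy at SWITCHER_ADDR rather than where it was linked. It is worth stating which copy the far jump is meant to land in and why `%cs` needs reloading before the handler is entered, e.g. `// Reload %cs with the Host kernel code segment before the indirect jump`. The replacement of the `movzwl`/`xorw`/`orl` sequence by `movl 4(%eax), %edx` and `movw (%eax), %dx` looks equivalent for assembling the handler address, but a note that `%eax` no longer needs preserving would help.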
31538 diff -urNp linux-2.6.32.43/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.43/drivers/macintosh/via-pmu-backlight.c
31539 --- linux-2.6.32.43/drivers/macintosh/via-pmu-backlight.c 2011-03-27 14:31:47.000000000 -0400
31540 +++ linux-2.6.32.43/drivers/macintosh/via-pmu-backlight.c 2011-04-17 15:56:46.000000000 -0400
31541 @@ -15,7 +15,7 @@
31542
31543 #define MAX_PMU_LEVEL 0xFF
31544
31545 -static struct backlight_ops pmu_backlight_data;
31546 +static const struct backlight_ops pmu_backlight_data;
31547 static DEFINE_SPINLOCK(pmu_backlight_lock);
31548 static int sleeping, uses_pmu_bl;
31549 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
31550 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
31551 return bd->props.brightness;
31552 }
31553
31554 -static struct backlight_ops pmu_backlight_data = {
31555 +static const struct backlight_ops pmu_backlight_data = {
31556 .get_brightness = pmu_backlight_get_brightness,
31557 .update_status = pmu_backlight_update_status,
31558
31559 diff -urNp linux-2.6.32.43/drivers/macintosh/via-pmu.c linux-2.6.32.43/drivers/macintosh/via-pmu.c
31560 --- linux-2.6.32.43/drivers/macintosh/via-pmu.c 2011-03-27 14:31:47.000000000 -0400
31561 +++ linux-2.6.32.43/drivers/macintosh/via-pmu.c 2011-04-17 15:56:46.000000000 -0400
31562 @@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
31563 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
31564 }
31565
31566 -static struct platform_suspend_ops pmu_pm_ops = {
31567 +static const struct platform_suspend_ops pmu_pm_ops = {
31568 .enter = powerbook_sleep,
31569 .valid = pmu_sleep_valid,
31570 };
31571 diff -urNp linux-2.6.32.43/drivers/md/dm.c linux-2.6.32.43/drivers/md/dm.c
31572 --- linux-2.6.32.43/drivers/md/dm.c 2011-03-27 14:31:47.000000000 -0400
31573 +++ linux-2.6.32.43/drivers/md/dm.c 2011-05-04 17:56:28.000000000 -0400
31574 @@ -163,9 +163,9 @@ struct mapped_device {
31575 /*
31576 * Event handling.
31577 */
31578 - atomic_t event_nr;
31579 + atomic_unchecked_t event_nr;
31580 wait_queue_head_t eventq;
31581 - atomic_t uevent_seq;
31582 + atomic_unchecked_t uevent_seq;
31583 struct list_head uevent_list;
31584 spinlock_t uevent_lock; /* Protect access to uevent_list */
31585
31586 @@ -1770,8 +1770,8 @@ static struct mapped_device *alloc_dev(i
31587 rwlock_init(&md->map_lock);
31588 atomic_set(&md->holders, 1);
31589 atomic_set(&md->open_count, 0);
31590 - atomic_set(&md->event_nr, 0);
31591 - atomic_set(&md->uevent_seq, 0);
31592 + atomic_set_unchecked(&md->event_nr, 0);
31593 + atomic_set_unchecked(&md->uevent_seq, 0);
31594 INIT_LIST_HEAD(&md->uevent_list);
31595 spin_lock_init(&md->uevent_lock);
31596
31597 @@ -1921,7 +1921,7 @@ static void event_callback(void *context
31598
31599 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
31600
31601 - atomic_inc(&md->event_nr);
31602 + atomic_inc_unchecked(&md->event_nr);
31603 wake_up(&md->eventq);
31604 }
31605
31606 @@ -2556,18 +2556,18 @@ void dm_kobject_uevent(struct mapped_dev
31607
31608 uint32_t dm_next_uevent_seq(struct mapped_device *md)
31609 {
31610 - return atomic_add_return(1, &md->uevent_seq);
31611 + return atomic_add_return_unchecked(1, &md->uevent_seq);
31612 }
31613
31614 uint32_t dm_get_event_nr(struct mapped_device *md)
31615 {
31616 - return atomic_read(&md->event_nr);
31617 + return atomic_read_unchecked(&md->event_nr);
31618 }
31619
31620 int dm_wait_event(struct mapped_device *md, int event_nr)
31621 {
31622 return wait_event_interruptible(md->eventq,
31623 - (event_nr != atomic_read(&md->event_nr)));
31624 + (event_nr != atomic_read_unchecked(&md->event_nr)));
31625 }
31626
31627 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
31628 diff -urNp linux-2.6.32.43/drivers/md/dm-ioctl.c linux-2.6.32.43/drivers/md/dm-ioctl.c
31629 --- linux-2.6.32.43/drivers/md/dm-ioctl.c 2011-03-27 14:31:47.000000000 -0400
31630 +++ linux-2.6.32.43/drivers/md/dm-ioctl.c 2011-04-17 15:56:46.000000000 -0400
31631 @@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
31632 cmd == DM_LIST_VERSIONS_CMD)
31633 return 0;
31634
31635 - if ((cmd == DM_DEV_CREATE_CMD)) {
31636 + if (cmd == DM_DEV_CREATE_CMD) {
31637 if (!*param->name) {
31638 DMWARN("name not supplied when creating device");
31639 return -EINVAL;
31640 diff -urNp linux-2.6.32.43/drivers/md/dm-raid1.c linux-2.6.32.43/drivers/md/dm-raid1.c
31641 --- linux-2.6.32.43/drivers/md/dm-raid1.c 2011-03-27 14:31:47.000000000 -0400
31642 +++ linux-2.6.32.43/drivers/md/dm-raid1.c 2011-05-04 17:56:28.000000000 -0400
31643 @@ -41,7 +41,7 @@ enum dm_raid1_error {
31644
31645 struct mirror {
31646 struct mirror_set *ms;
31647 - atomic_t error_count;
31648 + atomic_unchecked_t error_count;
31649 unsigned long error_type;
31650 struct dm_dev *dev;
31651 sector_t offset;
31652 @@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
31653 * simple way to tell if a device has encountered
31654 * errors.
31655 */
31656 - atomic_inc(&m->error_count);
31657 + atomic_inc_unchecked(&m->error_count);
31658
31659 if (test_and_set_bit(error_type, &m->error_type))
31660 return;
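Review bot: `error_count` is not a pure statistic, so the unchecked type deserves a comment at this increment in `fail_mirror`. The other dm-raid1.c hunks (`choose_mirror`, `default_ok`, `do_reads`, `device_status_char`) all test it for zero to decide whether a mirror is usable. A wrap back to zero would therefore change behaviour, even though it takes 2^32 failures to get there. I would extend the existing comment with something like `/* unchecked: only zero vs. non-zero matters; wrap is accepted */`, or stop incrementing once the count is non-zero. `fail_mirror` continues outside the hunk.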
31661 @@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
31662 }
31663
31664 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
31665 - if (!atomic_read(&new->error_count)) {
31666 + if (!atomic_read_unchecked(&new->error_count)) {
31667 set_default_mirror(new);
31668 break;
31669 }
31670 @@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
31671 struct mirror *m = get_default_mirror(ms);
31672
31673 do {
31674 - if (likely(!atomic_read(&m->error_count)))
31675 + if (likely(!atomic_read_unchecked(&m->error_count)))
31676 return m;
31677
31678 if (m-- == ms->mirror)
31679 @@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
31680 {
31681 struct mirror *default_mirror = get_default_mirror(m->ms);
31682
31683 - return !atomic_read(&default_mirror->error_count);
31684 + return !atomic_read_unchecked(&default_mirror->error_count);
31685 }
31686
31687 static int mirror_available(struct mirror_set *ms, struct bio *bio)
31688 @@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
31689 */
31690 if (likely(region_in_sync(ms, region, 1)))
31691 m = choose_mirror(ms, bio->bi_sector);
31692 - else if (m && atomic_read(&m->error_count))
31693 + else if (m && atomic_read_unchecked(&m->error_count))
31694 m = NULL;
31695
31696 if (likely(m))
31697 @@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
31698 }
31699
31700 ms->mirror[mirror].ms = ms;
31701 - atomic_set(&(ms->mirror[mirror].error_count), 0);
31702 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
31703 ms->mirror[mirror].error_type = 0;
31704 ms->mirror[mirror].offset = offset;
31705
31706 @@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
31707 */
31708 static char device_status_char(struct mirror *m)
31709 {
31710 - if (!atomic_read(&(m->error_count)))
31711 + if (!atomic_read_unchecked(&(m->error_count)))
31712 return 'A';
31713
31714 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
31715 diff -urNp linux-2.6.32.43/drivers/md/dm-stripe.c linux-2.6.32.43/drivers/md/dm-stripe.c
31716 --- linux-2.6.32.43/drivers/md/dm-stripe.c 2011-03-27 14:31:47.000000000 -0400
31717 +++ linux-2.6.32.43/drivers/md/dm-stripe.c 2011-05-04 17:56:28.000000000 -0400
31718 @@ -20,7 +20,7 @@ struct stripe {
31719 struct dm_dev *dev;
31720 sector_t physical_start;
31721
31722 - atomic_t error_count;
31723 + atomic_unchecked_t error_count;
31724 };
31725
31726 struct stripe_c {
31727 @@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
31728 kfree(sc);
31729 return r;
31730 }
31731 - atomic_set(&(sc->stripe[i].error_count), 0);
31732 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
31733 }
31734
31735 ti->private = sc;
31736 @@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
31737 DMEMIT("%d ", sc->stripes);
31738 for (i = 0; i < sc->stripes; i++) {
31739 DMEMIT("%s ", sc->stripe[i].dev->name);
31740 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
31741 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
31742 'D' : 'A';
31743 }
31744 buffer[i] = '\0';
31745 @@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
31746 */
31747 for (i = 0; i < sc->stripes; i++)
31748 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
31749 - atomic_inc(&(sc->stripe[i].error_count));
31750 - if (atomic_read(&(sc->stripe[i].error_count)) <
31751 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
31752 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
31753 DM_IO_ERROR_THRESHOLD)
31754 queue_work(kstriped, &sc->kstriped_ws);
31755 }
31756 diff -urNp linux-2.6.32.43/drivers/md/dm-sysfs.c linux-2.6.32.43/drivers/md/dm-sysfs.c
31757 --- linux-2.6.32.43/drivers/md/dm-sysfs.c 2011-03-27 14:31:47.000000000 -0400
31758 +++ linux-2.6.32.43/drivers/md/dm-sysfs.c 2011-04-17 15:56:46.000000000 -0400
31759 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
31760 NULL,
31761 };
31762
31763 -static struct sysfs_ops dm_sysfs_ops = {
31764 +static const struct sysfs_ops dm_sysfs_ops = {
31765 .show = dm_attr_show,
31766 };
31767
31768 diff -urNp linux-2.6.32.43/drivers/md/dm-table.c linux-2.6.32.43/drivers/md/dm-table.c
31769 --- linux-2.6.32.43/drivers/md/dm-table.c 2011-06-25 12:55:34.000000000 -0400
31770 +++ linux-2.6.32.43/drivers/md/dm-table.c 2011-06-25 12:56:37.000000000 -0400
31771 @@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
31772 if (!dev_size)
31773 return 0;
31774
31775 - if ((start >= dev_size) || (start + len > dev_size)) {
31776 + if ((start >= dev_size) || (len > dev_size - start)) {
31777 DMWARN("%s: %s too small for target: "
31778 "start=%llu, len=%llu, dev_size=%llu",
31779 dm_device_name(ti->table->md), bdevname(bdev, b),
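Review bot: The rewritten bound `len > dev_size - start` is only safe because `start >= dev_size` is tested first and short-circuits, and nothing in `device_area_is_invalid` says so. If the two operands of `||` are ever swapped or split, the subtraction can wrap just as the old `start + len` could. Add a comment above the condition such as `/* start < dev_size is established first, so dev_size - start cannot wrap; start + len could */`. The function begins outside the hunk, so the types of `start`, `len` and `dev_size` are assumed to be unsigned 64-bit as the `%llu` format suggests.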
31780 diff -urNp linux-2.6.32.43/drivers/md/md.c linux-2.6.32.43/drivers/md/md.c
31781 --- linux-2.6.32.43/drivers/md/md.c 2011-07-13 17:23:04.000000000 -0400
31782 +++ linux-2.6.32.43/drivers/md/md.c 2011-07-13 17:23:18.000000000 -0400
31783 @@ -153,10 +153,10 @@ static int start_readonly;
31784 * start build, activate spare
31785 */
31786 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
31787 -static atomic_t md_event_count;
31788 +static atomic_unchecked_t md_event_count;
31789 void md_new_event(mddev_t *mddev)
31790 {
31791 - atomic_inc(&md_event_count);
31792 + atomic_inc_unchecked(&md_event_count);
31793 wake_up(&md_event_waiters);
31794 }
31795 EXPORT_SYMBOL_GPL(md_new_event);
31796 @@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
31797 */
31798 static void md_new_event_inintr(mddev_t *mddev)
31799 {
31800 - atomic_inc(&md_event_count);
31801 + atomic_inc_unchecked(&md_event_count);
31802 wake_up(&md_event_waiters);
31803 }
31804
31805 @@ -1218,7 +1218,7 @@ static int super_1_load(mdk_rdev_t *rdev
31806
31807 rdev->preferred_minor = 0xffff;
31808 rdev->data_offset = le64_to_cpu(sb->data_offset);
31809 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
31810 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
31811
31812 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
31813 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
31814 @@ -1392,7 +1392,7 @@ static void super_1_sync(mddev_t *mddev,
31815 else
31816 sb->resync_offset = cpu_to_le64(0);
31817
31818 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
31819 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
31820
31821 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
31822 sb->size = cpu_to_le64(mddev->dev_sectors);
31823 @@ -2214,7 +2214,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
31824 static ssize_t
31825 errors_show(mdk_rdev_t *rdev, char *page)
31826 {
31827 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
31828 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
31829 }
31830
31831 static ssize_t
31832 @@ -2223,7 +2223,7 @@ errors_store(mdk_rdev_t *rdev, const cha
31833 char *e;
31834 unsigned long n = simple_strtoul(buf, &e, 10);
31835 if (*buf && (*e == 0 || *e == '\n')) {
31836 - atomic_set(&rdev->corrected_errors, n);
31837 + atomic_set_unchecked(&rdev->corrected_errors, n);
31838 return len;
31839 }
31840 return -EINVAL;
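Review bot: `errors_store` parses into `unsigned long n` and then stores it in a counter that, by the usual atomic API, holds an `int`, so values above `INT_MAX` are silently truncated. `errors_show` prints the same counter with `%d` and `super_1_sync` writes it to the superblock, so an oversized write from sysfs can surface as a negative or unrelated count. Switching to the unchecked setter does not change that, but it is a good moment to reject out-of-range input, e.g. `if (n > INT_MAX) return -EINVAL;` before the store. The function's signature is outside the hunk.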
31841 @@ -2517,7 +2517,7 @@ static void rdev_free(struct kobject *ko
31842 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
31843 kfree(rdev);
31844 }
31845 -static struct sysfs_ops rdev_sysfs_ops = {
31846 +static const struct sysfs_ops rdev_sysfs_ops = {
31847 .show = rdev_attr_show,
31848 .store = rdev_attr_store,
31849 };
31850 @@ -2566,8 +2566,8 @@ static mdk_rdev_t *md_import_device(dev_
31851 rdev->data_offset = 0;
31852 rdev->sb_events = 0;
31853 atomic_set(&rdev->nr_pending, 0);
31854 - atomic_set(&rdev->read_errors, 0);
31855 - atomic_set(&rdev->corrected_errors, 0);
31856 + atomic_set_unchecked(&rdev->read_errors, 0);
31857 + atomic_set_unchecked(&rdev->corrected_errors, 0);
31858
31859 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
31860 if (!size) {
31861 @@ -3887,7 +3887,7 @@ static void md_free(struct kobject *ko)
31862 kfree(mddev);
31863 }
31864
31865 -static struct sysfs_ops md_sysfs_ops = {
31866 +static const struct sysfs_ops md_sysfs_ops = {
31867 .show = md_attr_show,
31868 .store = md_attr_store,
31869 };
31870 @@ -4474,7 +4474,8 @@ out:
31871 err = 0;
31872 blk_integrity_unregister(disk);
31873 md_new_event(mddev);
31874 - sysfs_notify_dirent(mddev->sysfs_state);
31875 + if (mddev->sysfs_state)
31876 + sysfs_notify_dirent(mddev->sysfs_state);
31877 return err;
31878 }
31879
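Review bot: The NULL test on `mddev->sysfs_state` is open-coded at this single call, and nothing explains when the dirent can be absent. If other paths in md.c also call `sysfs_notify_dirent(mddev->sysfs_state)` (not visible here), they would need the same guard. A small wrapper would keep them consistent, for example `static inline void md_notify_state(mddev_t *mddev) { if (mddev->sysfs_state) sysfs_notify_dirent(mddev->sysfs_state); }`. The enclosing function starts outside the hunk.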
31880 @@ -5954,7 +5955,7 @@ static int md_seq_show(struct seq_file *
31881
31882 spin_unlock(&pers_lock);
31883 seq_printf(seq, "\n");
31884 - mi->event = atomic_read(&md_event_count);
31885 + mi->event = atomic_read_unchecked(&md_event_count);
31886 return 0;
31887 }
31888 if (v == (void*)2) {
31889 @@ -6043,7 +6044,7 @@ static int md_seq_show(struct seq_file *
31890 chunk_kb ? "KB" : "B");
31891 if (bitmap->file) {
31892 seq_printf(seq, ", file: ");
31893 - seq_path(seq, &bitmap->file->f_path, " \t\n");
31894 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
31895 }
31896
31897 seq_printf(seq, "\n");
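Review bot: The reason for adding the backslash to the `seq_path` escape set in `md_seq_show` is not recorded. `seq_path` emits the listed characters as octal `\ooo` escapes, so while the backslash itself is left unescaped a file name containing a literal `\012` reads the same as an escaped newline. A consumer parsing this output then cannot trust the bitmap file field. A one-line comment would stop someone trimming the set later, e.g. `/* escape '\\' too, so names cannot forge the \ooo escapes */`.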
31898 @@ -6077,7 +6078,7 @@ static int md_seq_open(struct inode *ino
31899 else {
31900 struct seq_file *p = file->private_data;
31901 p->private = mi;
31902 - mi->event = atomic_read(&md_event_count);
31903 + mi->event = atomic_read_unchecked(&md_event_count);
31904 }
31905 return error;
31906 }
31907 @@ -6093,7 +6094,7 @@ static unsigned int mdstat_poll(struct f
31908 /* always allow read */
31909 mask = POLLIN | POLLRDNORM;
31910
31911 - if (mi->event != atomic_read(&md_event_count))
31912 + if (mi->event != atomic_read_unchecked(&md_event_count))
31913 mask |= POLLERR | POLLPRI;
31914 return mask;
31915 }
31916 @@ -6137,7 +6138,7 @@ static int is_mddev_idle(mddev_t *mddev,
31917 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
31918 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
31919 (int)part_stat_read(&disk->part0, sectors[1]) -
31920 - atomic_read(&disk->sync_io);
31921 + atomic_read_unchecked(&disk->sync_io);
31922 /* sync IO will cause sync_io to increase before the disk_stats
31923 * as sync_io is counted when a request starts, and
31924 * disk_stats is counted when it completes.
31925 diff -urNp linux-2.6.32.43/drivers/md/md.h linux-2.6.32.43/drivers/md/md.h
31926 --- linux-2.6.32.43/drivers/md/md.h 2011-03-27 14:31:47.000000000 -0400
31927 +++ linux-2.6.32.43/drivers/md/md.h 2011-05-04 17:56:20.000000000 -0400
31928 @@ -94,10 +94,10 @@ struct mdk_rdev_s
31929 * only maintained for arrays that
31930 * support hot removal
31931 */
31932 - atomic_t read_errors; /* number of consecutive read errors that
31933 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
31934 * we have tried to ignore.
31935 */
31936 - atomic_t corrected_errors; /* number of corrected read errors,
31937 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
31938 * for reporting to userspace and storing
31939 * in superblock.
31940 */
31941 @@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
31942
31943 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
31944 {
31945 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
31946 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
31947 }
31948
31949 struct mdk_personality
31950 diff -urNp linux-2.6.32.43/drivers/md/raid10.c linux-2.6.32.43/drivers/md/raid10.c
31951 --- linux-2.6.32.43/drivers/md/raid10.c 2011-03-27 14:31:47.000000000 -0400
31952 +++ linux-2.6.32.43/drivers/md/raid10.c 2011-05-04 17:56:28.000000000 -0400
31953 @@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
31954 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
31955 set_bit(R10BIO_Uptodate, &r10_bio->state);
31956 else {
31957 - atomic_add(r10_bio->sectors,
31958 + atomic_add_unchecked(r10_bio->sectors,
31959 &conf->mirrors[d].rdev->corrected_errors);
31960 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
31961 md_error(r10_bio->mddev,
31962 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
31963 test_bit(In_sync, &rdev->flags)) {
31964 atomic_inc(&rdev->nr_pending);
31965 rcu_read_unlock();
31966 - atomic_add(s, &rdev->corrected_errors);
31967 + atomic_add_unchecked(s, &rdev->corrected_errors);
31968 if (sync_page_io(rdev->bdev,
31969 r10_bio->devs[sl].addr +
31970 sect + rdev->data_offset,
31971 diff -urNp linux-2.6.32.43/drivers/md/raid1.c linux-2.6.32.43/drivers/md/raid1.c
31972 --- linux-2.6.32.43/drivers/md/raid1.c 2011-03-27 14:31:47.000000000 -0400
31973 +++ linux-2.6.32.43/drivers/md/raid1.c 2011-05-04 17:56:28.000000000 -0400
31974 @@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
31975 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
31976 continue;
31977 rdev = conf->mirrors[d].rdev;
31978 - atomic_add(s, &rdev->corrected_errors);
31979 + atomic_add_unchecked(s, &rdev->corrected_errors);
31980 if (sync_page_io(rdev->bdev,
31981 sect + rdev->data_offset,
31982 s<<9,
31983 @@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
31984 /* Well, this device is dead */
31985 md_error(mddev, rdev);
31986 else {
31987 - atomic_add(s, &rdev->corrected_errors);
31988 + atomic_add_unchecked(s, &rdev->corrected_errors);
31989 printk(KERN_INFO
31990 "raid1:%s: read error corrected "
31991 "(%d sectors at %llu on %s)\n",
31992 diff -urNp linux-2.6.32.43/drivers/md/raid5.c linux-2.6.32.43/drivers/md/raid5.c
31993 --- linux-2.6.32.43/drivers/md/raid5.c 2011-06-25 12:55:34.000000000 -0400
31994 +++ linux-2.6.32.43/drivers/md/raid5.c 2011-06-25 12:58:39.000000000 -0400
31995 @@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
31996 bi->bi_next = NULL;
31997 if ((rw & WRITE) &&
31998 test_bit(R5_ReWrite, &sh->dev[i].flags))
31999 - atomic_add(STRIPE_SECTORS,
32000 + atomic_add_unchecked(STRIPE_SECTORS,
32001 &rdev->corrected_errors);
32002 generic_make_request(bi);
32003 } else {
32004 @@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
32005 clear_bit(R5_ReadError, &sh->dev[i].flags);
32006 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32007 }
32008 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32009 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32010 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32011 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32012 } else {
32013 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32014 int retry = 0;
32015 rdev = conf->disks[i].rdev;
32016
32017 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32018 - atomic_inc(&rdev->read_errors);
32019 + atomic_inc_unchecked(&rdev->read_errors);
32020 if (conf->mddev->degraded >= conf->max_degraded)
32021 printk_rl(KERN_WARNING
32022 "raid5:%s: read error not correctable "
32023 @@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
32024 (unsigned long long)(sh->sector
32025 + rdev->data_offset),
32026 bdn);
32027 - else if (atomic_read(&rdev->read_errors)
32028 + else if (atomic_read_unchecked(&rdev->read_errors)
32029 > conf->max_nr_stripes)
32030 printk(KERN_WARNING
32031 "raid5:%s: Too many read errors, failing device %s.\n",
32032 @@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
32033 sector_t r_sector;
32034 struct stripe_head sh2;
32035
32036 + pax_track_stack();
32037
32038 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32039 stripe = new_sector;
32040 diff -urNp linux-2.6.32.43/drivers/media/common/saa7146_fops.c linux-2.6.32.43/drivers/media/common/saa7146_fops.c
32041 --- linux-2.6.32.43/drivers/media/common/saa7146_fops.c 2011-03-27 14:31:47.000000000 -0400
32042 +++ linux-2.6.32.43/drivers/media/common/saa7146_fops.c 2011-08-05 20:33:55.000000000 -0400
32043 @@ -458,7 +458,7 @@ int saa7146_vv_init(struct saa7146_dev*
32044 ERR(("out of memory. aborting.\n"));
32045 return -ENOMEM;
32046 }
32047 - ext_vv->ops = saa7146_video_ioctl_ops;
32048 + memcpy((void *)&ext_vv->ops, &saa7146_video_ioctl_ops, sizeof(saa7146_video_ioctl_ops));
32049 ext_vv->core_ops = &saa7146_video_ioctl_ops;
32050
32051 DEB_EE(("dev:%p\n",dev));
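Review bot: The `memcpy` in `saa7146_vv_init` is sized by the source, `sizeof(saa7146_video_ioctl_ops)`, while it writes through a `(void *)` cast that removes every type check on the destination. Sizing it by the destination keeps the write bounded to the field if the two types ever diverge: `memcpy((void *)&ext_vv->ops, &saa7146_video_ioctl_ops, sizeof(ext_vv->ops));`. The cast also needs a comment saying that `ext_vv->ops` is a per-device writable copy whose const qualification is being bypassed on purpose (presumably it comes from the constified ops type). Otherwise it reads like an accidental const violation.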
32052 diff -urNp linux-2.6.32.43/drivers/media/common/saa7146_hlp.c linux-2.6.32.43/drivers/media/common/saa7146_hlp.c
32053 --- linux-2.6.32.43/drivers/media/common/saa7146_hlp.c 2011-03-27 14:31:47.000000000 -0400
32054 +++ linux-2.6.32.43/drivers/media/common/saa7146_hlp.c 2011-05-16 21:46:57.000000000 -0400
32055 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32056
32057 int x[32], y[32], w[32], h[32];
32058
32059 + pax_track_stack();
32060 +
32061 /* clear out memory */
32062 memset(&line_list[0], 0x00, sizeof(u32)*32);
32063 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32064 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32065 --- linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-27 14:31:47.000000000 -0400
32066 +++ linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:46:57.000000000 -0400
32067 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32068 u8 buf[HOST_LINK_BUF_SIZE];
32069 int i;
32070
32071 + pax_track_stack();
32072 +
32073 dprintk("%s\n", __func__);
32074
32075 /* check if we have space for a link buf in the rx_buffer */
32076 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32077 unsigned long timeout;
32078 int written;
32079
32080 + pax_track_stack();
32081 +
32082 dprintk("%s\n", __func__);
32083
32084 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32085 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_demux.h
32086 --- linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_demux.h 2011-03-27 14:31:47.000000000 -0400
32087 +++ linux-2.6.32.43/drivers/media/dvb/dvb-core/dvb_demux.h 2011-08-05 20:33:55.000000000 -0400
32088 @@ -71,7 +71,7 @@ struct dvb_demux_feed {
32089 union {
32090 dmx_ts_cb ts;
32091 dmx_section_cb sec;
32092 - } cb;
32093 + } __no_const cb;
32094
32095 struct dvb_demux *demux;
32096 void *priv;
32097 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.43/drivers/media/dvb/dvb-core/dvbdev.c
32098 --- linux-2.6.32.43/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-27 14:31:47.000000000 -0400
32099 +++ linux-2.6.32.43/drivers/media/dvb/dvb-core/dvbdev.c 2011-08-05 20:33:55.000000000 -0400
32100 @@ -228,8 +228,8 @@ int dvb_register_device(struct dvb_adapt
32101 dvbdev->fops = dvbdevfops;
32102 init_waitqueue_head (&dvbdev->wait_queue);
32103
32104 - memcpy(dvbdevfops, template->fops, sizeof(struct file_operations));
32105 - dvbdevfops->owner = adap->module;
32106 + memcpy((void *)dvbdevfops, template->fops, sizeof(struct file_operations));
32107 + *(void **)&dvbdevfops->owner = adap->module;
32108
32109 list_add_tail (&dvbdev->list_head, &adap->device_list);
32110
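Review bot: `*(void **)&dvbdevfops->owner = adap->module;` in `dvb_register_device` discards the member's type as well as its const qualifier, so any pointer would be accepted on the right-hand side. Casting only the qualifier away keeps the type check: `*(struct module **)&dvbdevfops->owner = adap->module;`. A short comment that `dvbdevfops` is a private, writable copy of the template (its allocation is outside the hunk) would justify both casts.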
32111 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.43/drivers/media/dvb/dvb-usb/cxusb.c
32112 --- linux-2.6.32.43/drivers/media/dvb/dvb-usb/cxusb.c 2011-03-27 14:31:47.000000000 -0400
32113 +++ linux-2.6.32.43/drivers/media/dvb/dvb-usb/cxusb.c 2011-08-05 20:33:55.000000000 -0400
32114 @@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
32115 struct dib0700_adapter_state {
32116 int (*set_param_save) (struct dvb_frontend *,
32117 struct dvb_frontend_parameters *);
32118 -};
32119 +} __no_const;
32120
32121 static int dib7070_set_param_override(struct dvb_frontend *fe,
32122 struct dvb_frontend_parameters *fep)
32123 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_core.c
32124 --- linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-27 14:31:47.000000000 -0400
32125 +++ linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:46:57.000000000 -0400
32126 @@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
32127
32128 u8 buf[260];
32129
32130 + pax_track_stack();
32131 +
32132 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32133 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
32134
32135 diff -urNp linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_devices.c
32136 --- linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-05-10 22:12:01.000000000 -0400
32137 +++ linux-2.6.32.43/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-08-05 20:33:55.000000000 -0400
32138 @@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
32139
32140 struct dib0700_adapter_state {
32141 int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
32142 -};
32143 +} __no_const;
32144
32145 /* Hauppauge Nova-T 500 (aka Bristol)
32146 * has a LNA on GPIO0 which is enabled by setting 1 */
32147 diff -urNp linux-2.6.32.43/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.43/drivers/media/dvb/frontends/dib3000.h
32148 --- linux-2.6.32.43/drivers/media/dvb/frontends/dib3000.h 2011-03-27 14:31:47.000000000 -0400
32149 +++ linux-2.6.32.43/drivers/media/dvb/frontends/dib3000.h 2011-08-05 20:33:55.000000000 -0400
32150 @@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
32151 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
32152 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
32153 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
32154 -};
32155 +} __no_const;
32156
32157 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
32158 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
32159 diff -urNp linux-2.6.32.43/drivers/media/dvb/frontends/or51211.c linux-2.6.32.43/drivers/media/dvb/frontends/or51211.c
32160 --- linux-2.6.32.43/drivers/media/dvb/frontends/or51211.c 2011-03-27 14:31:47.000000000 -0400
32161 +++ linux-2.6.32.43/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:46:57.000000000 -0400
32162 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32163 u8 tudata[585];
32164 int i;
32165
32166 + pax_track_stack();
32167 +
32168 dprintk("Firmware is %zd bytes\n",fw->size);
32169
32170 /* Get eprom data */
32171 diff -urNp linux-2.6.32.43/drivers/media/dvb/ttpci/av7110_v4l.c linux-2.6.32.43/drivers/media/dvb/ttpci/av7110_v4l.c
32172 --- linux-2.6.32.43/drivers/media/dvb/ttpci/av7110_v4l.c 2011-03-27 14:31:47.000000000 -0400
32173 +++ linux-2.6.32.43/drivers/media/dvb/ttpci/av7110_v4l.c 2011-08-05 20:33:55.000000000 -0400
32174 @@ -796,18 +796,18 @@ int av7110_init_v4l(struct av7110 *av711
32175 ERR(("cannot init capture device. skipping.\n"));
32176 return -ENODEV;
32177 }
32178 - vv_data->ops.vidioc_enum_input = vidioc_enum_input;
32179 - vv_data->ops.vidioc_g_input = vidioc_g_input;
32180 - vv_data->ops.vidioc_s_input = vidioc_s_input;
32181 - vv_data->ops.vidioc_g_tuner = vidioc_g_tuner;
32182 - vv_data->ops.vidioc_s_tuner = vidioc_s_tuner;
32183 - vv_data->ops.vidioc_g_frequency = vidioc_g_frequency;
32184 - vv_data->ops.vidioc_s_frequency = vidioc_s_frequency;
32185 - vv_data->ops.vidioc_g_audio = vidioc_g_audio;
32186 - vv_data->ops.vidioc_s_audio = vidioc_s_audio;
32187 - vv_data->ops.vidioc_g_sliced_vbi_cap = vidioc_g_sliced_vbi_cap;
32188 - vv_data->ops.vidioc_g_fmt_sliced_vbi_out = vidioc_g_fmt_sliced_vbi_out;
32189 - vv_data->ops.vidioc_s_fmt_sliced_vbi_out = vidioc_s_fmt_sliced_vbi_out;
32190 + *(void **)&vv_data->ops.vidioc_enum_input = vidioc_enum_input;
32191 + *(void **)&vv_data->ops.vidioc_g_input = vidioc_g_input;
32192 + *(void **)&vv_data->ops.vidioc_s_input = vidioc_s_input;
32193 + *(void **)&vv_data->ops.vidioc_g_tuner = vidioc_g_tuner;
32194 + *(void **)&vv_data->ops.vidioc_s_tuner = vidioc_s_tuner;
32195 + *(void **)&vv_data->ops.vidioc_g_frequency = vidioc_g_frequency;
32196 + *(void **)&vv_data->ops.vidioc_s_frequency = vidioc_s_frequency;
32197 + *(void **)&vv_data->ops.vidioc_g_audio = vidioc_g_audio;
32198 + *(void **)&vv_data->ops.vidioc_s_audio = vidioc_s_audio;
32199 + *(void **)&vv_data->ops.vidioc_g_sliced_vbi_cap = vidioc_g_sliced_vbi_cap;
32200 + *(void **)&vv_data->ops.vidioc_g_fmt_sliced_vbi_out = vidioc_g_fmt_sliced_vbi_out;
32201 + *(void **)&vv_data->ops.vidioc_s_fmt_sliced_vbi_out = vidioc_s_fmt_sliced_vbi_out;
32202
32203 if (saa7146_register_device(&av7110->v4l_dev, dev, "av7110", VFL_TYPE_GRABBER)) {
32204 ERR(("cannot register capture device. skipping.\n"));
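Review bot: Each `*(void **)&vv_data->ops.vidioc_... = handler;` store bypasses the compiler's check that the handler matches the member's function-pointer type. A handler with the wrong signature would now build cleanly and be called through a mismatched pointer. The same pattern appears in the budget-av.c, hexium_gemini.c, hexium_orion.c and mxb.c hunks. The check can be kept by initialising a typed local first and copying that, e.g. `typeof(vv_data->ops.vidioc_enum_input) fn = vidioc_enum_input;` followed by `memcpy((void *)&vv_data->ops.vidioc_enum_input, &fn, sizeof(fn));`. Wrapped in one macro, this would also leave a single place to document why the const ops copy is writable.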
32205 diff -urNp linux-2.6.32.43/drivers/media/dvb/ttpci/budget-av.c linux-2.6.32.43/drivers/media/dvb/ttpci/budget-av.c
32206 --- linux-2.6.32.43/drivers/media/dvb/ttpci/budget-av.c 2011-03-27 14:31:47.000000000 -0400
32207 +++ linux-2.6.32.43/drivers/media/dvb/ttpci/budget-av.c 2011-08-05 20:33:55.000000000 -0400
32208 @@ -1477,9 +1477,9 @@ static int budget_av_attach(struct saa71
32209 ERR(("cannot init vv subsystem.\n"));
32210 return err;
32211 }
32212 - vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32213 - vv_data.ops.vidioc_g_input = vidioc_g_input;
32214 - vv_data.ops.vidioc_s_input = vidioc_s_input;
32215 + *(void **)&vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32216 + *(void **)&vv_data.ops.vidioc_g_input = vidioc_g_input;
32217 + *(void **)&vv_data.ops.vidioc_s_input = vidioc_s_input;
32218
32219 if ((err = saa7146_register_device(&budget_av->vd, dev, "knc1", VFL_TYPE_GRABBER))) {
32220 /* fixme: proper cleanup here */
32221 diff -urNp linux-2.6.32.43/drivers/media/radio/radio-cadet.c linux-2.6.32.43/drivers/media/radio/radio-cadet.c
32222 --- linux-2.6.32.43/drivers/media/radio/radio-cadet.c 2011-03-27 14:31:47.000000000 -0400
32223 +++ linux-2.6.32.43/drivers/media/radio/radio-cadet.c 2011-04-17 15:56:46.000000000 -0400
32224 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
32225 while (i < count && dev->rdsin != dev->rdsout)
32226 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32227
32228 - if (copy_to_user(data, readbuf, i))
32229 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32230 return -EFAULT;
32231 return i;
32232 }
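Review bot: The added `i > sizeof readbuf` test in `cadet_read` runs after the loop that fills `readbuf[i++]`. It stops an over-long copy to user space but not an over-long write into the stack buffer. If `count` can exceed the buffer size (`readbuf` is declared outside the hunk, so this is inferred), the loop has already run past the end by the time the check fires. Bounding the loop is the stronger guard: `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`. With that in place the new test becomes a pure assertion.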
32233 diff -urNp linux-2.6.32.43/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.43/drivers/media/video/cx18/cx18-driver.c
32234 --- linux-2.6.32.43/drivers/media/video/cx18/cx18-driver.c 2011-03-27 14:31:47.000000000 -0400
32235 +++ linux-2.6.32.43/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:46:57.000000000 -0400
32236 @@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
32237
32238 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32239
32240 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32241 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32242
32243 /* Parameter declarations */
32244 static int cardtype[CX18_MAX_CARDS];
32245 @@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32246 struct i2c_client c;
32247 u8 eedata[256];
32248
32249 + pax_track_stack();
32250 +
32251 memset(&c, 0, sizeof(c));
32252 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32253 c.adapter = &cx->i2c_adap[0];
32254 @@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
32255 struct cx18 *cx;
32256
32257 /* FIXME - module parameter arrays constrain max instances */
32258 - i = atomic_inc_return(&cx18_instance) - 1;
32259 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32260 if (i >= CX18_MAX_CARDS) {
32261 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32262 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
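Review bot: In `cx18_probe` the instance number comes from a counter that is now explicitly allowed to wrap, but the check below it tests only the upper bound. If `i` is a signed int (declared outside the hunk), a wrapped negative value passes `i >= CX18_MAX_CARDS`. By the FIXME about module parameter arrays, it would then presumably index arrays such as `cardtype[]`. The wrap needs an implausible number of probes, but the check is cheap: `if (i < 0 || i >= CX18_MAX_CARDS) {`. The same applies to `ivtv_instance` in the ivtv-driver.c hunk, if it is used the same way.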
32263 diff -urNp linux-2.6.32.43/drivers/media/video/hexium_gemini.c linux-2.6.32.43/drivers/media/video/hexium_gemini.c
32264 --- linux-2.6.32.43/drivers/media/video/hexium_gemini.c 2011-03-27 14:31:47.000000000 -0400
32265 +++ linux-2.6.32.43/drivers/media/video/hexium_gemini.c 2011-08-05 20:33:55.000000000 -0400
32266 @@ -394,12 +394,12 @@ static int hexium_attach(struct saa7146_
32267 hexium->cur_input = 0;
32268
32269 saa7146_vv_init(dev, &vv_data);
32270 - vv_data.ops.vidioc_queryctrl = vidioc_queryctrl;
32271 - vv_data.ops.vidioc_g_ctrl = vidioc_g_ctrl;
32272 - vv_data.ops.vidioc_s_ctrl = vidioc_s_ctrl;
32273 - vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32274 - vv_data.ops.vidioc_g_input = vidioc_g_input;
32275 - vv_data.ops.vidioc_s_input = vidioc_s_input;
32276 + *(void **)&vv_data.ops.vidioc_queryctrl = vidioc_queryctrl;
32277 + *(void **)&vv_data.ops.vidioc_g_ctrl = vidioc_g_ctrl;
32278 + *(void **)&vv_data.ops.vidioc_s_ctrl = vidioc_s_ctrl;
32279 + *(void **)&vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32280 + *(void **)&vv_data.ops.vidioc_g_input = vidioc_g_input;
32281 + *(void **)&vv_data.ops.vidioc_s_input = vidioc_s_input;
32282 if (0 != saa7146_register_device(&hexium->video_dev, dev, "hexium gemini", VFL_TYPE_GRABBER)) {
32283 printk("hexium_gemini: cannot register capture v4l2 device. skipping.\n");
32284 return -1;
32285 diff -urNp linux-2.6.32.43/drivers/media/video/hexium_orion.c linux-2.6.32.43/drivers/media/video/hexium_orion.c
32286 --- linux-2.6.32.43/drivers/media/video/hexium_orion.c 2011-03-27 14:31:47.000000000 -0400
32287 +++ linux-2.6.32.43/drivers/media/video/hexium_orion.c 2011-08-05 20:33:55.000000000 -0400
32288 @@ -369,9 +369,9 @@ static int hexium_attach(struct saa7146_
32289 DEB_EE((".\n"));
32290
32291 saa7146_vv_init(dev, &vv_data);
32292 - vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32293 - vv_data.ops.vidioc_g_input = vidioc_g_input;
32294 - vv_data.ops.vidioc_s_input = vidioc_s_input;
32295 + *(void **)&vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32296 + *(void **)&vv_data.ops.vidioc_g_input = vidioc_g_input;
32297 + *(void **)&vv_data.ops.vidioc_s_input = vidioc_s_input;
32298 if (0 != saa7146_register_device(&hexium->video_dev, dev, "hexium orion", VFL_TYPE_GRABBER)) {
32299 printk("hexium_orion: cannot register capture v4l2 device. skipping.\n");
32300 return -1;
32301 diff -urNp linux-2.6.32.43/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.43/drivers/media/video/ivtv/ivtv-driver.c
32302 --- linux-2.6.32.43/drivers/media/video/ivtv/ivtv-driver.c 2011-03-27 14:31:47.000000000 -0400
32303 +++ linux-2.6.32.43/drivers/media/video/ivtv/ivtv-driver.c 2011-05-04 17:56:28.000000000 -0400
32304 @@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
32305 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
32306
32307 /* ivtv instance counter */
32308 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
32309 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
32310
32311 /* Parameter declarations */
32312 static int cardtype[IVTV_MAX_CARDS];
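Review bot: The declaration of `ivtv_instance` does not say why it was switched to `atomic_unchecked_t`, and the existing `/* ivtv instance counter */` comment gives no reason for opting out of overflow detection. If the reasoning is that the value only numbers probed cards and never guards an object lifetime, a line such as `/* not a reference count: wraparound is harmless, so the unchecked variant is used */` would let a later reader verify that. The same applies to the `_unchecked` conversions in the omap24xxcam.c/.h, v4l2-device.c, i2o/iop.c and sgi-gru hunks, where the counters look like statistics or id generators rather than refcounts.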
32313 diff -urNp linux-2.6.32.43/drivers/media/video/mxb.c linux-2.6.32.43/drivers/media/video/mxb.c
32314 --- linux-2.6.32.43/drivers/media/video/mxb.c 2011-03-27 14:31:47.000000000 -0400
32315 +++ linux-2.6.32.43/drivers/media/video/mxb.c 2011-08-05 20:33:55.000000000 -0400
32316 @@ -703,23 +703,23 @@ static int mxb_attach(struct saa7146_dev
32317 already did this in "mxb_vl42_probe" */
32318
32319 saa7146_vv_init(dev, &vv_data);
32320 - vv_data.ops.vidioc_queryctrl = vidioc_queryctrl;
32321 - vv_data.ops.vidioc_g_ctrl = vidioc_g_ctrl;
32322 - vv_data.ops.vidioc_s_ctrl = vidioc_s_ctrl;
32323 - vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32324 - vv_data.ops.vidioc_g_input = vidioc_g_input;
32325 - vv_data.ops.vidioc_s_input = vidioc_s_input;
32326 - vv_data.ops.vidioc_g_tuner = vidioc_g_tuner;
32327 - vv_data.ops.vidioc_s_tuner = vidioc_s_tuner;
32328 - vv_data.ops.vidioc_g_frequency = vidioc_g_frequency;
32329 - vv_data.ops.vidioc_s_frequency = vidioc_s_frequency;
32330 - vv_data.ops.vidioc_g_audio = vidioc_g_audio;
32331 - vv_data.ops.vidioc_s_audio = vidioc_s_audio;
32332 + *(void **)&vv_data.ops.vidioc_queryctrl = vidioc_queryctrl;
32333 + *(void **)&vv_data.ops.vidioc_g_ctrl = vidioc_g_ctrl;
32334 + *(void **)&vv_data.ops.vidioc_s_ctrl = vidioc_s_ctrl;
32335 + *(void **)&vv_data.ops.vidioc_enum_input = vidioc_enum_input;
32336 + *(void **)&vv_data.ops.vidioc_g_input = vidioc_g_input;
32337 + *(void **)&vv_data.ops.vidioc_s_input = vidioc_s_input;
32338 + *(void **)&vv_data.ops.vidioc_g_tuner = vidioc_g_tuner;
32339 + *(void **)&vv_data.ops.vidioc_s_tuner = vidioc_s_tuner;
32340 + *(void **)&vv_data.ops.vidioc_g_frequency = vidioc_g_frequency;
32341 + *(void **)&vv_data.ops.vidioc_s_frequency = vidioc_s_frequency;
32342 + *(void **)&vv_data.ops.vidioc_g_audio = vidioc_g_audio;
32343 + *(void **)&vv_data.ops.vidioc_s_audio = vidioc_s_audio;
32344 #ifdef CONFIG_VIDEO_ADV_DEBUG
32345 - vv_data.ops.vidioc_g_register = vidioc_g_register;
32346 - vv_data.ops.vidioc_s_register = vidioc_s_register;
32347 + *(void **)&vv_data.ops.vidioc_g_register = vidioc_g_register;
32348 + *(void **)&vv_data.ops.vidioc_s_register = vidioc_s_register;
32349 #endif
32350 - vv_data.ops.vidioc_default = vidioc_default;
32351 + *(void **)&vv_data.ops.vidioc_default = vidioc_default;
32352 if (saa7146_register_device(&mxb->video_dev, dev, "mxb", VFL_TYPE_GRABBER)) {
32353 ERR(("cannot register capture v4l2 device. skipping.\n"));
32354 return -1;
32355 diff -urNp linux-2.6.32.43/drivers/media/video/omap24xxcam.c linux-2.6.32.43/drivers/media/video/omap24xxcam.c
32356 --- linux-2.6.32.43/drivers/media/video/omap24xxcam.c 2011-03-27 14:31:47.000000000 -0400
32357 +++ linux-2.6.32.43/drivers/media/video/omap24xxcam.c 2011-05-04 17:56:28.000000000 -0400
32358 @@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
32359 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
32360
32361 do_gettimeofday(&vb->ts);
32362 - vb->field_count = atomic_add_return(2, &fh->field_count);
32363 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
32364 if (csr & csr_error) {
32365 vb->state = VIDEOBUF_ERROR;
32366 if (!atomic_read(&fh->cam->in_reset)) {
32367 diff -urNp linux-2.6.32.43/drivers/media/video/omap24xxcam.h linux-2.6.32.43/drivers/media/video/omap24xxcam.h
32368 --- linux-2.6.32.43/drivers/media/video/omap24xxcam.h 2011-03-27 14:31:47.000000000 -0400
32369 +++ linux-2.6.32.43/drivers/media/video/omap24xxcam.h 2011-05-04 17:56:28.000000000 -0400
32370 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
32371 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
32372 struct videobuf_queue vbq;
32373 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
32374 - atomic_t field_count; /* field counter for videobuf_buffer */
32375 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
32376 /* accessing cam here doesn't need serialisation: it's constant */
32377 struct omap24xxcam_device *cam;
32378 };
32379 diff -urNp linux-2.6.32.43/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.43/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
32380 --- linux-2.6.32.43/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-27 14:31:47.000000000 -0400
32381 +++ linux-2.6.32.43/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:46:57.000000000 -0400
32382 @@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
32383 u8 *eeprom;
32384 struct tveeprom tvdata;
32385
32386 + pax_track_stack();
32387 +
32388 memset(&tvdata,0,sizeof(tvdata));
32389
32390 eeprom = pvr2_eeprom_fetch(hdw);
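Review bot: `pax_track_stack();` is inserted with no comment, so nothing at the call site says why this function was selected. From the hunk the likely reason is the on-stack `struct tveeprom tvdata`, whose size is not visible here. A short comment such as `/* large stack frame: record stack depth so the used region can be cleared later */` would document the intent, assuming that is what the helper does in this patch. The same bare call is added in the saa6752hs.c (two 256-byte arrays), saa7164-cmd.c (`u8 tmp[512]`), usbvision-core.c, videobuf-dma-sg.c, i2o_config.c and wm8350-i2c.c hunks.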
32391 diff -urNp linux-2.6.32.43/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.43/drivers/media/video/saa7134/saa6752hs.c
32392 --- linux-2.6.32.43/drivers/media/video/saa7134/saa6752hs.c 2011-03-27 14:31:47.000000000 -0400
32393 +++ linux-2.6.32.43/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:46:57.000000000 -0400
32394 @@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
32395 unsigned char localPAT[256];
32396 unsigned char localPMT[256];
32397
32398 + pax_track_stack();
32399 +
32400 /* Set video format - must be done first as it resets other settings */
32401 set_reg8(client, 0x41, h->video_format);
32402
32403 diff -urNp linux-2.6.32.43/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.43/drivers/media/video/saa7164/saa7164-cmd.c
32404 --- linux-2.6.32.43/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-27 14:31:47.000000000 -0400
32405 +++ linux-2.6.32.43/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:46:57.000000000 -0400
32406 @@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
32407 wait_queue_head_t *q = 0;
32408 dprintk(DBGLVL_CMD, "%s()\n", __func__);
32409
32410 + pax_track_stack();
32411 +
32412 /* While any outstand message on the bus exists... */
32413 do {
32414
32415 @@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
32416 u8 tmp[512];
32417 dprintk(DBGLVL_CMD, "%s()\n", __func__);
32418
32419 + pax_track_stack();
32420 +
32421 while (loop) {
32422
32423 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
32424 diff -urNp linux-2.6.32.43/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.43/drivers/media/video/usbvideo/ibmcam.c
32425 --- linux-2.6.32.43/drivers/media/video/usbvideo/ibmcam.c 2011-03-27 14:31:47.000000000 -0400
32426 +++ linux-2.6.32.43/drivers/media/video/usbvideo/ibmcam.c 2011-08-05 20:33:55.000000000 -0400
32427 @@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
32428 static int __init ibmcam_init(void)
32429 {
32430 struct usbvideo_cb cbTbl;
32431 - memset(&cbTbl, 0, sizeof(cbTbl));
32432 - cbTbl.probe = ibmcam_probe;
32433 - cbTbl.setupOnOpen = ibmcam_setup_on_open;
32434 - cbTbl.videoStart = ibmcam_video_start;
32435 - cbTbl.videoStop = ibmcam_video_stop;
32436 - cbTbl.processData = ibmcam_ProcessIsocData;
32437 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32438 - cbTbl.adjustPicture = ibmcam_adjust_picture;
32439 - cbTbl.getFPS = ibmcam_calculate_fps;
32440 + memset((void *)&cbTbl, 0, sizeof(cbTbl));
32441 + *(void **)&cbTbl.probe = ibmcam_probe;
32442 + *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
32443 + *(void **)&cbTbl.videoStart = ibmcam_video_start;
32444 + *(void **)&cbTbl.videoStop = ibmcam_video_stop;
32445 + *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
32446 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32447 + *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
32448 + *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
32449 return usbvideo_register(
32450 &cams,
32451 MAX_IBMCAM,
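Review bot: The `(void *)` cast added in `memset((void *)&cbTbl, 0, sizeof(cbTbl));` looks unnecessary, because `&cbTbl` converts to `void *` implicitly and the declaration `struct usbvideo_cb cbTbl;` in this hunk is not const-qualified. It is also applied inconsistently: konicawc_init spells it `(void * )` with a stray space, and ultracam_init leaves its memset uncast. Either drop the cast in all three or keep a single spelling, with a comment naming the warning it is meant to silence.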
32452 diff -urNp linux-2.6.32.43/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.43/drivers/media/video/usbvideo/konicawc.c
32453 --- linux-2.6.32.43/drivers/media/video/usbvideo/konicawc.c 2011-03-27 14:31:47.000000000 -0400
32454 +++ linux-2.6.32.43/drivers/media/video/usbvideo/konicawc.c 2011-08-05 20:33:55.000000000 -0400
32455 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
32456 int error;
32457
32458 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
32459 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32460 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32461
32462 cam->input = input_dev = input_allocate_device();
32463 if (!input_dev) {
32464 @@ -935,16 +935,16 @@ static int __init konicawc_init(void)
32465 struct usbvideo_cb cbTbl;
32466 printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
32467 DRIVER_DESC "\n");
32468 - memset(&cbTbl, 0, sizeof(cbTbl));
32469 - cbTbl.probe = konicawc_probe;
32470 - cbTbl.setupOnOpen = konicawc_setup_on_open;
32471 - cbTbl.processData = konicawc_process_isoc;
32472 - cbTbl.getFPS = konicawc_calculate_fps;
32473 - cbTbl.setVideoMode = konicawc_set_video_mode;
32474 - cbTbl.startDataPump = konicawc_start_data;
32475 - cbTbl.stopDataPump = konicawc_stop_data;
32476 - cbTbl.adjustPicture = konicawc_adjust_picture;
32477 - cbTbl.userFree = konicawc_free_uvd;
32478 + memset((void * )&cbTbl, 0, sizeof(cbTbl));
32479 + *(void **)&cbTbl.probe = konicawc_probe;
32480 + *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
32481 + *(void **)&cbTbl.processData = konicawc_process_isoc;
32482 + *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
32483 + *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
32484 + *(void **)&cbTbl.startDataPump = konicawc_start_data;
32485 + *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
32486 + *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
32487 + *(void **)&cbTbl.userFree = konicawc_free_uvd;
32488 return usbvideo_register(
32489 &cams,
32490 MAX_CAMERAS,
32491 diff -urNp linux-2.6.32.43/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.43/drivers/media/video/usbvideo/quickcam_messenger.c
32492 --- linux-2.6.32.43/drivers/media/video/usbvideo/quickcam_messenger.c 2011-03-27 14:31:47.000000000 -0400
32493 +++ linux-2.6.32.43/drivers/media/video/usbvideo/quickcam_messenger.c 2011-04-17 15:56:46.000000000 -0400
32494 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
32495 int error;
32496
32497 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
32498 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32499 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32500
32501 cam->input = input_dev = input_allocate_device();
32502 if (!input_dev) {
32503 diff -urNp linux-2.6.32.43/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.43/drivers/media/video/usbvideo/ultracam.c
32504 --- linux-2.6.32.43/drivers/media/video/usbvideo/ultracam.c 2011-03-27 14:31:47.000000000 -0400
32505 +++ linux-2.6.32.43/drivers/media/video/usbvideo/ultracam.c 2011-08-05 20:33:55.000000000 -0400
32506 @@ -655,14 +655,14 @@ static int __init ultracam_init(void)
32507 {
32508 struct usbvideo_cb cbTbl;
32509 memset(&cbTbl, 0, sizeof(cbTbl));
32510 - cbTbl.probe = ultracam_probe;
32511 - cbTbl.setupOnOpen = ultracam_setup_on_open;
32512 - cbTbl.videoStart = ultracam_video_start;
32513 - cbTbl.videoStop = ultracam_video_stop;
32514 - cbTbl.processData = ultracam_ProcessIsocData;
32515 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32516 - cbTbl.adjustPicture = ultracam_adjust_picture;
32517 - cbTbl.getFPS = ultracam_calculate_fps;
32518 + *(void **)&cbTbl.probe = ultracam_probe;
32519 + *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
32520 + *(void **)&cbTbl.videoStart = ultracam_video_start;
32521 + *(void **)&cbTbl.videoStop = ultracam_video_stop;
32522 + *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
32523 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32524 + *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
32525 + *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
32526 return usbvideo_register(
32527 &cams,
32528 MAX_CAMERAS,
32529 diff -urNp linux-2.6.32.43/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.43/drivers/media/video/usbvideo/usbvideo.c
32530 --- linux-2.6.32.43/drivers/media/video/usbvideo/usbvideo.c 2011-03-27 14:31:47.000000000 -0400
32531 +++ linux-2.6.32.43/drivers/media/video/usbvideo/usbvideo.c 2011-08-05 20:33:55.000000000 -0400
32532 @@ -697,15 +697,15 @@ int usbvideo_register(
32533 __func__, cams, base_size, num_cams);
32534
32535 /* Copy callbacks, apply defaults for those that are not set */
32536 - memmove(&cams->cb, cbTbl, sizeof(cams->cb));
32537 + memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
32538 if (cams->cb.getFrame == NULL)
32539 - cams->cb.getFrame = usbvideo_GetFrame;
32540 + *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
32541 if (cams->cb.disconnect == NULL)
32542 - cams->cb.disconnect = usbvideo_Disconnect;
32543 + *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
32544 if (cams->cb.startDataPump == NULL)
32545 - cams->cb.startDataPump = usbvideo_StartDataPump;
32546 + *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
32547 if (cams->cb.stopDataPump == NULL)
32548 - cams->cb.stopDataPump = usbvideo_StopDataPump;
32549 + *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
32550
32551 cams->num_cameras = num_cams;
32552 cams->cam = (struct uvd *) &cams[1];
32553 diff -urNp linux-2.6.32.43/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.43/drivers/media/video/usbvision/usbvision-core.c
32554 --- linux-2.6.32.43/drivers/media/video/usbvision/usbvision-core.c 2011-03-27 14:31:47.000000000 -0400
32555 +++ linux-2.6.32.43/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:46:57.000000000 -0400
32556 @@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
32557 unsigned char rv, gv, bv;
32558 static unsigned char *Y, *U, *V;
32559
32560 + pax_track_stack();
32561 +
32562 frame = usbvision->curFrame;
32563 imageSize = frame->frmwidth * frame->frmheight;
32564 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
32565 diff -urNp linux-2.6.32.43/drivers/media/video/v4l2-device.c linux-2.6.32.43/drivers/media/video/v4l2-device.c
32566 --- linux-2.6.32.43/drivers/media/video/v4l2-device.c 2011-03-27 14:31:47.000000000 -0400
32567 +++ linux-2.6.32.43/drivers/media/video/v4l2-device.c 2011-05-04 17:56:28.000000000 -0400
32568 @@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
32569 EXPORT_SYMBOL_GPL(v4l2_device_register);
32570
32571 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
32572 - atomic_t *instance)
32573 + atomic_unchecked_t *instance)
32574 {
32575 - int num = atomic_inc_return(instance) - 1;
32576 + int num = atomic_inc_return_unchecked(instance) - 1;
32577 int len = strlen(basename);
32578
32579 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
32580 diff -urNp linux-2.6.32.43/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.43/drivers/media/video/videobuf-dma-sg.c
32581 --- linux-2.6.32.43/drivers/media/video/videobuf-dma-sg.c 2011-03-27 14:31:47.000000000 -0400
32582 +++ linux-2.6.32.43/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:46:57.000000000 -0400
32583 @@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
32584 {
32585 struct videobuf_queue q;
32586
32587 + pax_track_stack();
32588 +
32589 /* Required to make generic handler to call __videobuf_alloc */
32590 q.int_ops = &sg_ops;
32591
32592 diff -urNp linux-2.6.32.43/drivers/message/fusion/mptbase.c linux-2.6.32.43/drivers/message/fusion/mptbase.c
32593 --- linux-2.6.32.43/drivers/message/fusion/mptbase.c 2011-03-27 14:31:47.000000000 -0400
32594 +++ linux-2.6.32.43/drivers/message/fusion/mptbase.c 2011-04-17 15:56:46.000000000 -0400
32595 @@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
32596 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
32597 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
32598
32599 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32600 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
32601 + NULL, NULL);
32602 +#else
32603 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
32604 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
32605 +#endif
32606 +
32607 /*
32608 * Rounding UP to nearest 4-kB boundary here...
32609 */
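Review bot: Under CONFIG_GRKERNSEC_HIDESYM the added branch passes `NULL` to `%p`, which the kernel's vsprintf may render as `(null)`, so the proc line would read `RequestFrames @ 0x(null) (Dma @ 0x(null))`. This is worth confirming against lib/vsprintf.c for this kernel version. The format string is also duplicated in the `#ifdef` and `#else` arms, so a later edit to one can leave the other behind. A comment above the `#ifdef` such as `/* kernel and DMA addresses are withheld from proc readers */` would state the intent. procmpt_iocinfo_read continues outside the hunk.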
32610 diff -urNp linux-2.6.32.43/drivers/message/fusion/mptsas.c linux-2.6.32.43/drivers/message/fusion/mptsas.c
32611 --- linux-2.6.32.43/drivers/message/fusion/mptsas.c 2011-03-27 14:31:47.000000000 -0400
32612 +++ linux-2.6.32.43/drivers/message/fusion/mptsas.c 2011-04-17 15:56:46.000000000 -0400
32613 @@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
32614 return 0;
32615 }
32616
32617 +static inline void
32618 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
32619 +{
32620 + if (phy_info->port_details) {
32621 + phy_info->port_details->rphy = rphy;
32622 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
32623 + ioc->name, rphy));
32624 + }
32625 +
32626 + if (rphy) {
32627 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
32628 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
32629 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
32630 + ioc->name, rphy, rphy->dev.release));
32631 + }
32632 +}
32633 +
32634 /* no mutex */
32635 static void
32636 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
32637 @@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
32638 return NULL;
32639 }
32640
32641 -static inline void
32642 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
32643 -{
32644 - if (phy_info->port_details) {
32645 - phy_info->port_details->rphy = rphy;
32646 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
32647 - ioc->name, rphy));
32648 - }
32649 -
32650 - if (rphy) {
32651 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
32652 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
32653 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
32654 - ioc->name, rphy, rphy->dev.release));
32655 - }
32656 -}
32657 -
32658 static inline struct sas_port *
32659 mptsas_get_port(struct mptsas_phyinfo *phy_info)
32660 {
32661 diff -urNp linux-2.6.32.43/drivers/message/fusion/mptscsih.c linux-2.6.32.43/drivers/message/fusion/mptscsih.c
32662 --- linux-2.6.32.43/drivers/message/fusion/mptscsih.c 2011-03-27 14:31:47.000000000 -0400
32663 +++ linux-2.6.32.43/drivers/message/fusion/mptscsih.c 2011-04-17 15:56:46.000000000 -0400
32664 @@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
32665
32666 h = shost_priv(SChost);
32667
32668 - if (h) {
32669 - if (h->info_kbuf == NULL)
32670 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
32671 - return h->info_kbuf;
32672 - h->info_kbuf[0] = '\0';
32673 + if (!h)
32674 + return NULL;
32675
32676 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
32677 - h->info_kbuf[size-1] = '\0';
32678 - }
32679 + if (h->info_kbuf == NULL)
32680 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
32681 + return h->info_kbuf;
32682 + h->info_kbuf[0] = '\0';
32683 +
32684 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
32685 + h->info_kbuf[size-1] = '\0';
32686
32687 return h->info_kbuf;
32688 }
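Review bot: `h->info_kbuf[size-1] = '\0';` still indexes with a `size` that `mpt_print_ioc_summary()` writes and that is not checked here. If `size` can come back as 0 the store lands one byte before the buffer, and nothing in the hunk bounds it to the 0x1000 allocation either. The declaration of `size` and the helper are outside the hunk, so this needs confirming, but a guard such as `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';` would make the invariant explicit. Separately, the nested unbraced `if` would be clearer with braces, and the allocation-failure path would read better as `return NULL;` than `return h->info_kbuf;`.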
32689 diff -urNp linux-2.6.32.43/drivers/message/i2o/i2o_config.c linux-2.6.32.43/drivers/message/i2o/i2o_config.c
32690 --- linux-2.6.32.43/drivers/message/i2o/i2o_config.c 2011-03-27 14:31:47.000000000 -0400
32691 +++ linux-2.6.32.43/drivers/message/i2o/i2o_config.c 2011-05-16 21:46:57.000000000 -0400
32692 @@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
32693 struct i2o_message *msg;
32694 unsigned int iop;
32695
32696 + pax_track_stack();
32697 +
32698 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
32699 return -EFAULT;
32700
32701 diff -urNp linux-2.6.32.43/drivers/message/i2o/i2o_proc.c linux-2.6.32.43/drivers/message/i2o/i2o_proc.c
32702 --- linux-2.6.32.43/drivers/message/i2o/i2o_proc.c 2011-03-27 14:31:47.000000000 -0400
32703 +++ linux-2.6.32.43/drivers/message/i2o/i2o_proc.c 2011-04-17 15:56:46.000000000 -0400
32704 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
32705 "Array Controller Device"
32706 };
32707
32708 -static char *chtostr(u8 * chars, int n)
32709 -{
32710 - char tmp[256];
32711 - tmp[0] = 0;
32712 - return strncat(tmp, (char *)chars, n);
32713 -}
32714 -
32715 static int i2o_report_query_status(struct seq_file *seq, int block_status,
32716 char *group)
32717 {
32718 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
32719
32720 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
32721 seq_printf(seq, "%-#8x", ddm_table.module_id);
32722 - seq_printf(seq, "%-29s",
32723 - chtostr(ddm_table.module_name_version, 28));
32724 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
32725 seq_printf(seq, "%9d ", ddm_table.data_size);
32726 seq_printf(seq, "%8d", ddm_table.code_size);
32727
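Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the field width, so the module name is no longer padded to 29 columns and the `data_size` and `code_size` columns after it will shift with the length of the name. Keeping both width and precision, as in `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`, preserves the table layout while still bounding the read to 28 bytes. The i2o_seq_show_drivers_stored hunk has the same issue: `"%-.28s"` and `"%-.8s"` (previously `"%-29s"` and `"%-9s"`) would become `"%-29.28s"` and `"%-9.8s"`. Both functions continue outside their hunks.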
32728 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
32729
32730 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
32731 seq_printf(seq, "%-#8x", dst->module_id);
32732 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
32733 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
32734 + seq_printf(seq, "%-.28s", dst->module_name_version);
32735 + seq_printf(seq, "%-.8s", dst->date);
32736 seq_printf(seq, "%8d ", dst->module_size);
32737 seq_printf(seq, "%8d ", dst->mpb_size);
32738 seq_printf(seq, "0x%04x", dst->module_flags);
32739 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
32740 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
32741 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
32742 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
32743 - seq_printf(seq, "Vendor info : %s\n",
32744 - chtostr((u8 *) (work32 + 2), 16));
32745 - seq_printf(seq, "Product info : %s\n",
32746 - chtostr((u8 *) (work32 + 6), 16));
32747 - seq_printf(seq, "Description : %s\n",
32748 - chtostr((u8 *) (work32 + 10), 16));
32749 - seq_printf(seq, "Product rev. : %s\n",
32750 - chtostr((u8 *) (work32 + 14), 8));
32751 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
32752 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
32753 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
32754 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
32755
32756 seq_printf(seq, "Serial number : ");
32757 print_serial_number(seq, (u8 *) (work32 + 16),
32758 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
32759 }
32760
32761 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
32762 - seq_printf(seq, "Module name : %s\n",
32763 - chtostr(result.module_name, 24));
32764 - seq_printf(seq, "Module revision : %s\n",
32765 - chtostr(result.module_rev, 8));
32766 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
32767 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
32768
32769 seq_printf(seq, "Serial number : ");
32770 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
32771 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
32772 return 0;
32773 }
32774
32775 - seq_printf(seq, "Device name : %s\n",
32776 - chtostr(result.device_name, 64));
32777 - seq_printf(seq, "Service name : %s\n",
32778 - chtostr(result.service_name, 64));
32779 - seq_printf(seq, "Physical name : %s\n",
32780 - chtostr(result.physical_location, 64));
32781 - seq_printf(seq, "Instance number : %s\n",
32782 - chtostr(result.instance_number, 4));
32783 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
32784 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
32785 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
32786 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
32787
32788 return 0;
32789 }
32790 diff -urNp linux-2.6.32.43/drivers/message/i2o/iop.c linux-2.6.32.43/drivers/message/i2o/iop.c
32791 --- linux-2.6.32.43/drivers/message/i2o/iop.c 2011-03-27 14:31:47.000000000 -0400
32792 +++ linux-2.6.32.43/drivers/message/i2o/iop.c 2011-05-04 17:56:28.000000000 -0400
32793 @@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
32794
32795 spin_lock_irqsave(&c->context_list_lock, flags);
32796
32797 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
32798 - atomic_inc(&c->context_list_counter);
32799 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
32800 + atomic_inc_unchecked(&c->context_list_counter);
32801
32802 - entry->context = atomic_read(&c->context_list_counter);
32803 + entry->context = atomic_read_unchecked(&c->context_list_counter);
32804
32805 list_add(&entry->list, &c->context_list);
32806
32807 @@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
32808
32809 #if BITS_PER_LONG == 64
32810 spin_lock_init(&c->context_list_lock);
32811 - atomic_set(&c->context_list_counter, 0);
32812 + atomic_set_unchecked(&c->context_list_counter, 0);
32813 INIT_LIST_HEAD(&c->context_list);
32814 #endif
32815
32816 diff -urNp linux-2.6.32.43/drivers/mfd/wm8350-i2c.c linux-2.6.32.43/drivers/mfd/wm8350-i2c.c
32817 --- linux-2.6.32.43/drivers/mfd/wm8350-i2c.c 2011-03-27 14:31:47.000000000 -0400
32818 +++ linux-2.6.32.43/drivers/mfd/wm8350-i2c.c 2011-05-16 21:46:57.000000000 -0400
32819 @@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
32820 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
32821 int ret;
32822
32823 + pax_track_stack();
32824 +
32825 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
32826 return -EINVAL;
32827
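Review bot: The bound `if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))` accepts `bytes` equal to the full size of `msg`, and a negative `bytes` passes it too if the parameter is signed. If the rest of the function, which is outside this hunk, puts a register byte in `msg[0]` and copies `bytes` bytes after it, the largest accepted value would write one byte past the array. In that case the check should be `if (bytes < 0 || bytes > (WM8350_MAX_REGISTER << 1)) return -EINVAL;`. This should be confirmed against the copy that follows.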
32828 diff -urNp linux-2.6.32.43/drivers/misc/kgdbts.c linux-2.6.32.43/drivers/misc/kgdbts.c
32829 --- linux-2.6.32.43/drivers/misc/kgdbts.c 2011-03-27 14:31:47.000000000 -0400
32830 +++ linux-2.6.32.43/drivers/misc/kgdbts.c 2011-04-17 15:56:46.000000000 -0400
32831 @@ -118,7 +118,7 @@
32832 } while (0)
32833 #define MAX_CONFIG_LEN 40
32834
32835 -static struct kgdb_io kgdbts_io_ops;
32836 +static const struct kgdb_io kgdbts_io_ops;
32837 static char get_buf[BUFMAX];
32838 static int get_buf_cnt;
32839 static char put_buf[BUFMAX];
32840 @@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
32841 module_put(THIS_MODULE);
32842 }
32843
32844 -static struct kgdb_io kgdbts_io_ops = {
32845 +static const struct kgdb_io kgdbts_io_ops = {
32846 .name = "kgdbts",
32847 .read_char = kgdbts_get_char,
32848 .write_char = kgdbts_put_char,
32849 diff -urNp linux-2.6.32.43/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.43/drivers/misc/sgi-gru/gruhandles.c
32850 --- linux-2.6.32.43/drivers/misc/sgi-gru/gruhandles.c 2011-03-27 14:31:47.000000000 -0400
32851 +++ linux-2.6.32.43/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:56:46.000000000 -0400
32852 @@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
32853
32854 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
32855 {
32856 - atomic_long_inc(&mcs_op_statistics[op].count);
32857 - atomic_long_add(clks, &mcs_op_statistics[op].total);
32858 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
32859 + atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
32860 if (mcs_op_statistics[op].max < clks)
32861 mcs_op_statistics[op].max = clks;
32862 }
32863 diff -urNp linux-2.6.32.43/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.43/drivers/misc/sgi-gru/gruprocfs.c
32864 --- linux-2.6.32.43/drivers/misc/sgi-gru/gruprocfs.c 2011-03-27 14:31:47.000000000 -0400
32865 +++ linux-2.6.32.43/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:56:46.000000000 -0400
32866 @@ -32,9 +32,9 @@
32867
32868 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
32869
32870 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
32871 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
32872 {
32873 - unsigned long val = atomic_long_read(v);
32874 + unsigned long val = atomic_long_read_unchecked(v);
32875
32876 if (val)
32877 seq_printf(s, "%16lu %s\n", val, id);
32878 @@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
32879 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
32880
32881 for (op = 0; op < mcsop_last; op++) {
32882 - count = atomic_long_read(&mcs_op_statistics[op].count);
32883 - total = atomic_long_read(&mcs_op_statistics[op].total);
32884 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
32885 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
32886 max = mcs_op_statistics[op].max;
32887 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
32888 count ? total / count : 0, max);
32889 diff -urNp linux-2.6.32.43/drivers/misc/sgi-gru/grutables.h linux-2.6.32.43/drivers/misc/sgi-gru/grutables.h
32890 --- linux-2.6.32.43/drivers/misc/sgi-gru/grutables.h 2011-03-27 14:31:47.000000000 -0400
32891 +++ linux-2.6.32.43/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:56:46.000000000 -0400
32892 @@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
32893 * GRU statistics.
32894 */
32895 struct gru_stats_s {
32896 - atomic_long_t vdata_alloc;
32897 - atomic_long_t vdata_free;
32898 - atomic_long_t gts_alloc;
32899 - atomic_long_t gts_free;
32900 - atomic_long_t vdata_double_alloc;
32901 - atomic_long_t gts_double_allocate;
32902 - atomic_long_t assign_context;
32903 - atomic_long_t assign_context_failed;
32904 - atomic_long_t free_context;
32905 - atomic_long_t load_user_context;
32906 - atomic_long_t load_kernel_context;
32907 - atomic_long_t lock_kernel_context;
32908 - atomic_long_t unlock_kernel_context;
32909 - atomic_long_t steal_user_context;
32910 - atomic_long_t steal_kernel_context;
32911 - atomic_long_t steal_context_failed;
32912 - atomic_long_t nopfn;
32913 - atomic_long_t break_cow;
32914 - atomic_long_t asid_new;
32915 - atomic_long_t asid_next;
32916 - atomic_long_t asid_wrap;
32917 - atomic_long_t asid_reuse;
32918 - atomic_long_t intr;
32919 - atomic_long_t intr_mm_lock_failed;
32920 - atomic_long_t call_os;
32921 - atomic_long_t call_os_offnode_reference;
32922 - atomic_long_t call_os_check_for_bug;
32923 - atomic_long_t call_os_wait_queue;
32924 - atomic_long_t user_flush_tlb;
32925 - atomic_long_t user_unload_context;
32926 - atomic_long_t user_exception;
32927 - atomic_long_t set_context_option;
32928 - atomic_long_t migrate_check;
32929 - atomic_long_t migrated_retarget;
32930 - atomic_long_t migrated_unload;
32931 - atomic_long_t migrated_unload_delay;
32932 - atomic_long_t migrated_nopfn_retarget;
32933 - atomic_long_t migrated_nopfn_unload;
32934 - atomic_long_t tlb_dropin;
32935 - atomic_long_t tlb_dropin_fail_no_asid;
32936 - atomic_long_t tlb_dropin_fail_upm;
32937 - atomic_long_t tlb_dropin_fail_invalid;
32938 - atomic_long_t tlb_dropin_fail_range_active;
32939 - atomic_long_t tlb_dropin_fail_idle;
32940 - atomic_long_t tlb_dropin_fail_fmm;
32941 - atomic_long_t tlb_dropin_fail_no_exception;
32942 - atomic_long_t tlb_dropin_fail_no_exception_war;
32943 - atomic_long_t tfh_stale_on_fault;
32944 - atomic_long_t mmu_invalidate_range;
32945 - atomic_long_t mmu_invalidate_page;
32946 - atomic_long_t mmu_clear_flush_young;
32947 - atomic_long_t flush_tlb;
32948 - atomic_long_t flush_tlb_gru;
32949 - atomic_long_t flush_tlb_gru_tgh;
32950 - atomic_long_t flush_tlb_gru_zero_asid;
32951 -
32952 - atomic_long_t copy_gpa;
32953 -
32954 - atomic_long_t mesq_receive;
32955 - atomic_long_t mesq_receive_none;
32956 - atomic_long_t mesq_send;
32957 - atomic_long_t mesq_send_failed;
32958 - atomic_long_t mesq_noop;
32959 - atomic_long_t mesq_send_unexpected_error;
32960 - atomic_long_t mesq_send_lb_overflow;
32961 - atomic_long_t mesq_send_qlimit_reached;
32962 - atomic_long_t mesq_send_amo_nacked;
32963 - atomic_long_t mesq_send_put_nacked;
32964 - atomic_long_t mesq_qf_not_full;
32965 - atomic_long_t mesq_qf_locked;
32966 - atomic_long_t mesq_qf_noop_not_full;
32967 - atomic_long_t mesq_qf_switch_head_failed;
32968 - atomic_long_t mesq_qf_unexpected_error;
32969 - atomic_long_t mesq_noop_unexpected_error;
32970 - atomic_long_t mesq_noop_lb_overflow;
32971 - atomic_long_t mesq_noop_qlimit_reached;
32972 - atomic_long_t mesq_noop_amo_nacked;
32973 - atomic_long_t mesq_noop_put_nacked;
32974 + atomic_long_unchecked_t vdata_alloc;
32975 + atomic_long_unchecked_t vdata_free;
32976 + atomic_long_unchecked_t gts_alloc;
32977 + atomic_long_unchecked_t gts_free;
32978 + atomic_long_unchecked_t vdata_double_alloc;
32979 + atomic_long_unchecked_t gts_double_allocate;
32980 + atomic_long_unchecked_t assign_context;
32981 + atomic_long_unchecked_t assign_context_failed;
32982 + atomic_long_unchecked_t free_context;
32983 + atomic_long_unchecked_t load_user_context;
32984 + atomic_long_unchecked_t load_kernel_context;
32985 + atomic_long_unchecked_t lock_kernel_context;
32986 + atomic_long_unchecked_t unlock_kernel_context;
32987 + atomic_long_unchecked_t steal_user_context;
32988 + atomic_long_unchecked_t steal_kernel_context;
32989 + atomic_long_unchecked_t steal_context_failed;
32990 + atomic_long_unchecked_t nopfn;
32991 + atomic_long_unchecked_t break_cow;
32992 + atomic_long_unchecked_t asid_new;
32993 + atomic_long_unchecked_t asid_next;
32994 + atomic_long_unchecked_t asid_wrap;
32995 + atomic_long_unchecked_t asid_reuse;
32996 + atomic_long_unchecked_t intr;
32997 + atomic_long_unchecked_t intr_mm_lock_failed;
32998 + atomic_long_unchecked_t call_os;
32999 + atomic_long_unchecked_t call_os_offnode_reference;
33000 + atomic_long_unchecked_t call_os_check_for_bug;
33001 + atomic_long_unchecked_t call_os_wait_queue;
33002 + atomic_long_unchecked_t user_flush_tlb;
33003 + atomic_long_unchecked_t user_unload_context;
33004 + atomic_long_unchecked_t user_exception;
33005 + atomic_long_unchecked_t set_context_option;
33006 + atomic_long_unchecked_t migrate_check;
33007 + atomic_long_unchecked_t migrated_retarget;
33008 + atomic_long_unchecked_t migrated_unload;
33009 + atomic_long_unchecked_t migrated_unload_delay;
33010 + atomic_long_unchecked_t migrated_nopfn_retarget;
33011 + atomic_long_unchecked_t migrated_nopfn_unload;
33012 + atomic_long_unchecked_t tlb_dropin;
33013 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
33014 + atomic_long_unchecked_t tlb_dropin_fail_upm;
33015 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
33016 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
33017 + atomic_long_unchecked_t tlb_dropin_fail_idle;
33018 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
33019 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
33020 + atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
33021 + atomic_long_unchecked_t tfh_stale_on_fault;
33022 + atomic_long_unchecked_t mmu_invalidate_range;
33023 + atomic_long_unchecked_t mmu_invalidate_page;
33024 + atomic_long_unchecked_t mmu_clear_flush_young;
33025 + atomic_long_unchecked_t flush_tlb;
33026 + atomic_long_unchecked_t flush_tlb_gru;
33027 + atomic_long_unchecked_t flush_tlb_gru_tgh;
33028 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
33029 +
33030 + atomic_long_unchecked_t copy_gpa;
33031 +
33032 + atomic_long_unchecked_t mesq_receive;
33033 + atomic_long_unchecked_t mesq_receive_none;
33034 + atomic_long_unchecked_t mesq_send;
33035 + atomic_long_unchecked_t mesq_send_failed;
33036 + atomic_long_unchecked_t mesq_noop;
33037 + atomic_long_unchecked_t mesq_send_unexpected_error;
33038 + atomic_long_unchecked_t mesq_send_lb_overflow;
33039 + atomic_long_unchecked_t mesq_send_qlimit_reached;
33040 + atomic_long_unchecked_t mesq_send_amo_nacked;
33041 + atomic_long_unchecked_t mesq_send_put_nacked;
33042 + atomic_long_unchecked_t mesq_qf_not_full;
33043 + atomic_long_unchecked_t mesq_qf_locked;
33044 + atomic_long_unchecked_t mesq_qf_noop_not_full;
33045 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
33046 + atomic_long_unchecked_t mesq_qf_unexpected_error;
33047 + atomic_long_unchecked_t mesq_noop_unexpected_error;
33048 + atomic_long_unchecked_t mesq_noop_lb_overflow;
33049 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
33050 + atomic_long_unchecked_t mesq_noop_amo_nacked;
33051 + atomic_long_unchecked_t mesq_noop_put_nacked;
33052
33053 };
33054
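Review bot: Nothing in `struct gru_stats_s` says why every member is now `atomic_long_unchecked_t`, so a later reader cannot tell that these fields were deliberately taken out of overflow checking. The `STAT(id)` macro further down only increments them when `OPT_STATS` is set, which suggests they are pure event counters where wrap-around is harmless. I would state that above the struct, e.g. `/* Statistics only: counters may wrap; never use one as a reference count. */`, and the same applies to `count` and `total` in `struct mcs_op_statistic`. Code that reads these fields outside this header presumably has to move to the matching `_unchecked` accessors as well.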
33055 @@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
33056 cchop_deallocate, tghop_invalidate, mcsop_last};
33057
33058 struct mcs_op_statistic {
33059 - atomic_long_t count;
33060 - atomic_long_t total;
33061 + atomic_long_unchecked_t count;
33062 + atomic_long_unchecked_t total;
33063 unsigned long max;
33064 };
33065
33066 @@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
33067
33068 #define STAT(id) do { \
33069 if (gru_options & OPT_STATS) \
33070 - atomic_long_inc(&gru_stats.id); \
33071 + atomic_long_inc_unchecked(&gru_stats.id); \
33072 } while (0)
33073
33074 #ifdef CONFIG_SGI_GRU_DEBUG
33075 diff -urNp linux-2.6.32.43/drivers/misc/sgi-xp/xpc.h linux-2.6.32.43/drivers/misc/sgi-xp/xpc.h
33076 --- linux-2.6.32.43/drivers/misc/sgi-xp/xpc.h 2011-03-27 14:31:47.000000000 -0400
33077 +++ linux-2.6.32.43/drivers/misc/sgi-xp/xpc.h 2011-08-05 20:33:55.000000000 -0400
33078 @@ -876,7 +876,7 @@ extern struct xpc_registration xpc_regis
33079 /* found in xpc_main.c */
33080 extern struct device *xpc_part;
33081 extern struct device *xpc_chan;
33082 -extern struct xpc_arch_operations xpc_arch_ops;
33083 +extern const struct xpc_arch_operations xpc_arch_ops;
33084 extern int xpc_disengage_timelimit;
33085 extern int xpc_disengage_timedout;
33086 extern int xpc_activate_IRQ_rcvd;
33087 diff -urNp linux-2.6.32.43/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.43/drivers/misc/sgi-xp/xpc_main.c
33088 --- linux-2.6.32.43/drivers/misc/sgi-xp/xpc_main.c 2011-03-27 14:31:47.000000000 -0400
33089 +++ linux-2.6.32.43/drivers/misc/sgi-xp/xpc_main.c 2011-08-05 20:33:55.000000000 -0400
33090 @@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
33091 .notifier_call = xpc_system_die,
33092 };
33093
33094 -struct xpc_arch_operations xpc_arch_ops;
33095 +const struct xpc_arch_operations xpc_arch_ops;
33096
33097 /*
33098 * Timer function to enforce the timelimit on the partition disengage.
33099 diff -urNp linux-2.6.32.43/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.43/drivers/misc/sgi-xp/xpc_sn2.c
33100 --- linux-2.6.32.43/drivers/misc/sgi-xp/xpc_sn2.c 2011-03-27 14:31:47.000000000 -0400
33101 +++ linux-2.6.32.43/drivers/misc/sgi-xp/xpc_sn2.c 2011-08-05 20:33:55.000000000 -0400
33102 @@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
33103 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
33104 }
33105
33106 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
33107 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
33108 .setup_partitions = xpc_setup_partitions_sn2,
33109 .teardown_partitions = xpc_teardown_partitions_sn2,
33110 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
33111 @@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
33112 int ret;
33113 size_t buf_size;
33114
33115 - xpc_arch_ops = xpc_arch_ops_sn2;
33116 + pax_open_kernel();
33117 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
33118 + pax_close_kernel();
33119
33120 if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
33121 dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
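Review bot: The `memcpy()` in `xpc_init_sn2()` writes through a cast into `xpc_arch_ops`, which xpc_main.c now defines as `const`; modifying an object defined `const` is undefined behaviour in C, so the compiler may assume its members never change from their initial zero values. Whether that matters depends on how the definition is emitted, so the write deserves a comment stating that the object is intentionally written once at init between `pax_open_kernel()` and `pax_close_kernel()`. I would also size the copy by the destination, `memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops));`, so the bound stays correct if the two declarations ever diverge. `xpc_init_uv()` in xpc_uv.c has the same pattern, and both functions continue outside their hunks.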
33122 diff -urNp linux-2.6.32.43/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.43/drivers/misc/sgi-xp/xpc_uv.c
33123 --- linux-2.6.32.43/drivers/misc/sgi-xp/xpc_uv.c 2011-03-27 14:31:47.000000000 -0400
33124 +++ linux-2.6.32.43/drivers/misc/sgi-xp/xpc_uv.c 2011-08-05 20:33:55.000000000 -0400
33125 @@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
33126 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
33127 }
33128
33129 -static struct xpc_arch_operations xpc_arch_ops_uv = {
33130 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
33131 .setup_partitions = xpc_setup_partitions_uv,
33132 .teardown_partitions = xpc_teardown_partitions_uv,
33133 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
33134 @@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
33135 int
33136 xpc_init_uv(void)
33137 {
33138 - xpc_arch_ops = xpc_arch_ops_uv;
33139 + pax_open_kernel();
33140 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
33141 + pax_close_kernel();
33142
33143 if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
33144 dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
33145 diff -urNp linux-2.6.32.43/drivers/misc/sgi-xp/xp.h linux-2.6.32.43/drivers/misc/sgi-xp/xp.h
33146 --- linux-2.6.32.43/drivers/misc/sgi-xp/xp.h 2011-03-27 14:31:47.000000000 -0400
33147 +++ linux-2.6.32.43/drivers/misc/sgi-xp/xp.h 2011-08-05 20:33:55.000000000 -0400
33148 @@ -289,7 +289,7 @@ struct xpc_interface {
33149 xpc_notify_func, void *);
33150 void (*received) (short, int, void *);
33151 enum xp_retval (*partid_to_nasids) (short, void *);
33152 -};
33153 +} __no_const;
33154
33155 extern struct xpc_interface xpc_interface;
33156
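Review bot: `__no_const` on `struct xpc_interface` has no explanation, and it is the one annotation here that leaves a table of function pointers writable. A short comment such as `/* members are assigned at run time, so this cannot be constified */` would tell a reviewer the exemption is deliberate; that is presumably the reason, given the non-const `extern struct xpc_interface xpc_interface;` just below. `struct l2t_skb_cb` in drivers/net/cxgb3/l2t.h gets the same annotation and the same remark applies.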
33157 diff -urNp linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0001.c
33158 --- linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-27 14:31:47.000000000 -0400
33159 +++ linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:46:57.000000000 -0400
33160 @@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
33161 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
33162 unsigned long timeo = jiffies + HZ;
33163
33164 + pax_track_stack();
33165 +
33166 /* Prevent setting state FL_SYNCING for chip in suspended state. */
33167 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
33168 goto sleep;
33169 @@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
33170 unsigned long initial_adr;
33171 int initial_len = len;
33172
33173 + pax_track_stack();
33174 +
33175 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
33176 adr += chip->start;
33177 initial_adr = adr;
33178 @@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
33179 int retries = 3;
33180 int ret;
33181
33182 + pax_track_stack();
33183 +
33184 adr += chip->start;
33185
33186 retry:
33187 diff -urNp linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0020.c
33188 --- linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-27 14:31:47.000000000 -0400
33189 +++ linux-2.6.32.43/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:46:57.000000000 -0400
33190 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
33191 unsigned long cmd_addr;
33192 struct cfi_private *cfi = map->fldrv_priv;
33193
33194 + pax_track_stack();
33195 +
33196 adr += chip->start;
33197
33198 /* Ensure cmd read/writes are aligned. */
33199 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
33200 DECLARE_WAITQUEUE(wait, current);
33201 int wbufsize, z;
33202
33203 + pax_track_stack();
33204 +
33205 /* M58LW064A requires bus alignment for buffer wriets -- saw */
33206 if (adr & (map_bankwidth(map)-1))
33207 return -EINVAL;
33208 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
33209 DECLARE_WAITQUEUE(wait, current);
33210 int ret = 0;
33211
33212 + pax_track_stack();
33213 +
33214 adr += chip->start;
33215
33216 /* Let's determine this according to the interleave only once */
33217 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
33218 unsigned long timeo = jiffies + HZ;
33219 DECLARE_WAITQUEUE(wait, current);
33220
33221 + pax_track_stack();
33222 +
33223 adr += chip->start;
33224
33225 /* Let's determine this according to the interleave only once */
33226 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
33227 unsigned long timeo = jiffies + HZ;
33228 DECLARE_WAITQUEUE(wait, current);
33229
33230 + pax_track_stack();
33231 +
33232 adr += chip->start;
33233
33234 /* Let's determine this according to the interleave only once */
33235 diff -urNp linux-2.6.32.43/drivers/mtd/devices/doc2000.c linux-2.6.32.43/drivers/mtd/devices/doc2000.c
33236 --- linux-2.6.32.43/drivers/mtd/devices/doc2000.c 2011-03-27 14:31:47.000000000 -0400
33237 +++ linux-2.6.32.43/drivers/mtd/devices/doc2000.c 2011-04-17 15:56:46.000000000 -0400
33238 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
33239
33240 /* The ECC will not be calculated correctly if less than 512 is written */
33241 /* DBB-
33242 - if (len != 0x200 && eccbuf)
33243 + if (len != 0x200)
33244 printk(KERN_WARNING
33245 "ECC needs a full sector write (adr: %lx size %lx)\n",
33246 (long) to, (long) len);
33247 diff -urNp linux-2.6.32.43/drivers/mtd/devices/doc2001.c linux-2.6.32.43/drivers/mtd/devices/doc2001.c
33248 --- linux-2.6.32.43/drivers/mtd/devices/doc2001.c 2011-03-27 14:31:47.000000000 -0400
33249 +++ linux-2.6.32.43/drivers/mtd/devices/doc2001.c 2011-04-17 15:56:46.000000000 -0400
33250 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
33251 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
33252
33253 /* Don't allow read past end of device */
33254 - if (from >= this->totlen)
33255 + if (from >= this->totlen || !len)
33256 return -EINVAL;
33257
33258 /* Don't allow a single read to cross a 512-byte block boundary */
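Review bot: The comment above the check still reads `/* Don't allow read past end of device */`, but the condition now also rejects `len == 0` with `-EINVAL`. That changes behaviour for callers that issue empty reads and may expect success with nothing read, so the reason should be written down, e.g. `/* Don't allow read past end of device; reject empty reads */`. If the intent is to protect the length arithmetic further down in `doc_read()`, which is outside this hunk, the comment should say so.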
33259 diff -urNp linux-2.6.32.43/drivers/mtd/ftl.c linux-2.6.32.43/drivers/mtd/ftl.c
33260 --- linux-2.6.32.43/drivers/mtd/ftl.c 2011-03-27 14:31:47.000000000 -0400
33261 +++ linux-2.6.32.43/drivers/mtd/ftl.c 2011-05-16 21:46:57.000000000 -0400
33262 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
33263 loff_t offset;
33264 uint16_t srcunitswap = cpu_to_le16(srcunit);
33265
33266 + pax_track_stack();
33267 +
33268 eun = &part->EUNInfo[srcunit];
33269 xfer = &part->XferInfo[xferunit];
33270 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
33271 diff -urNp linux-2.6.32.43/drivers/mtd/inftlcore.c linux-2.6.32.43/drivers/mtd/inftlcore.c
33272 --- linux-2.6.32.43/drivers/mtd/inftlcore.c 2011-03-27 14:31:47.000000000 -0400
33273 +++ linux-2.6.32.43/drivers/mtd/inftlcore.c 2011-05-16 21:46:57.000000000 -0400
33274 @@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
33275 struct inftl_oob oob;
33276 size_t retlen;
33277
33278 + pax_track_stack();
33279 +
33280 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
33281 "pending=%d)\n", inftl, thisVUC, pendingblock);
33282
33283 diff -urNp linux-2.6.32.43/drivers/mtd/inftlmount.c linux-2.6.32.43/drivers/mtd/inftlmount.c
33284 --- linux-2.6.32.43/drivers/mtd/inftlmount.c 2011-03-27 14:31:47.000000000 -0400
33285 +++ linux-2.6.32.43/drivers/mtd/inftlmount.c 2011-05-16 21:46:57.000000000 -0400
33286 @@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
33287 struct INFTLPartition *ip;
33288 size_t retlen;
33289
33290 + pax_track_stack();
33291 +
33292 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
33293
33294 /*
33295 diff -urNp linux-2.6.32.43/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.43/drivers/mtd/lpddr/qinfo_probe.c
33296 --- linux-2.6.32.43/drivers/mtd/lpddr/qinfo_probe.c 2011-03-27 14:31:47.000000000 -0400
33297 +++ linux-2.6.32.43/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:46:57.000000000 -0400
33298 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
33299 {
33300 map_word pfow_val[4];
33301
33302 + pax_track_stack();
33303 +
33304 /* Check identification string */
33305 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
33306 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
33307 diff -urNp linux-2.6.32.43/drivers/mtd/mtdchar.c linux-2.6.32.43/drivers/mtd/mtdchar.c
33308 --- linux-2.6.32.43/drivers/mtd/mtdchar.c 2011-03-27 14:31:47.000000000 -0400
33309 +++ linux-2.6.32.43/drivers/mtd/mtdchar.c 2011-05-16 21:46:57.000000000 -0400
33310 @@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
33311 u_long size;
33312 struct mtd_info_user info;
33313
33314 + pax_track_stack();
33315 +
33316 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
33317
33318 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
33319 diff -urNp linux-2.6.32.43/drivers/mtd/nftlcore.c linux-2.6.32.43/drivers/mtd/nftlcore.c
33320 --- linux-2.6.32.43/drivers/mtd/nftlcore.c 2011-03-27 14:31:47.000000000 -0400
33321 +++ linux-2.6.32.43/drivers/mtd/nftlcore.c 2011-05-16 21:46:57.000000000 -0400
33322 @@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
33323 int inplace = 1;
33324 size_t retlen;
33325
33326 + pax_track_stack();
33327 +
33328 memset(BlockMap, 0xff, sizeof(BlockMap));
33329 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
33330
33331 diff -urNp linux-2.6.32.43/drivers/mtd/nftlmount.c linux-2.6.32.43/drivers/mtd/nftlmount.c
33332 --- linux-2.6.32.43/drivers/mtd/nftlmount.c 2011-03-27 14:31:47.000000000 -0400
33333 +++ linux-2.6.32.43/drivers/mtd/nftlmount.c 2011-05-18 20:09:37.000000000 -0400
33334 @@ -23,6 +23,7 @@
33335 #include <asm/errno.h>
33336 #include <linux/delay.h>
33337 #include <linux/slab.h>
33338 +#include <linux/sched.h>
33339 #include <linux/mtd/mtd.h>
33340 #include <linux/mtd/nand.h>
33341 #include <linux/mtd/nftl.h>
33342 @@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
33343 struct mtd_info *mtd = nftl->mbd.mtd;
33344 unsigned int i;
33345
33346 + pax_track_stack();
33347 +
33348 /* Assume logical EraseSize == physical erasesize for starting the scan.
33349 We'll sort it out later if we find a MediaHeader which says otherwise */
33350 /* Actually, we won't. The new DiskOnChip driver has already scanned
33351 diff -urNp linux-2.6.32.43/drivers/mtd/ubi/build.c linux-2.6.32.43/drivers/mtd/ubi/build.c
33352 --- linux-2.6.32.43/drivers/mtd/ubi/build.c 2011-03-27 14:31:47.000000000 -0400
33353 +++ linux-2.6.32.43/drivers/mtd/ubi/build.c 2011-04-17 15:56:46.000000000 -0400
33354 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
33355 static int __init bytes_str_to_int(const char *str)
33356 {
33357 char *endp;
33358 - unsigned long result;
33359 + unsigned long result, scale = 1;
33360
33361 result = simple_strtoul(str, &endp, 0);
33362 if (str == endp || result >= INT_MAX) {
33363 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
33364
33365 switch (*endp) {
33366 case 'G':
33367 - result *= 1024;
33368 + scale *= 1024;
33369 case 'M':
33370 - result *= 1024;
33371 + scale *= 1024;
33372 case 'K':
33373 - result *= 1024;
33374 + scale *= 1024;
33375 if (endp[1] == 'i' && endp[2] == 'B')
33376 endp += 2;
33377 case '\0':
33378 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
33379 return -EINVAL;
33380 }
33381
33382 - return result;
33383 + if ((intoverflow_t)result*scale >= INT_MAX) {
33384 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
33385 + str);
33386 + return -EINVAL;
33387 + }
33388 +
33389 + return result*scale;
33390 }
33391
33392 /**
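Review bot: The guard evaluates `result*scale` in `intoverflow_t`, but the `return` recomputes it in `unsigned long`; the two agree only because the guard has just bounded the product below `INT_MAX`. Computing it once is easier to audit: `intoverflow_t bytes = (intoverflow_t)result * scale;`, then `if (bytes >= INT_MAX)` and `return (int)bytes;`. A one-line comment that `scale` exists so the multiplication cannot wrap before it is range-checked would also keep someone from folding it back into `result`.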
33393 diff -urNp linux-2.6.32.43/drivers/net/bnx2.c linux-2.6.32.43/drivers/net/bnx2.c
33394 --- linux-2.6.32.43/drivers/net/bnx2.c 2011-03-27 14:31:47.000000000 -0400
33395 +++ linux-2.6.32.43/drivers/net/bnx2.c 2011-05-16 21:46:57.000000000 -0400
33396 @@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
33397 int rc = 0;
33398 u32 magic, csum;
33399
33400 + pax_track_stack();
33401 +
33402 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
33403 goto test_nvram_done;
33404
33405 diff -urNp linux-2.6.32.43/drivers/net/cxgb3/l2t.h linux-2.6.32.43/drivers/net/cxgb3/l2t.h
33406 --- linux-2.6.32.43/drivers/net/cxgb3/l2t.h 2011-03-27 14:31:47.000000000 -0400
33407 +++ linux-2.6.32.43/drivers/net/cxgb3/l2t.h 2011-08-05 20:33:55.000000000 -0400
33408 @@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
33409 */
33410 struct l2t_skb_cb {
33411 arp_failure_handler_func arp_failure_handler;
33412 -};
33413 +} __no_const;
33414
33415 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
33416
33417 diff -urNp linux-2.6.32.43/drivers/net/cxgb3/t3_hw.c linux-2.6.32.43/drivers/net/cxgb3/t3_hw.c
33418 --- linux-2.6.32.43/drivers/net/cxgb3/t3_hw.c 2011-03-27 14:31:47.000000000 -0400
33419 +++ linux-2.6.32.43/drivers/net/cxgb3/t3_hw.c 2011-05-16 21:46:57.000000000 -0400
33420 @@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
33421 int i, addr, ret;
33422 struct t3_vpd vpd;
33423
33424 + pax_track_stack();
33425 +
33426 /*
33427 * Card information is normally at VPD_BASE but some early cards had
33428 * it at 0.
33429 diff -urNp linux-2.6.32.43/drivers/net/e1000e/82571.c linux-2.6.32.43/drivers/net/e1000e/82571.c
33430 --- linux-2.6.32.43/drivers/net/e1000e/82571.c 2011-03-27 14:31:47.000000000 -0400
33431 +++ linux-2.6.32.43/drivers/net/e1000e/82571.c 2011-08-05 20:33:55.000000000 -0400
33432 @@ -245,22 +245,22 @@ static s32 e1000_init_mac_params_82571(s
33433 /* check for link */
33434 switch (hw->phy.media_type) {
33435 case e1000_media_type_copper:
33436 - func->setup_physical_interface = e1000_setup_copper_link_82571;
33437 - func->check_for_link = e1000e_check_for_copper_link;
33438 - func->get_link_up_info = e1000e_get_speed_and_duplex_copper;
33439 + *(void **)&func->setup_physical_interface = e1000_setup_copper_link_82571;
33440 + *(void **)&func->check_for_link = e1000e_check_for_copper_link;
33441 + *(void **)&func->get_link_up_info = e1000e_get_speed_and_duplex_copper;
33442 break;
33443 case e1000_media_type_fiber:
33444 - func->setup_physical_interface =
33445 + *(void **)&func->setup_physical_interface =
33446 e1000_setup_fiber_serdes_link_82571;
33447 - func->check_for_link = e1000e_check_for_fiber_link;
33448 - func->get_link_up_info =
33449 + *(void **)&func->check_for_link = e1000e_check_for_fiber_link;
33450 + *(void **)&func->get_link_up_info =
33451 e1000e_get_speed_and_duplex_fiber_serdes;
33452 break;
33453 case e1000_media_type_internal_serdes:
33454 - func->setup_physical_interface =
33455 + *(void **)&func->setup_physical_interface =
33456 e1000_setup_fiber_serdes_link_82571;
33457 - func->check_for_link = e1000_check_for_serdes_link_82571;
33458 - func->get_link_up_info =
33459 + *(void **)&func->check_for_link = e1000_check_for_serdes_link_82571;
33460 + *(void **)&func->get_link_up_info =
33461 e1000e_get_speed_and_duplex_fiber_serdes;
33462 break;
33463 default:
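Review bot: Writing each handler through `*(void **)&func->...` discards the member's function-pointer type, so the compiler no longer checks that, say, `e1000_setup_copper_link_82571` matches the signature of `setup_physical_interface`. A mismatched handler would then be installed silently and later called through the wrong prototype. Assigning to a correctly typed temporary first keeps the check, e.g. `typeof(func->check_for_link) fn = e1000e_check_for_copper_link; *(void **)&func->check_for_link = fn;`, ideally behind one macro with a comment saying why the cast is needed. The same applies to the `check_mng_mode`/`led_on` hunk below and to the assignments in es2lan.c and ich8lan.c; the enclosing function starts and ends outside this hunk.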
33464 @@ -271,12 +271,12 @@ static s32 e1000_init_mac_params_82571(s
33465 switch (hw->mac.type) {
33466 case e1000_82574:
33467 case e1000_82583:
33468 - func->check_mng_mode = e1000_check_mng_mode_82574;
33469 - func->led_on = e1000_led_on_82574;
33470 + *(void **)&func->check_mng_mode = e1000_check_mng_mode_82574;
33471 + *(void **)&func->led_on = e1000_led_on_82574;
33472 break;
33473 default:
33474 - func->check_mng_mode = e1000e_check_mng_mode_generic;
33475 - func->led_on = e1000e_led_on_generic;
33476 + *(void **)&func->check_mng_mode = e1000e_check_mng_mode_generic;
33477 + *(void **)&func->led_on = e1000e_led_on_generic;
33478 break;
33479 }
33480
33481 @@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
33482 temp = er32(ICRXDMTC);
33483 }
33484
33485 -static struct e1000_mac_operations e82571_mac_ops = {
33486 +static const struct e1000_mac_operations e82571_mac_ops = {
33487 /* .check_mng_mode: mac type dependent */
33488 /* .check_for_link: media type dependent */
33489 .id_led_init = e1000e_id_led_init,
33490 @@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
33491 .setup_led = e1000e_setup_led_generic,
33492 };
33493
33494 -static struct e1000_phy_operations e82_phy_ops_igp = {
33495 +static const struct e1000_phy_operations e82_phy_ops_igp = {
33496 .acquire_phy = e1000_get_hw_semaphore_82571,
33497 .check_reset_block = e1000e_check_reset_block_generic,
33498 .commit_phy = NULL,
33499 @@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
33500 .cfg_on_link_up = NULL,
33501 };
33502
33503 -static struct e1000_phy_operations e82_phy_ops_m88 = {
33504 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
33505 .acquire_phy = e1000_get_hw_semaphore_82571,
33506 .check_reset_block = e1000e_check_reset_block_generic,
33507 .commit_phy = e1000e_phy_sw_reset,
33508 @@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
33509 .cfg_on_link_up = NULL,
33510 };
33511
33512 -static struct e1000_phy_operations e82_phy_ops_bm = {
33513 +static const struct e1000_phy_operations e82_phy_ops_bm = {
33514 .acquire_phy = e1000_get_hw_semaphore_82571,
33515 .check_reset_block = e1000e_check_reset_block_generic,
33516 .commit_phy = e1000e_phy_sw_reset,
33517 @@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
33518 .cfg_on_link_up = NULL,
33519 };
33520
33521 -static struct e1000_nvm_operations e82571_nvm_ops = {
33522 +static const struct e1000_nvm_operations e82571_nvm_ops = {
33523 .acquire_nvm = e1000_acquire_nvm_82571,
33524 .read_nvm = e1000e_read_nvm_eerd,
33525 .release_nvm = e1000_release_nvm_82571,
33526 diff -urNp linux-2.6.32.43/drivers/net/e1000e/e1000.h linux-2.6.32.43/drivers/net/e1000e/e1000.h
33527 --- linux-2.6.32.43/drivers/net/e1000e/e1000.h 2011-03-27 14:31:47.000000000 -0400
33528 +++ linux-2.6.32.43/drivers/net/e1000e/e1000.h 2011-04-17 15:56:46.000000000 -0400
33529 @@ -375,9 +375,9 @@ struct e1000_info {
33530 u32 pba;
33531 u32 max_hw_frame_size;
33532 s32 (*get_variants)(struct e1000_adapter *);
33533 - struct e1000_mac_operations *mac_ops;
33534 - struct e1000_phy_operations *phy_ops;
33535 - struct e1000_nvm_operations *nvm_ops;
33536 + const struct e1000_mac_operations *mac_ops;
33537 + const struct e1000_phy_operations *phy_ops;
33538 + const struct e1000_nvm_operations *nvm_ops;
33539 };
33540
33541 /* hardware capability, feature, and workaround flags */
33542 diff -urNp linux-2.6.32.43/drivers/net/e1000e/es2lan.c linux-2.6.32.43/drivers/net/e1000e/es2lan.c
33543 --- linux-2.6.32.43/drivers/net/e1000e/es2lan.c 2011-03-27 14:31:47.000000000 -0400
33544 +++ linux-2.6.32.43/drivers/net/e1000e/es2lan.c 2011-08-05 20:33:55.000000000 -0400
33545 @@ -229,16 +229,16 @@ static s32 e1000_init_mac_params_80003es
33546 /* check for link */
33547 switch (hw->phy.media_type) {
33548 case e1000_media_type_copper:
33549 - func->setup_physical_interface = e1000_setup_copper_link_80003es2lan;
33550 - func->check_for_link = e1000e_check_for_copper_link;
33551 + *(void **)&func->setup_physical_interface = e1000_setup_copper_link_80003es2lan;
33552 + *(void **)&func->check_for_link = e1000e_check_for_copper_link;
33553 break;
33554 case e1000_media_type_fiber:
33555 - func->setup_physical_interface = e1000e_setup_fiber_serdes_link;
33556 - func->check_for_link = e1000e_check_for_fiber_link;
33557 + *(void **)&func->setup_physical_interface = e1000e_setup_fiber_serdes_link;
33558 + *(void **)&func->check_for_link = e1000e_check_for_fiber_link;
33559 break;
33560 case e1000_media_type_internal_serdes:
33561 - func->setup_physical_interface = e1000e_setup_fiber_serdes_link;
33562 - func->check_for_link = e1000e_check_for_serdes_link;
33563 + *(void **)&func->setup_physical_interface = e1000e_setup_fiber_serdes_link;
33564 + *(void **)&func->check_for_link = e1000e_check_for_serdes_link;
33565 break;
33566 default:
33567 return -E1000_ERR_CONFIG;
33568 @@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
33569 temp = er32(ICRXDMTC);
33570 }
33571
33572 -static struct e1000_mac_operations es2_mac_ops = {
33573 +static const struct e1000_mac_operations es2_mac_ops = {
33574 .id_led_init = e1000e_id_led_init,
33575 .check_mng_mode = e1000e_check_mng_mode_generic,
33576 /* check_for_link dependent on media type */
33577 @@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
33578 .setup_led = e1000e_setup_led_generic,
33579 };
33580
33581 -static struct e1000_phy_operations es2_phy_ops = {
33582 +static const struct e1000_phy_operations es2_phy_ops = {
33583 .acquire_phy = e1000_acquire_phy_80003es2lan,
33584 .check_reset_block = e1000e_check_reset_block_generic,
33585 .commit_phy = e1000e_phy_sw_reset,
33586 @@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
33587 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
33588 };
33589
33590 -static struct e1000_nvm_operations es2_nvm_ops = {
33591 +static const struct e1000_nvm_operations es2_nvm_ops = {
33592 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
33593 .read_nvm = e1000e_read_nvm_eerd,
33594 .release_nvm = e1000_release_nvm_80003es2lan,
33595 diff -urNp linux-2.6.32.43/drivers/net/e1000e/hw.h linux-2.6.32.43/drivers/net/e1000e/hw.h
33596 --- linux-2.6.32.43/drivers/net/e1000e/hw.h 2011-03-27 14:31:47.000000000 -0400
33597 +++ linux-2.6.32.43/drivers/net/e1000e/hw.h 2011-04-17 15:56:46.000000000 -0400
33598 @@ -756,34 +756,34 @@ struct e1000_mac_operations {
33599
33600 /* Function pointers for the PHY. */
33601 struct e1000_phy_operations {
33602 - s32 (*acquire_phy)(struct e1000_hw *);
33603 - s32 (*check_polarity)(struct e1000_hw *);
33604 - s32 (*check_reset_block)(struct e1000_hw *);
33605 - s32 (*commit_phy)(struct e1000_hw *);
33606 - s32 (*force_speed_duplex)(struct e1000_hw *);
33607 - s32 (*get_cfg_done)(struct e1000_hw *hw);
33608 - s32 (*get_cable_length)(struct e1000_hw *);
33609 - s32 (*get_phy_info)(struct e1000_hw *);
33610 - s32 (*read_phy_reg)(struct e1000_hw *, u32, u16 *);
33611 - s32 (*read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
33612 - void (*release_phy)(struct e1000_hw *);
33613 - s32 (*reset_phy)(struct e1000_hw *);
33614 - s32 (*set_d0_lplu_state)(struct e1000_hw *, bool);
33615 - s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
33616 - s32 (*write_phy_reg)(struct e1000_hw *, u32, u16);
33617 - s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
33618 - s32 (*cfg_on_link_up)(struct e1000_hw *);
33619 + s32 (* acquire_phy)(struct e1000_hw *);
33620 + s32 (* check_polarity)(struct e1000_hw *);
33621 + s32 (* check_reset_block)(struct e1000_hw *);
33622 + s32 (* commit_phy)(struct e1000_hw *);
33623 + s32 (* force_speed_duplex)(struct e1000_hw *);
33624 + s32 (* get_cfg_done)(struct e1000_hw *hw);
33625 + s32 (* get_cable_length)(struct e1000_hw *);
33626 + s32 (* get_phy_info)(struct e1000_hw *);
33627 + s32 (* read_phy_reg)(struct e1000_hw *, u32, u16 *);
33628 + s32 (* read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
33629 + void (* release_phy)(struct e1000_hw *);
33630 + s32 (* reset_phy)(struct e1000_hw *);
33631 + s32 (* set_d0_lplu_state)(struct e1000_hw *, bool);
33632 + s32 (* set_d3_lplu_state)(struct e1000_hw *, bool);
33633 + s32 (* write_phy_reg)(struct e1000_hw *, u32, u16);
33634 + s32 (* write_phy_reg_locked)(struct e1000_hw *, u32, u16);
33635 + s32 (* cfg_on_link_up)(struct e1000_hw *);
33636 };
33637
33638 /* Function pointers for the NVM. */
33639 struct e1000_nvm_operations {
33640 - s32 (*acquire_nvm)(struct e1000_hw *);
33641 - s32 (*read_nvm)(struct e1000_hw *, u16, u16, u16 *);
33642 - void (*release_nvm)(struct e1000_hw *);
33643 - s32 (*update_nvm)(struct e1000_hw *);
33644 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
33645 - s32 (*validate_nvm)(struct e1000_hw *);
33646 - s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
33647 + s32 (* const acquire_nvm)(struct e1000_hw *);
33648 + s32 (* const read_nvm)(struct e1000_hw *, u16, u16, u16 *);
33649 + void (* const release_nvm)(struct e1000_hw *);
33650 + s32 (* const update_nvm)(struct e1000_hw *);
33651 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
33652 + s32 (* const validate_nvm)(struct e1000_hw *);
33653 + s32 (* const write_nvm)(struct e1000_hw *, u16, u16, u16 *);
33654 };
33655
33656 struct e1000_mac_info {
33657 diff -urNp linux-2.6.32.43/drivers/net/e1000e/ich8lan.c linux-2.6.32.43/drivers/net/e1000e/ich8lan.c
33658 --- linux-2.6.32.43/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:01.000000000 -0400
33659 +++ linux-2.6.32.43/drivers/net/e1000e/ich8lan.c 2011-08-05 20:33:55.000000000 -0400
33660 @@ -265,13 +265,13 @@ static s32 e1000_init_phy_params_pchlan(
33661 phy->addr = 1;
33662 phy->reset_delay_us = 100;
33663
33664 - phy->ops.check_polarity = e1000_check_polarity_ife_ich8lan;
33665 - phy->ops.read_phy_reg = e1000_read_phy_reg_hv;
33666 - phy->ops.read_phy_reg_locked = e1000_read_phy_reg_hv_locked;
33667 - phy->ops.set_d0_lplu_state = e1000_set_lplu_state_pchlan;
33668 - phy->ops.set_d3_lplu_state = e1000_set_lplu_state_pchlan;
33669 - phy->ops.write_phy_reg = e1000_write_phy_reg_hv;
33670 - phy->ops.write_phy_reg_locked = e1000_write_phy_reg_hv_locked;
33671 + *(void **)&phy->ops.check_polarity = e1000_check_polarity_ife_ich8lan;
33672 + *(void **)&phy->ops.read_phy_reg = e1000_read_phy_reg_hv;
33673 + *(void **)&phy->ops.read_phy_reg_locked = e1000_read_phy_reg_hv_locked;
33674 + *(void **)&phy->ops.set_d0_lplu_state = e1000_set_lplu_state_pchlan;
33675 + *(void **)&phy->ops.set_d3_lplu_state = e1000_set_lplu_state_pchlan;
33676 + *(void **)&phy->ops.write_phy_reg = e1000_write_phy_reg_hv;
33677 + *(void **)&phy->ops.write_phy_reg_locked = e1000_write_phy_reg_hv_locked;
33678 phy->autoneg_mask = AUTONEG_ADVERTISE_SPEED_DEFAULT;
33679
33680 /*
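Review bot: The `*(void **)&phy->ops.check_polarity = ...` stores in this hunk erase the member's function-pointer type, so the compiler no longer checks that the assigned function matches the slot's signature; a mismatch would only surface as a bad indirect call at run time. As far as the e1000e/hw.h hunk on this page shows, the `e1000_phy_operations` members are only re-spaced and not `const`-qualified, so the cast may not be needed for these PHY slots at all; worth confirming. Where it is needed, a typed helper keeps the check, for example `#define E1000_SET_OP(slot, fn) do { typeof(slot) fn_ = (fn); *(void **)&(slot) = (void *)fn_; } while (0)` (the macro name is only a suggestion). The same pattern recurs in the other ich8lan.c hunks and in igb/e1000_82575.c, igb/e1000_mbx.c, igbvf/mbx.c, igbvf/vf.c, ixgbe_82598.c and ixgbe_82599.c; e1000_init_phy_params_pchlan continues outside this hunk.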
33681 @@ -289,12 +289,12 @@ static s32 e1000_init_phy_params_pchlan(
33682 phy->type = e1000e_get_phy_type_from_id(phy->id);
33683
33684 if (phy->type == e1000_phy_82577) {
33685 - phy->ops.check_polarity = e1000_check_polarity_82577;
33686 - phy->ops.force_speed_duplex =
33687 + *(void **)&phy->ops.check_polarity = e1000_check_polarity_82577;
33688 + *(void **)&phy->ops.force_speed_duplex =
33689 e1000_phy_force_speed_duplex_82577;
33690 - phy->ops.get_cable_length = e1000_get_cable_length_82577;
33691 - phy->ops.get_phy_info = e1000_get_phy_info_82577;
33692 - phy->ops.commit_phy = e1000e_phy_sw_reset;
33693 + *(void **)&phy->ops.get_cable_length = e1000_get_cable_length_82577;
33694 + *(void **)&phy->ops.get_phy_info = e1000_get_phy_info_82577;
33695 + *(void **)&phy->ops.commit_phy = e1000e_phy_sw_reset;
33696 }
33697
33698 out:
33699 @@ -322,8 +322,8 @@ static s32 e1000_init_phy_params_ich8lan
33700 */
33701 ret_val = e1000e_determine_phy_address(hw);
33702 if (ret_val) {
33703 - hw->phy.ops.write_phy_reg = e1000e_write_phy_reg_bm;
33704 - hw->phy.ops.read_phy_reg = e1000e_read_phy_reg_bm;
33705 + *(void **)&hw->phy.ops.write_phy_reg = e1000e_write_phy_reg_bm;
33706 + *(void **)&hw->phy.ops.read_phy_reg = e1000e_read_phy_reg_bm;
33707 ret_val = e1000e_determine_phy_address(hw);
33708 if (ret_val)
33709 return ret_val;
33710 @@ -343,8 +343,8 @@ static s32 e1000_init_phy_params_ich8lan
33711 case IGP03E1000_E_PHY_ID:
33712 phy->type = e1000_phy_igp_3;
33713 phy->autoneg_mask = AUTONEG_ADVERTISE_SPEED_DEFAULT;
33714 - phy->ops.read_phy_reg_locked = e1000e_read_phy_reg_igp_locked;
33715 - phy->ops.write_phy_reg_locked = e1000e_write_phy_reg_igp_locked;
33716 + *(void **)&phy->ops.read_phy_reg_locked = e1000e_read_phy_reg_igp_locked;
33717 + *(void **)&phy->ops.write_phy_reg_locked = e1000e_write_phy_reg_igp_locked;
33718 break;
33719 case IFE_E_PHY_ID:
33720 case IFE_PLUS_E_PHY_ID:
33721 @@ -355,16 +355,16 @@ static s32 e1000_init_phy_params_ich8lan
33722 case BME1000_E_PHY_ID:
33723 phy->type = e1000_phy_bm;
33724 phy->autoneg_mask = AUTONEG_ADVERTISE_SPEED_DEFAULT;
33725 - hw->phy.ops.read_phy_reg = e1000e_read_phy_reg_bm;
33726 - hw->phy.ops.write_phy_reg = e1000e_write_phy_reg_bm;
33727 - hw->phy.ops.commit_phy = e1000e_phy_sw_reset;
33728 + *(void **)&hw->phy.ops.read_phy_reg = e1000e_read_phy_reg_bm;
33729 + *(void **)&hw->phy.ops.write_phy_reg = e1000e_write_phy_reg_bm;
33730 + *(void **)&hw->phy.ops.commit_phy = e1000e_phy_sw_reset;
33731 break;
33732 default:
33733 return -E1000_ERR_PHY;
33734 break;
33735 }
33736
33737 - phy->ops.check_polarity = e1000_check_polarity_ife_ich8lan;
33738 + *(void **)&phy->ops.check_polarity = e1000_check_polarity_ife_ich8lan;
33739
33740 return 0;
33741 }
33742 @@ -455,25 +455,25 @@ static s32 e1000_init_mac_params_ich8lan
33743 case e1000_ich9lan:
33744 case e1000_ich10lan:
33745 /* ID LED init */
33746 - mac->ops.id_led_init = e1000e_id_led_init;
33747 + *(void **)&mac->ops.id_led_init = e1000e_id_led_init;
33748 /* setup LED */
33749 - mac->ops.setup_led = e1000e_setup_led_generic;
33750 + *(void **)&mac->ops.setup_led = e1000e_setup_led_generic;
33751 /* cleanup LED */
33752 - mac->ops.cleanup_led = e1000_cleanup_led_ich8lan;
33753 + *(void **)&mac->ops.cleanup_led = e1000_cleanup_led_ich8lan;
33754 /* turn on/off LED */
33755 - mac->ops.led_on = e1000_led_on_ich8lan;
33756 - mac->ops.led_off = e1000_led_off_ich8lan;
33757 + *(void **)&mac->ops.led_on = e1000_led_on_ich8lan;
33758 + *(void **)&mac->ops.led_off = e1000_led_off_ich8lan;
33759 break;
33760 case e1000_pchlan:
33761 /* ID LED init */
33762 - mac->ops.id_led_init = e1000_id_led_init_pchlan;
33763 + *(void **)&mac->ops.id_led_init = e1000_id_led_init_pchlan;
33764 /* setup LED */
33765 - mac->ops.setup_led = e1000_setup_led_pchlan;
33766 + *(void **)&mac->ops.setup_led = e1000_setup_led_pchlan;
33767 /* cleanup LED */
33768 - mac->ops.cleanup_led = e1000_cleanup_led_pchlan;
33769 + *(void **)&mac->ops.cleanup_led = e1000_cleanup_led_pchlan;
33770 /* turn on/off LED */
33771 - mac->ops.led_on = e1000_led_on_pchlan;
33772 - mac->ops.led_off = e1000_led_off_pchlan;
33773 + *(void **)&mac->ops.led_on = e1000_led_on_pchlan;
33774 + *(void **)&mac->ops.led_off = e1000_led_off_pchlan;
33775 break;
33776 default:
33777 break;
33778 @@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
33779 }
33780 }
33781
33782 -static struct e1000_mac_operations ich8_mac_ops = {
33783 +static const struct e1000_mac_operations ich8_mac_ops = {
33784 .id_led_init = e1000e_id_led_init,
33785 .check_mng_mode = e1000_check_mng_mode_ich8lan,
33786 .check_for_link = e1000_check_for_copper_link_ich8lan,
33787 @@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
33788 /* id_led_init dependent on mac type */
33789 };
33790
33791 -static struct e1000_phy_operations ich8_phy_ops = {
33792 +static const struct e1000_phy_operations ich8_phy_ops = {
33793 .acquire_phy = e1000_acquire_swflag_ich8lan,
33794 .check_reset_block = e1000_check_reset_block_ich8lan,
33795 .commit_phy = NULL,
33796 @@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
33797 .write_phy_reg = e1000e_write_phy_reg_igp,
33798 };
33799
33800 -static struct e1000_nvm_operations ich8_nvm_ops = {
33801 +static const struct e1000_nvm_operations ich8_nvm_ops = {
33802 .acquire_nvm = e1000_acquire_nvm_ich8lan,
33803 .read_nvm = e1000_read_nvm_ich8lan,
33804 .release_nvm = e1000_release_nvm_ich8lan,
33805 diff -urNp linux-2.6.32.43/drivers/net/e1000e/netdev.c linux-2.6.32.43/drivers/net/e1000e/netdev.c
33806 --- linux-2.6.32.43/drivers/net/e1000e/netdev.c 2011-03-27 14:31:47.000000000 -0400
33807 +++ linux-2.6.32.43/drivers/net/e1000e/netdev.c 2011-08-05 20:33:55.000000000 -0400
33808 @@ -5071,9 +5071,9 @@ static int __devinit e1000_probe(struct
33809
33810 err = -EIO;
33811
33812 - memcpy(&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
33813 - memcpy(&hw->nvm.ops, ei->nvm_ops, sizeof(hw->nvm.ops));
33814 - memcpy(&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
33815 + memcpy((void *)&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
33816 + memcpy((void *)&hw->nvm.ops, ei->nvm_ops, sizeof(hw->nvm.ops));
33817 + memcpy((void *)&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
33818
33819 err = ei->get_variants(adapter);
33820 if (err)
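Review bot: The `(void *)` casts on the three `memcpy()` destinations silence a qualifier warning without saying why, and they hide a limit of the hardening: the `static const` templates become read-only, but the per-adapter copies in `hw->mac.ops`, `hw->nvm.ops` and `hw->phy.ops` stay in writable memory. Those copies are the ones the driver calls through and later patches with `*(void **)&` stores. A comment above the copies would record this, for example `/* ops members are const-qualified; this is the one-time initialisation of the per-adapter copy, which stays writable */`. The same applies to the `memcpy()` hunks in igb/igb_main.c and ixgbe/ixgbe_main.c; e1000_probe continues outside this hunk.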
33821 diff -urNp linux-2.6.32.43/drivers/net/hamradio/6pack.c linux-2.6.32.43/drivers/net/hamradio/6pack.c
33822 --- linux-2.6.32.43/drivers/net/hamradio/6pack.c 2011-07-13 17:23:04.000000000 -0400
33823 +++ linux-2.6.32.43/drivers/net/hamradio/6pack.c 2011-07-13 17:23:18.000000000 -0400
33824 @@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
33825 unsigned char buf[512];
33826 int count1;
33827
33828 + pax_track_stack();
33829 +
33830 if (!count)
33831 return;
33832
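Review bot: The added `pax_track_stack();` carries no comment saying why this function in particular is instrumented, and its definition is not on this part of the page. The visible `unsigned char buf[512];` suggests the trigger is the large stack frame, so a short note such as `/* large on-stack buffer: let PaX record the stack depth reached here */` would tell a maintainer when the call can be dropped or must be kept (wording to be confirmed against the helper's definition). The mlx4/main.c hunk adds `#include <linux/sched.h>` alongside the call while 6pack.c, ixgb_main.c, ixgb_param.c and niu.c do not; presumably those files already see the declaration, but that is worth confirming rather than relying on a transitive include. sixpack_receive_buf continues outside this hunk.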
33833 diff -urNp linux-2.6.32.43/drivers/net/ibmveth.c linux-2.6.32.43/drivers/net/ibmveth.c
33834 --- linux-2.6.32.43/drivers/net/ibmveth.c 2011-03-27 14:31:47.000000000 -0400
33835 +++ linux-2.6.32.43/drivers/net/ibmveth.c 2011-04-17 15:56:46.000000000 -0400
33836 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
33837 NULL,
33838 };
33839
33840 -static struct sysfs_ops veth_pool_ops = {
33841 +static const struct sysfs_ops veth_pool_ops = {
33842 .show = veth_pool_show,
33843 .store = veth_pool_store,
33844 };
33845 diff -urNp linux-2.6.32.43/drivers/net/igb/e1000_82575.c linux-2.6.32.43/drivers/net/igb/e1000_82575.c
33846 --- linux-2.6.32.43/drivers/net/igb/e1000_82575.c 2011-03-27 14:31:47.000000000 -0400
33847 +++ linux-2.6.32.43/drivers/net/igb/e1000_82575.c 2011-08-05 20:33:55.000000000 -0400
33848 @@ -135,7 +135,7 @@ static s32 igb_get_invariants_82575(stru
33849 ? true : false;
33850
33851 /* physical interface link setup */
33852 - mac->ops.setup_physical_interface =
33853 + *(void **)&mac->ops.setup_physical_interface =
33854 (hw->phy.media_type == e1000_media_type_copper)
33855 ? igb_setup_copper_link_82575
33856 : igb_setup_serdes_link_82575;
33857 @@ -191,13 +191,13 @@ static s32 igb_get_invariants_82575(stru
33858
33859 /* PHY function pointers */
33860 if (igb_sgmii_active_82575(hw)) {
33861 - phy->ops.reset = igb_phy_hw_reset_sgmii_82575;
33862 - phy->ops.read_reg = igb_read_phy_reg_sgmii_82575;
33863 - phy->ops.write_reg = igb_write_phy_reg_sgmii_82575;
33864 + *(void **)&phy->ops.reset = igb_phy_hw_reset_sgmii_82575;
33865 + *(void **)&phy->ops.read_reg = igb_read_phy_reg_sgmii_82575;
33866 + *(void **)&phy->ops.write_reg = igb_write_phy_reg_sgmii_82575;
33867 } else {
33868 - phy->ops.reset = igb_phy_hw_reset;
33869 - phy->ops.read_reg = igb_read_phy_reg_igp;
33870 - phy->ops.write_reg = igb_write_phy_reg_igp;
33871 + *(void **)&phy->ops.reset = igb_phy_hw_reset;
33872 + *(void **)&phy->ops.read_reg = igb_read_phy_reg_igp;
33873 + *(void **)&phy->ops.write_reg = igb_write_phy_reg_igp;
33874 }
33875
33876 /* set lan id */
33877 @@ -213,17 +213,17 @@ static s32 igb_get_invariants_82575(stru
33878 switch (phy->id) {
33879 case M88E1111_I_PHY_ID:
33880 phy->type = e1000_phy_m88;
33881 - phy->ops.get_phy_info = igb_get_phy_info_m88;
33882 - phy->ops.get_cable_length = igb_get_cable_length_m88;
33883 - phy->ops.force_speed_duplex = igb_phy_force_speed_duplex_m88;
33884 + *(void **)&phy->ops.get_phy_info = igb_get_phy_info_m88;
33885 + *(void **)&phy->ops.get_cable_length = igb_get_cable_length_m88;
33886 + *(void **)&phy->ops.force_speed_duplex = igb_phy_force_speed_duplex_m88;
33887 break;
33888 case IGP03E1000_E_PHY_ID:
33889 phy->type = e1000_phy_igp_3;
33890 - phy->ops.get_phy_info = igb_get_phy_info_igp;
33891 - phy->ops.get_cable_length = igb_get_cable_length_igp_2;
33892 - phy->ops.force_speed_duplex = igb_phy_force_speed_duplex_igp;
33893 - phy->ops.set_d0_lplu_state = igb_set_d0_lplu_state_82575;
33894 - phy->ops.set_d3_lplu_state = igb_set_d3_lplu_state;
33895 + *(void **)&phy->ops.get_phy_info = igb_get_phy_info_igp;
33896 + *(void **)&phy->ops.get_cable_length = igb_get_cable_length_igp_2;
33897 + *(void **)&phy->ops.force_speed_duplex = igb_phy_force_speed_duplex_igp;
33898 + *(void **)&phy->ops.set_d0_lplu_state = igb_set_d0_lplu_state_82575;
33899 + *(void **)&phy->ops.set_d3_lplu_state = igb_set_d3_lplu_state;
33900 break;
33901 default:
33902 return -E1000_ERR_PHY;
33903 @@ -1410,7 +1410,7 @@ void igb_vmdq_set_replication_pf(struct
33904 wr32(E1000_VT_CTL, vt_ctl);
33905 }
33906
33907 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
33908 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
33909 .reset_hw = igb_reset_hw_82575,
33910 .init_hw = igb_init_hw_82575,
33911 .check_for_link = igb_check_for_link_82575,
33912 @@ -1419,13 +1419,13 @@ static struct e1000_mac_operations e1000
33913 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
33914 };
33915
33916 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
33917 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
33918 .acquire = igb_acquire_phy_82575,
33919 .get_cfg_done = igb_get_cfg_done_82575,
33920 .release = igb_release_phy_82575,
33921 };
33922
33923 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
33924 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
33925 .acquire = igb_acquire_nvm_82575,
33926 .read = igb_read_nvm_eerd,
33927 .release = igb_release_nvm_82575,
33928 diff -urNp linux-2.6.32.43/drivers/net/igb/e1000_hw.h linux-2.6.32.43/drivers/net/igb/e1000_hw.h
33929 --- linux-2.6.32.43/drivers/net/igb/e1000_hw.h 2011-03-27 14:31:47.000000000 -0400
33930 +++ linux-2.6.32.43/drivers/net/igb/e1000_hw.h 2011-04-17 15:56:46.000000000 -0400
33931 @@ -305,17 +305,17 @@ struct e1000_phy_operations {
33932 };
33933
33934 struct e1000_nvm_operations {
33935 - s32 (*acquire)(struct e1000_hw *);
33936 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
33937 - void (*release)(struct e1000_hw *);
33938 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
33939 + s32 (* const acquire)(struct e1000_hw *);
33940 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
33941 + void (* const release)(struct e1000_hw *);
33942 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
33943 };
33944
33945 struct e1000_info {
33946 s32 (*get_invariants)(struct e1000_hw *);
33947 - struct e1000_mac_operations *mac_ops;
33948 - struct e1000_phy_operations *phy_ops;
33949 - struct e1000_nvm_operations *nvm_ops;
33950 + const struct e1000_mac_operations *mac_ops;
33951 + const struct e1000_phy_operations *phy_ops;
33952 + const struct e1000_nvm_operations *nvm_ops;
33953 };
33954
33955 extern const struct e1000_info e1000_82575_info;
33956 diff -urNp linux-2.6.32.43/drivers/net/igb/e1000_mbx.c linux-2.6.32.43/drivers/net/igb/e1000_mbx.c
33957 --- linux-2.6.32.43/drivers/net/igb/e1000_mbx.c 2011-03-27 14:31:47.000000000 -0400
33958 +++ linux-2.6.32.43/drivers/net/igb/e1000_mbx.c 2011-08-05 20:33:55.000000000 -0400
33959 @@ -414,13 +414,13 @@ s32 igb_init_mbx_params_pf(struct e1000_
33960
33961 mbx->size = E1000_VFMAILBOX_SIZE;
33962
33963 - mbx->ops.read = igb_read_mbx_pf;
33964 - mbx->ops.write = igb_write_mbx_pf;
33965 - mbx->ops.read_posted = igb_read_posted_mbx;
33966 - mbx->ops.write_posted = igb_write_posted_mbx;
33967 - mbx->ops.check_for_msg = igb_check_for_msg_pf;
33968 - mbx->ops.check_for_ack = igb_check_for_ack_pf;
33969 - mbx->ops.check_for_rst = igb_check_for_rst_pf;
33970 + *(void **)&mbx->ops.read = igb_read_mbx_pf;
33971 + *(void **)&mbx->ops.write = igb_write_mbx_pf;
33972 + *(void **)&mbx->ops.read_posted = igb_read_posted_mbx;
33973 + *(void **)&mbx->ops.write_posted = igb_write_posted_mbx;
33974 + *(void **)&mbx->ops.check_for_msg = igb_check_for_msg_pf;
33975 + *(void **)&mbx->ops.check_for_ack = igb_check_for_ack_pf;
33976 + *(void **)&mbx->ops.check_for_rst = igb_check_for_rst_pf;
33977
33978 mbx->stats.msgs_tx = 0;
33979 mbx->stats.msgs_rx = 0;
33980 diff -urNp linux-2.6.32.43/drivers/net/igb/igb_main.c linux-2.6.32.43/drivers/net/igb/igb_main.c
33981 --- linux-2.6.32.43/drivers/net/igb/igb_main.c 2011-03-27 14:31:47.000000000 -0400
33982 +++ linux-2.6.32.43/drivers/net/igb/igb_main.c 2011-08-05 20:33:55.000000000 -0400
33983 @@ -1295,9 +1295,9 @@ static int __devinit igb_probe(struct pc
33984 /* setup the private structure */
33985 hw->back = adapter;
33986 /* Copy the default MAC, PHY and NVM function pointers */
33987 - memcpy(&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
33988 - memcpy(&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
33989 - memcpy(&hw->nvm.ops, ei->nvm_ops, sizeof(hw->nvm.ops));
33990 + memcpy((void *)&hw->mac.ops, ei->mac_ops, sizeof(hw->mac.ops));
33991 + memcpy((void *)&hw->phy.ops, ei->phy_ops, sizeof(hw->phy.ops));
33992 + memcpy((void *)&hw->nvm.ops, ei->nvm_ops, sizeof(hw->nvm.ops));
33993 /* Initialize skew-specific constants */
33994 err = ei->get_invariants(hw);
33995 if (err)
33996 diff -urNp linux-2.6.32.43/drivers/net/igbvf/mbx.c linux-2.6.32.43/drivers/net/igbvf/mbx.c
33997 --- linux-2.6.32.43/drivers/net/igbvf/mbx.c 2011-03-27 14:31:47.000000000 -0400
33998 +++ linux-2.6.32.43/drivers/net/igbvf/mbx.c 2011-08-05 20:33:55.000000000 -0400
33999 @@ -331,13 +331,13 @@ s32 e1000_init_mbx_params_vf(struct e100
34000
34001 mbx->size = E1000_VFMAILBOX_SIZE;
34002
34003 - mbx->ops.read = e1000_read_mbx_vf;
34004 - mbx->ops.write = e1000_write_mbx_vf;
34005 - mbx->ops.read_posted = e1000_read_posted_mbx;
34006 - mbx->ops.write_posted = e1000_write_posted_mbx;
34007 - mbx->ops.check_for_msg = e1000_check_for_msg_vf;
34008 - mbx->ops.check_for_ack = e1000_check_for_ack_vf;
34009 - mbx->ops.check_for_rst = e1000_check_for_rst_vf;
34010 + *(void **)&mbx->ops.read = e1000_read_mbx_vf;
34011 + *(void **)&mbx->ops.write = e1000_write_mbx_vf;
34012 + *(void **)&mbx->ops.read_posted = e1000_read_posted_mbx;
34013 + *(void **)&mbx->ops.write_posted = e1000_write_posted_mbx;
34014 + *(void **)&mbx->ops.check_for_msg = e1000_check_for_msg_vf;
34015 + *(void **)&mbx->ops.check_for_ack = e1000_check_for_ack_vf;
34016 + *(void **)&mbx->ops.check_for_rst = e1000_check_for_rst_vf;
34017
34018 mbx->stats.msgs_tx = 0;
34019 mbx->stats.msgs_rx = 0;
34020 diff -urNp linux-2.6.32.43/drivers/net/igbvf/vf.c linux-2.6.32.43/drivers/net/igbvf/vf.c
34021 --- linux-2.6.32.43/drivers/net/igbvf/vf.c 2011-03-27 14:31:47.000000000 -0400
34022 +++ linux-2.6.32.43/drivers/net/igbvf/vf.c 2011-08-05 20:33:55.000000000 -0400
34023 @@ -55,21 +55,21 @@ static s32 e1000_init_mac_params_vf(stru
34024
34025 /* Function pointers */
34026 /* reset */
34027 - mac->ops.reset_hw = e1000_reset_hw_vf;
34028 + *(void **)&mac->ops.reset_hw = e1000_reset_hw_vf;
34029 /* hw initialization */
34030 - mac->ops.init_hw = e1000_init_hw_vf;
34031 + *(void **)&mac->ops.init_hw = e1000_init_hw_vf;
34032 /* check for link */
34033 - mac->ops.check_for_link = e1000_check_for_link_vf;
34034 + *(void **)&mac->ops.check_for_link = e1000_check_for_link_vf;
34035 /* link info */
34036 - mac->ops.get_link_up_info = e1000_get_link_up_info_vf;
34037 + *(void **)&mac->ops.get_link_up_info = e1000_get_link_up_info_vf;
34038 /* multicast address update */
34039 - mac->ops.update_mc_addr_list = e1000_update_mc_addr_list_vf;
34040 + *(void **)&mac->ops.update_mc_addr_list = e1000_update_mc_addr_list_vf;
34041 /* set mac address */
34042 - mac->ops.rar_set = e1000_rar_set_vf;
34043 + *(void **)&mac->ops.rar_set = e1000_rar_set_vf;
34044 /* read mac address */
34045 - mac->ops.read_mac_addr = e1000_read_mac_addr_vf;
34046 + *(void **)&mac->ops.read_mac_addr = e1000_read_mac_addr_vf;
34047 /* set vlan filter table array */
34048 - mac->ops.set_vfta = e1000_set_vfta_vf;
34049 + *(void **)&mac->ops.set_vfta = e1000_set_vfta_vf;
34050
34051 return E1000_SUCCESS;
34052 }
34053 @@ -80,8 +80,8 @@ static s32 e1000_init_mac_params_vf(stru
34054 **/
34055 void e1000_init_function_pointers_vf(struct e1000_hw *hw)
34056 {
34057 - hw->mac.ops.init_params = e1000_init_mac_params_vf;
34058 - hw->mbx.ops.init_params = e1000_init_mbx_params_vf;
34059 + *(void **)&hw->mac.ops.init_params = e1000_init_mac_params_vf;
34060 + *(void **)&hw->mbx.ops.init_params = e1000_init_mbx_params_vf;
34061 }
34062
34063 /**
34064 diff -urNp linux-2.6.32.43/drivers/net/iseries_veth.c linux-2.6.32.43/drivers/net/iseries_veth.c
34065 --- linux-2.6.32.43/drivers/net/iseries_veth.c 2011-03-27 14:31:47.000000000 -0400
34066 +++ linux-2.6.32.43/drivers/net/iseries_veth.c 2011-04-17 15:56:46.000000000 -0400
34067 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
34068 NULL
34069 };
34070
34071 -static struct sysfs_ops veth_cnx_sysfs_ops = {
34072 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
34073 .show = veth_cnx_attribute_show
34074 };
34075
34076 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
34077 NULL
34078 };
34079
34080 -static struct sysfs_ops veth_port_sysfs_ops = {
34081 +static const struct sysfs_ops veth_port_sysfs_ops = {
34082 .show = veth_port_attribute_show
34083 };
34084
34085 diff -urNp linux-2.6.32.43/drivers/net/ixgb/ixgb_main.c linux-2.6.32.43/drivers/net/ixgb/ixgb_main.c
34086 --- linux-2.6.32.43/drivers/net/ixgb/ixgb_main.c 2011-03-27 14:31:47.000000000 -0400
34087 +++ linux-2.6.32.43/drivers/net/ixgb/ixgb_main.c 2011-05-16 21:46:57.000000000 -0400
34088 @@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
34089 u32 rctl;
34090 int i;
34091
34092 + pax_track_stack();
34093 +
34094 /* Check for Promiscuous and All Multicast modes */
34095
34096 rctl = IXGB_READ_REG(hw, RCTL);
34097 diff -urNp linux-2.6.32.43/drivers/net/ixgb/ixgb_param.c linux-2.6.32.43/drivers/net/ixgb/ixgb_param.c
34098 --- linux-2.6.32.43/drivers/net/ixgb/ixgb_param.c 2011-03-27 14:31:47.000000000 -0400
34099 +++ linux-2.6.32.43/drivers/net/ixgb/ixgb_param.c 2011-05-16 21:46:57.000000000 -0400
34100 @@ -260,6 +260,9 @@ void __devinit
34101 ixgb_check_options(struct ixgb_adapter *adapter)
34102 {
34103 int bd = adapter->bd_number;
34104 +
34105 + pax_track_stack();
34106 +
34107 if (bd >= IXGB_MAX_NIC) {
34108 printk(KERN_NOTICE
34109 "Warning: no configuration for board #%i\n", bd);
34110 diff -urNp linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82598.c linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82598.c
34111 --- linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82598.c 2011-03-27 14:31:47.000000000 -0400
34112 +++ linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82598.c 2011-08-05 20:33:55.000000000 -0400
34113 @@ -154,19 +154,19 @@ static s32 ixgbe_init_phy_ops_82598(stru
34114
34115 /* Overwrite the link function pointers if copper PHY */
34116 if (mac->ops.get_media_type(hw) == ixgbe_media_type_copper) {
34117 - mac->ops.setup_link = &ixgbe_setup_copper_link_82598;
34118 - mac->ops.get_link_capabilities =
34119 + *(void **)&mac->ops.setup_link = &ixgbe_setup_copper_link_82598;
34120 + *(void **)&mac->ops.get_link_capabilities =
34121 &ixgbe_get_copper_link_capabilities_82598;
34122 }
34123
34124 switch (hw->phy.type) {
34125 case ixgbe_phy_tn:
34126 - phy->ops.check_link = &ixgbe_check_phy_link_tnx;
34127 - phy->ops.get_firmware_version =
34128 + *(void **)&phy->ops.check_link = &ixgbe_check_phy_link_tnx;
34129 + *(void **)&phy->ops.get_firmware_version =
34130 &ixgbe_get_phy_firmware_version_tnx;
34131 break;
34132 case ixgbe_phy_nl:
34133 - phy->ops.reset = &ixgbe_reset_phy_nl;
34134 + *(void **)&phy->ops.reset = &ixgbe_reset_phy_nl;
34135
34136 /* Call SFP+ identify routine to get the SFP+ module type */
34137 ret_val = phy->ops.identify_sfp(hw);
34138 diff -urNp linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82599.c linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82599.c
34139 --- linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82599.c 2011-03-27 14:31:47.000000000 -0400
34140 +++ linux-2.6.32.43/drivers/net/ixgbe/ixgbe_82599.c 2011-08-05 20:33:55.000000000 -0400
34141 @@ -62,9 +62,9 @@ static void ixgbe_init_mac_link_ops_8259
34142 struct ixgbe_mac_info *mac = &hw->mac;
34143 if (hw->phy.multispeed_fiber) {
34144 /* Set up dual speed SFP+ support */
34145 - mac->ops.setup_link = &ixgbe_setup_mac_link_multispeed_fiber;
34146 + *(void **)&mac->ops.setup_link = &ixgbe_setup_mac_link_multispeed_fiber;
34147 } else {
34148 - mac->ops.setup_link = &ixgbe_setup_mac_link_82599;
34149 + *(void **)&mac->ops.setup_link = &ixgbe_setup_mac_link_82599;
34150 }
34151 }
34152
34153 @@ -76,7 +76,7 @@ static s32 ixgbe_setup_sfp_modules_82599
34154 if (hw->phy.sfp_type != ixgbe_sfp_type_unknown) {
34155 ixgbe_init_mac_link_ops_82599(hw);
34156
34157 - hw->phy.ops.reset = NULL;
34158 + *(void **)&hw->phy.ops.reset = NULL;
34159
34160 ret_val = ixgbe_get_sfp_init_sequence_offsets(hw, &list_offset,
34161 &data_offset);
34162 @@ -171,16 +171,16 @@ static s32 ixgbe_init_phy_ops_82599(stru
34163
34164 /* If copper media, overwrite with copper function pointers */
34165 if (mac->ops.get_media_type(hw) == ixgbe_media_type_copper) {
34166 - mac->ops.setup_link = &ixgbe_setup_copper_link_82599;
34167 - mac->ops.get_link_capabilities =
34168 + *(void **)&mac->ops.setup_link = &ixgbe_setup_copper_link_82599;
34169 + *(void **)&mac->ops.get_link_capabilities =
34170 &ixgbe_get_copper_link_capabilities_82599;
34171 }
34172
34173 /* Set necessary function pointers based on phy type */
34174 switch (hw->phy.type) {
34175 case ixgbe_phy_tn:
34176 - phy->ops.check_link = &ixgbe_check_phy_link_tnx;
34177 - phy->ops.get_firmware_version =
34178 + *(void **)&phy->ops.check_link = &ixgbe_check_phy_link_tnx;
34179 + *(void **)&phy->ops.get_firmware_version =
34180 &ixgbe_get_phy_firmware_version_tnx;
34181 break;
34182 default:
34183 diff -urNp linux-2.6.32.43/drivers/net/ixgbe/ixgbe_main.c linux-2.6.32.43/drivers/net/ixgbe/ixgbe_main.c
34184 --- linux-2.6.32.43/drivers/net/ixgbe/ixgbe_main.c 2011-03-27 14:31:47.000000000 -0400
34185 +++ linux-2.6.32.43/drivers/net/ixgbe/ixgbe_main.c 2011-08-05 20:33:55.000000000 -0400
34186 @@ -5638,18 +5638,18 @@ static int __devinit ixgbe_probe(struct
34187 adapter->bd_number = cards_found;
34188
34189 /* Setup hw api */
34190 - memcpy(&hw->mac.ops, ii->mac_ops, sizeof(hw->mac.ops));
34191 + memcpy((void *)&hw->mac.ops, ii->mac_ops, sizeof(hw->mac.ops));
34192 hw->mac.type = ii->mac;
34193
34194 /* EEPROM */
34195 - memcpy(&hw->eeprom.ops, ii->eeprom_ops, sizeof(hw->eeprom.ops));
34196 + memcpy((void *)&hw->eeprom.ops, ii->eeprom_ops, sizeof(hw->eeprom.ops));
34197 eec = IXGBE_READ_REG(hw, IXGBE_EEC);
34198 /* If EEPROM is valid (bit 8 = 1), use default otherwise use bit bang */
34199 if (!(eec & (1 << 8)))
34200 - hw->eeprom.ops.read = &ixgbe_read_eeprom_bit_bang_generic;
34201 + *(void **)&hw->eeprom.ops.read = &ixgbe_read_eeprom_bit_bang_generic;
34202
34203 /* PHY */
34204 - memcpy(&hw->phy.ops, ii->phy_ops, sizeof(hw->phy.ops));
34205 + memcpy((void *)&hw->phy.ops, ii->phy_ops, sizeof(hw->phy.ops));
34206 hw->phy.sfp_type = ixgbe_sfp_type_unknown;
34207 /* ixgbe_identify_phy_generic will set prtad and mmds properly */
34208 hw->phy.mdio.prtad = MDIO_PRTAD_NONE;
34209 diff -urNp linux-2.6.32.43/drivers/net/mlx4/main.c linux-2.6.32.43/drivers/net/mlx4/main.c
34210 --- linux-2.6.32.43/drivers/net/mlx4/main.c 2011-03-27 14:31:47.000000000 -0400
34211 +++ linux-2.6.32.43/drivers/net/mlx4/main.c 2011-05-18 20:09:37.000000000 -0400
34212 @@ -38,6 +38,7 @@
34213 #include <linux/errno.h>
34214 #include <linux/pci.h>
34215 #include <linux/dma-mapping.h>
34216 +#include <linux/sched.h>
34217
34218 #include <linux/mlx4/device.h>
34219 #include <linux/mlx4/doorbell.h>
34220 @@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
34221 u64 icm_size;
34222 int err;
34223
34224 + pax_track_stack();
34225 +
34226 err = mlx4_QUERY_FW(dev);
34227 if (err) {
34228 if (err == -EACCES)
34229 diff -urNp linux-2.6.32.43/drivers/net/niu.c linux-2.6.32.43/drivers/net/niu.c
34230 --- linux-2.6.32.43/drivers/net/niu.c 2011-05-10 22:12:01.000000000 -0400
34231 +++ linux-2.6.32.43/drivers/net/niu.c 2011-05-16 21:46:57.000000000 -0400
34232 @@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
34233 int i, num_irqs, err;
34234 u8 first_ldg;
34235
34236 + pax_track_stack();
34237 +
34238 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
34239 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
34240 ldg_num_map[i] = first_ldg + i;
34241 diff -urNp linux-2.6.32.43/drivers/net/pcnet32.c linux-2.6.32.43/drivers/net/pcnet32.c
34242 --- linux-2.6.32.43/drivers/net/pcnet32.c 2011-03-27 14:31:47.000000000 -0400
34243 +++ linux-2.6.32.43/drivers/net/pcnet32.c 2011-08-05 20:33:55.000000000 -0400
34244 @@ -79,7 +79,7 @@ static int cards_found;
34245 /*
34246 * VLB I/O addresses
34247 */
34248 -static unsigned int pcnet32_portlist[] __initdata =
34249 +static unsigned int pcnet32_portlist[] __devinitdata =
34250 { 0x300, 0x320, 0x340, 0x360, 0 };
34251
34252 static int pcnet32_debug = 0;
34253 @@ -267,7 +267,7 @@ struct pcnet32_private {
34254 struct sk_buff **rx_skbuff;
34255 dma_addr_t *tx_dma_addr;
34256 dma_addr_t *rx_dma_addr;
34257 - struct pcnet32_access a;
34258 + struct pcnet32_access *a;
34259 spinlock_t lock; /* Guard lock */
34260 unsigned int cur_rx, cur_tx; /* The next free ring entry */
34261 unsigned int rx_ring_size; /* current rx ring size */
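Review bot: Turning the embedded `struct pcnet32_access a;` into a pointer means every `lp->a->...` call in the later hunks dereferences a field that was previously always valid, and the place where it is assigned is not in the visible hunks. It has to be set before any netdev or ethtool callback can run, and it must point at storage that outlives the device rather than a probe-time local. If the pointed-to access tables are meant to be read-only, the field could say so with `const struct pcnet32_access *a;`, with the locals in pcnet32_loopback_test, pcnet32_led_blink_callback and pcnet32_phys_id changed to match. A one-line comment on the field, e.g. `/* register access table; set once in probe, never NULL afterwards */`, would document the invariant once it is confirmed.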
34262 @@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
34263 u16 val;
34264
34265 netif_wake_queue(dev);
34266 - val = lp->a.read_csr(ioaddr, CSR3);
34267 + val = lp->a->read_csr(ioaddr, CSR3);
34268 val &= 0x00ff;
34269 - lp->a.write_csr(ioaddr, CSR3, val);
34270 + lp->a->write_csr(ioaddr, CSR3, val);
34271 napi_enable(&lp->napi);
34272 }
34273
34274 @@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
34275 r = mii_link_ok(&lp->mii_if);
34276 } else if (lp->chip_version >= PCNET32_79C970A) {
34277 ulong ioaddr = dev->base_addr; /* card base I/O address */
34278 - r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
34279 + r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
34280 } else { /* can not detect link on really old chips */
34281 r = 1;
34282 }
34283 @@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
34284 pcnet32_netif_stop(dev);
34285
34286 spin_lock_irqsave(&lp->lock, flags);
34287 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34288 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34289
34290 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
34291
34292 @@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
34293 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
34294 {
34295 struct pcnet32_private *lp = netdev_priv(dev);
34296 - struct pcnet32_access *a = &lp->a; /* access to registers */
34297 + struct pcnet32_access *a = lp->a; /* access to registers */
34298 ulong ioaddr = dev->base_addr; /* card base I/O address */
34299 struct sk_buff *skb; /* sk buff */
34300 int x, i; /* counters */
34301 @@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
34302 pcnet32_netif_stop(dev);
34303
34304 spin_lock_irqsave(&lp->lock, flags);
34305 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34306 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34307
34308 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
34309
34310 /* Reset the PCNET32 */
34311 - lp->a.reset(ioaddr);
34312 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34313 + lp->a->reset(ioaddr);
34314 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34315
34316 /* switch pcnet32 to 32bit mode */
34317 - lp->a.write_bcr(ioaddr, 20, 2);
34318 + lp->a->write_bcr(ioaddr, 20, 2);
34319
34320 /* purge & init rings but don't actually restart */
34321 pcnet32_restart(dev, 0x0000);
34322
34323 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34324 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34325
34326 /* Initialize Transmit buffers. */
34327 size = data_len + 15;
34328 @@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
34329
34330 /* set int loopback in CSR15 */
34331 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
34332 - lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
34333 + lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
34334
34335 teststatus = cpu_to_le16(0x8000);
34336 - lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34337 + lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34338
34339 /* Check status of descriptors */
34340 for (x = 0; x < numbuffs; x++) {
34341 @@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
34342 }
34343 }
34344
34345 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34346 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34347 wmb();
34348 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
34349 printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
34350 @@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
34351 pcnet32_restart(dev, CSR0_NORMAL);
34352 } else {
34353 pcnet32_purge_rx_ring(dev);
34354 - lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34355 + lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34356 }
34357 spin_unlock_irqrestore(&lp->lock, flags);
34358
34359 @@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
34360 static void pcnet32_led_blink_callback(struct net_device *dev)
34361 {
34362 struct pcnet32_private *lp = netdev_priv(dev);
34363 - struct pcnet32_access *a = &lp->a;
34364 + struct pcnet32_access *a = lp->a;
34365 ulong ioaddr = dev->base_addr;
34366 unsigned long flags;
34367 int i;
34368 @@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
34369 static int pcnet32_phys_id(struct net_device *dev, u32 data)
34370 {
34371 struct pcnet32_private *lp = netdev_priv(dev);
34372 - struct pcnet32_access *a = &lp->a;
34373 + struct pcnet32_access *a = lp->a;
34374 ulong ioaddr = dev->base_addr;
34375 unsigned long flags;
34376 int i, regs[4];
34377 @@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
34378 {
34379 int csr5;
34380 struct pcnet32_private *lp = netdev_priv(dev);
34381 - struct pcnet32_access *a = &lp->a;
34382 + struct pcnet32_access *a = lp->a;
34383 ulong ioaddr = dev->base_addr;
34384 int ticks;
34385
34386 @@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
34387 spin_lock_irqsave(&lp->lock, flags);
34388 if (pcnet32_tx(dev)) {
34389 /* reset the chip to clear the error condition, then restart */
34390 - lp->a.reset(ioaddr);
34391 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34392 + lp->a->reset(ioaddr);
34393 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34394 pcnet32_restart(dev, CSR0_START);
34395 netif_wake_queue(dev);
34396 }
34397 @@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
34398 __napi_complete(napi);
34399
34400 /* clear interrupt masks */
34401 - val = lp->a.read_csr(ioaddr, CSR3);
34402 + val = lp->a->read_csr(ioaddr, CSR3);
34403 val &= 0x00ff;
34404 - lp->a.write_csr(ioaddr, CSR3, val);
34405 + lp->a->write_csr(ioaddr, CSR3, val);
34406
34407 /* Set interrupt enable. */
34408 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
34409 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
34410
34411 spin_unlock_irqrestore(&lp->lock, flags);
34412 }
34413 @@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
34414 int i, csr0;
34415 u16 *buff = ptr;
34416 struct pcnet32_private *lp = netdev_priv(dev);
34417 - struct pcnet32_access *a = &lp->a;
34418 + struct pcnet32_access *a = lp->a;
34419 ulong ioaddr = dev->base_addr;
34420 unsigned long flags;
34421
34422 @@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
34423 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
34424 if (lp->phymask & (1 << j)) {
34425 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
34426 - lp->a.write_bcr(ioaddr, 33,
34427 + lp->a->write_bcr(ioaddr, 33,
34428 (j << 5) | i);
34429 - *buff++ = lp->a.read_bcr(ioaddr, 34);
34430 + *buff++ = lp->a->read_bcr(ioaddr, 34);
34431 }
34432 }
34433 }
34434 @@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34435 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
34436 lp->options |= PCNET32_PORT_FD;
34437
34438 - lp->a = *a;
34439 + lp->a = a;
34440
34441 /* prior to register_netdev, dev->name is not yet correct */
34442 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
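Review bot: `lp->a = a;` now stores the caller's pointer instead of copying the access table, so whatever `a` points to has to stay valid for as long as the net_device exists. The hunk does not show where `a` comes from, and pcnet32_probe1 starts and ends outside it. If `a` always points at one of the driver's static access tables this is fine, but that should be recorded next to the assignment, e.g. `/* a points at a static pcnet32_access table; lp only borrows it */`. Declaring the member and the local aliases as `const struct pcnet32_access *` would also make the compiler reject writes through it, assuming nothing in the driver modifies the table after probe.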
34443 @@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34444 if (lp->mii) {
34445 /* lp->phycount and lp->phymask are set to 0 by memset above */
34446
34447 - lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
34448 + lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
34449 /* scan for PHYs */
34450 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
34451 unsigned short id1, id2;
34452 @@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34453 "Found PHY %04x:%04x at address %d.\n",
34454 id1, id2, i);
34455 }
34456 - lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
34457 + lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
34458 if (lp->phycount > 1) {
34459 lp->options |= PCNET32_PORT_MII;
34460 }
34461 @@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
34462 }
34463
34464 /* Reset the PCNET32 */
34465 - lp->a.reset(ioaddr);
34466 + lp->a->reset(ioaddr);
34467
34468 /* switch pcnet32 to 32bit mode */
34469 - lp->a.write_bcr(ioaddr, 20, 2);
34470 + lp->a->write_bcr(ioaddr, 20, 2);
34471
34472 if (netif_msg_ifup(lp))
34473 printk(KERN_DEBUG
34474 @@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
34475 (u32) (lp->init_dma_addr));
34476
34477 /* set/reset autoselect bit */
34478 - val = lp->a.read_bcr(ioaddr, 2) & ~2;
34479 + val = lp->a->read_bcr(ioaddr, 2) & ~2;
34480 if (lp->options & PCNET32_PORT_ASEL)
34481 val |= 2;
34482 - lp->a.write_bcr(ioaddr, 2, val);
34483 + lp->a->write_bcr(ioaddr, 2, val);
34484
34485 /* handle full duplex setting */
34486 if (lp->mii_if.full_duplex) {
34487 - val = lp->a.read_bcr(ioaddr, 9) & ~3;
34488 + val = lp->a->read_bcr(ioaddr, 9) & ~3;
34489 if (lp->options & PCNET32_PORT_FD) {
34490 val |= 1;
34491 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
34492 @@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
34493 if (lp->chip_version == 0x2627)
34494 val |= 3;
34495 }
34496 - lp->a.write_bcr(ioaddr, 9, val);
34497 + lp->a->write_bcr(ioaddr, 9, val);
34498 }
34499
34500 /* set/reset GPSI bit in test register */
34501 - val = lp->a.read_csr(ioaddr, 124) & ~0x10;
34502 + val = lp->a->read_csr(ioaddr, 124) & ~0x10;
34503 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
34504 val |= 0x10;
34505 - lp->a.write_csr(ioaddr, 124, val);
34506 + lp->a->write_csr(ioaddr, 124, val);
34507
34508 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
34509 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
34510 @@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
34511 * duplex, and/or enable auto negotiation, and clear DANAS
34512 */
34513 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
34514 - lp->a.write_bcr(ioaddr, 32,
34515 - lp->a.read_bcr(ioaddr, 32) | 0x0080);
34516 + lp->a->write_bcr(ioaddr, 32,
34517 + lp->a->read_bcr(ioaddr, 32) | 0x0080);
34518 /* disable Auto Negotiation, set 10Mpbs, HD */
34519 - val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
34520 + val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
34521 if (lp->options & PCNET32_PORT_FD)
34522 val |= 0x10;
34523 if (lp->options & PCNET32_PORT_100)
34524 val |= 0x08;
34525 - lp->a.write_bcr(ioaddr, 32, val);
34526 + lp->a->write_bcr(ioaddr, 32, val);
34527 } else {
34528 if (lp->options & PCNET32_PORT_ASEL) {
34529 - lp->a.write_bcr(ioaddr, 32,
34530 - lp->a.read_bcr(ioaddr,
34531 + lp->a->write_bcr(ioaddr, 32,
34532 + lp->a->read_bcr(ioaddr,
34533 32) | 0x0080);
34534 /* enable auto negotiate, setup, disable fd */
34535 - val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
34536 + val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
34537 val |= 0x20;
34538 - lp->a.write_bcr(ioaddr, 32, val);
34539 + lp->a->write_bcr(ioaddr, 32, val);
34540 }
34541 }
34542 } else {
34543 @@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
34544 * There is really no good other way to handle multiple PHYs
34545 * other than turning off all automatics
34546 */
34547 - val = lp->a.read_bcr(ioaddr, 2);
34548 - lp->a.write_bcr(ioaddr, 2, val & ~2);
34549 - val = lp->a.read_bcr(ioaddr, 32);
34550 - lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
34551 + val = lp->a->read_bcr(ioaddr, 2);
34552 + lp->a->write_bcr(ioaddr, 2, val & ~2);
34553 + val = lp->a->read_bcr(ioaddr, 32);
34554 + lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
34555
34556 if (!(lp->options & PCNET32_PORT_ASEL)) {
34557 /* setup ecmd */
34558 @@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
34559 ecmd.speed =
34560 lp->
34561 options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
34562 - bcr9 = lp->a.read_bcr(ioaddr, 9);
34563 + bcr9 = lp->a->read_bcr(ioaddr, 9);
34564
34565 if (lp->options & PCNET32_PORT_FD) {
34566 ecmd.duplex = DUPLEX_FULL;
34567 @@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
34568 ecmd.duplex = DUPLEX_HALF;
34569 bcr9 |= ~(1 << 0);
34570 }
34571 - lp->a.write_bcr(ioaddr, 9, bcr9);
34572 + lp->a->write_bcr(ioaddr, 9, bcr9);
34573 }
34574
34575 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
34576 @@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
34577
34578 #ifdef DO_DXSUFLO
34579 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
34580 - val = lp->a.read_csr(ioaddr, CSR3);
34581 + val = lp->a->read_csr(ioaddr, CSR3);
34582 val |= 0x40;
34583 - lp->a.write_csr(ioaddr, CSR3, val);
34584 + lp->a->write_csr(ioaddr, CSR3, val);
34585 }
34586 #endif
34587
34588 @@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
34589 napi_enable(&lp->napi);
34590
34591 /* Re-initialize the PCNET32, and start it when done. */
34592 - lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
34593 - lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
34594 + lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
34595 + lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
34596
34597 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34598 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
34599 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34600 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
34601
34602 netif_start_queue(dev);
34603
34604 @@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
34605
34606 i = 0;
34607 while (i++ < 100)
34608 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
34609 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
34610 break;
34611 /*
34612 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
34613 * reports that doing so triggers a bug in the '974.
34614 */
34615 - lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
34616 + lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
34617
34618 if (netif_msg_ifup(lp))
34619 printk(KERN_DEBUG
34620 "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
34621 dev->name, i,
34622 (u32) (lp->init_dma_addr),
34623 - lp->a.read_csr(ioaddr, CSR0));
34624 + lp->a->read_csr(ioaddr, CSR0));
34625
34626 spin_unlock_irqrestore(&lp->lock, flags);
34627
34628 @@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
34629 * Switch back to 16bit mode to avoid problems with dumb
34630 * DOS packet driver after a warm reboot
34631 */
34632 - lp->a.write_bcr(ioaddr, 20, 4);
34633 + lp->a->write_bcr(ioaddr, 20, 4);
34634
34635 err_free_irq:
34636 spin_unlock_irqrestore(&lp->lock, flags);
34637 @@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
34638
34639 /* wait for stop */
34640 for (i = 0; i < 100; i++)
34641 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
34642 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
34643 break;
34644
34645 if (i >= 100 && netif_msg_drv(lp))
34646 @@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
34647 return;
34648
34649 /* ReInit Ring */
34650 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
34651 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
34652 i = 0;
34653 while (i++ < 1000)
34654 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
34655 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
34656 break;
34657
34658 - lp->a.write_csr(ioaddr, CSR0, csr0_bits);
34659 + lp->a->write_csr(ioaddr, CSR0, csr0_bits);
34660 }
34661
34662 static void pcnet32_tx_timeout(struct net_device *dev)
34663 @@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
34664 if (pcnet32_debug & NETIF_MSG_DRV)
34665 printk(KERN_ERR
34666 "%s: transmit timed out, status %4.4x, resetting.\n",
34667 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34668 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34669 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34670 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34671 dev->stats.tx_errors++;
34672 if (netif_msg_tx_err(lp)) {
34673 int i;
34674 @@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
34675 if (netif_msg_tx_queued(lp)) {
34676 printk(KERN_DEBUG
34677 "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
34678 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34679 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34680 }
34681
34682 /* Default status -- will not enable Successful-TxDone
34683 @@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
34684 dev->stats.tx_bytes += skb->len;
34685
34686 /* Trigger an immediate send poll. */
34687 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
34688 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
34689
34690 dev->trans_start = jiffies;
34691
34692 @@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
34693
34694 spin_lock(&lp->lock);
34695
34696 - csr0 = lp->a.read_csr(ioaddr, CSR0);
34697 + csr0 = lp->a->read_csr(ioaddr, CSR0);
34698 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
34699 if (csr0 == 0xffff) {
34700 break; /* PCMCIA remove happened */
34701 }
34702 /* Acknowledge all of the current interrupt sources ASAP. */
34703 - lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
34704 + lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
34705
34706 if (netif_msg_intr(lp))
34707 printk(KERN_DEBUG
34708 "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
34709 - dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
34710 + dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
34711
34712 /* Log misc errors. */
34713 if (csr0 & 0x4000)
34714 @@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
34715 if (napi_schedule_prep(&lp->napi)) {
34716 u16 val;
34717 /* set interrupt masks */
34718 - val = lp->a.read_csr(ioaddr, CSR3);
34719 + val = lp->a->read_csr(ioaddr, CSR3);
34720 val |= 0x5f00;
34721 - lp->a.write_csr(ioaddr, CSR3, val);
34722 + lp->a->write_csr(ioaddr, CSR3, val);
34723
34724 __napi_schedule(&lp->napi);
34725 break;
34726 }
34727 - csr0 = lp->a.read_csr(ioaddr, CSR0);
34728 + csr0 = lp->a->read_csr(ioaddr, CSR0);
34729 }
34730
34731 if (netif_msg_intr(lp))
34732 printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
34733 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34734 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34735
34736 spin_unlock(&lp->lock);
34737
34738 @@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
34739
34740 spin_lock_irqsave(&lp->lock, flags);
34741
34742 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
34743 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
34744
34745 if (netif_msg_ifdown(lp))
34746 printk(KERN_DEBUG
34747 "%s: Shutting down ethercard, status was %2.2x.\n",
34748 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34749 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34750
34751 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
34752 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34753 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34754
34755 /*
34756 * Switch back to 16bit mode to avoid problems with dumb
34757 * DOS packet driver after a warm reboot
34758 */
34759 - lp->a.write_bcr(ioaddr, 20, 4);
34760 + lp->a->write_bcr(ioaddr, 20, 4);
34761
34762 spin_unlock_irqrestore(&lp->lock, flags);
34763
34764 @@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
34765 unsigned long flags;
34766
34767 spin_lock_irqsave(&lp->lock, flags);
34768 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
34769 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
34770 spin_unlock_irqrestore(&lp->lock, flags);
34771
34772 return &dev->stats;
34773 @@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
34774 if (dev->flags & IFF_ALLMULTI) {
34775 ib->filter[0] = cpu_to_le32(~0U);
34776 ib->filter[1] = cpu_to_le32(~0U);
34777 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
34778 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
34779 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
34780 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
34781 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
34782 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
34783 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
34784 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
34785 return;
34786 }
34787 /* clear the multicast filter */
34788 @@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
34789 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
34790 }
34791 for (i = 0; i < 4; i++)
34792 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
34793 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
34794 le16_to_cpu(mcast_table[i]));
34795 return;
34796 }
34797 @@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
34798
34799 spin_lock_irqsave(&lp->lock, flags);
34800 suspended = pcnet32_suspend(dev, &flags, 0);
34801 - csr15 = lp->a.read_csr(ioaddr, CSR15);
34802 + csr15 = lp->a->read_csr(ioaddr, CSR15);
34803 if (dev->flags & IFF_PROMISC) {
34804 /* Log any net taps. */
34805 if (netif_msg_hw(lp))
34806 @@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
34807 lp->init_block->mode =
34808 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
34809 7);
34810 - lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
34811 + lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
34812 } else {
34813 lp->init_block->mode =
34814 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
34815 - lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
34816 + lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
34817 pcnet32_load_multicast(dev);
34818 }
34819
34820 if (suspended) {
34821 int csr5;
34822 /* clear SUSPEND (SPND) - CSR5 bit 0 */
34823 - csr5 = lp->a.read_csr(ioaddr, CSR5);
34824 - lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
34825 + csr5 = lp->a->read_csr(ioaddr, CSR5);
34826 + lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
34827 } else {
34828 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34829 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34830 pcnet32_restart(dev, CSR0_NORMAL);
34831 netif_wake_queue(dev);
34832 }
34833 @@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
34834 if (!lp->mii)
34835 return 0;
34836
34837 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34838 - val_out = lp->a.read_bcr(ioaddr, 34);
34839 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34840 + val_out = lp->a->read_bcr(ioaddr, 34);
34841
34842 return val_out;
34843 }
34844 @@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
34845 if (!lp->mii)
34846 return;
34847
34848 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34849 - lp->a.write_bcr(ioaddr, 34, val);
34850 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34851 + lp->a->write_bcr(ioaddr, 34, val);
34852 }
34853
34854 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
34855 @@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
34856 curr_link = mii_link_ok(&lp->mii_if);
34857 } else {
34858 ulong ioaddr = dev->base_addr; /* card base I/O address */
34859 - curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
34860 + curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
34861 }
34862 if (!curr_link) {
34863 if (prev_link || verbose) {
34864 @@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
34865 (ecmd.duplex ==
34866 DUPLEX_FULL) ? "full" : "half");
34867 }
34868 - bcr9 = lp->a.read_bcr(dev->base_addr, 9);
34869 + bcr9 = lp->a->read_bcr(dev->base_addr, 9);
34870 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
34871 if (lp->mii_if.full_duplex)
34872 bcr9 |= (1 << 0);
34873 else
34874 bcr9 &= ~(1 << 0);
34875 - lp->a.write_bcr(dev->base_addr, 9, bcr9);
34876 + lp->a->write_bcr(dev->base_addr, 9, bcr9);
34877 }
34878 } else {
34879 if (netif_msg_link(lp))
34880 diff -urNp linux-2.6.32.43/drivers/net/tg3.h linux-2.6.32.43/drivers/net/tg3.h
34881 --- linux-2.6.32.43/drivers/net/tg3.h 2011-03-27 14:31:47.000000000 -0400
34882 +++ linux-2.6.32.43/drivers/net/tg3.h 2011-04-17 15:56:46.000000000 -0400
34883 @@ -95,6 +95,7 @@
34884 #define CHIPREV_ID_5750_A0 0x4000
34885 #define CHIPREV_ID_5750_A1 0x4001
34886 #define CHIPREV_ID_5750_A3 0x4003
34887 +#define CHIPREV_ID_5750_C1 0x4201
34888 #define CHIPREV_ID_5750_C2 0x4202
34889 #define CHIPREV_ID_5752_A0_HW 0x5000
34890 #define CHIPREV_ID_5752_A0 0x6000
34891 diff -urNp linux-2.6.32.43/drivers/net/tokenring/abyss.c linux-2.6.32.43/drivers/net/tokenring/abyss.c
34892 --- linux-2.6.32.43/drivers/net/tokenring/abyss.c 2011-03-27 14:31:47.000000000 -0400
34893 +++ linux-2.6.32.43/drivers/net/tokenring/abyss.c 2011-08-05 20:33:55.000000000 -0400
34894 @@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
34895
34896 static int __init abyss_init (void)
34897 {
34898 - abyss_netdev_ops = tms380tr_netdev_ops;
34899 + pax_open_kernel();
34900 + memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34901
34902 - abyss_netdev_ops.ndo_open = abyss_open;
34903 - abyss_netdev_ops.ndo_stop = abyss_close;
34904 + *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
34905 + *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
34906 + pax_close_kernel();
34907
34908 return pci_register_driver(&abyss_driver);
34909 }
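Review bot: The `memcpy((void *)&abyss_netdev_ops, ...)` call and the `*(void **)&abyss_netdev_ops.ndo_open` stores cast away the object's qualifiers with no comment saying why, so the init path reads like a bug to the next maintainer. A short comment above `pax_open_kernel()` would do, e.g. `/* abyss_netdev_ops is write-protected; fill it in once, inside the open/close window */` (the declaration is outside the hunk, so the const-ness is inferred from the casts). The copy is sized by the source, `sizeof(tms380tr_netdev_ops)`; sizing it by the destination, `sizeof(abyss_netdev_ops)`, keeps the bound tied to the object being written. The same pattern appears in madgemc_init, proteon_init and sk_isa_init.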
34910 diff -urNp linux-2.6.32.43/drivers/net/tokenring/madgemc.c linux-2.6.32.43/drivers/net/tokenring/madgemc.c
34911 --- linux-2.6.32.43/drivers/net/tokenring/madgemc.c 2011-03-27 14:31:47.000000000 -0400
34912 +++ linux-2.6.32.43/drivers/net/tokenring/madgemc.c 2011-08-05 20:33:55.000000000 -0400
34913 @@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
34914
34915 static int __init madgemc_init (void)
34916 {
34917 - madgemc_netdev_ops = tms380tr_netdev_ops;
34918 - madgemc_netdev_ops.ndo_open = madgemc_open;
34919 - madgemc_netdev_ops.ndo_stop = madgemc_close;
34920 + pax_open_kernel();
34921 + memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34922 + *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
34923 + *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
34924 + pax_close_kernel();
34925
34926 return mca_register_driver (&madgemc_driver);
34927 }
34928 diff -urNp linux-2.6.32.43/drivers/net/tokenring/proteon.c linux-2.6.32.43/drivers/net/tokenring/proteon.c
34929 --- linux-2.6.32.43/drivers/net/tokenring/proteon.c 2011-03-27 14:31:47.000000000 -0400
34930 +++ linux-2.6.32.43/drivers/net/tokenring/proteon.c 2011-08-05 20:33:55.000000000 -0400
34931 @@ -353,9 +353,11 @@ static int __init proteon_init(void)
34932 struct platform_device *pdev;
34933 int i, num = 0, err = 0;
34934
34935 - proteon_netdev_ops = tms380tr_netdev_ops;
34936 - proteon_netdev_ops.ndo_open = proteon_open;
34937 - proteon_netdev_ops.ndo_stop = tms380tr_close;
34938 + pax_open_kernel();
34939 + memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34940 + *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
34941 + *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
34942 + pax_close_kernel();
34943
34944 err = platform_driver_register(&proteon_driver);
34945 if (err)
34946 diff -urNp linux-2.6.32.43/drivers/net/tokenring/skisa.c linux-2.6.32.43/drivers/net/tokenring/skisa.c
34947 --- linux-2.6.32.43/drivers/net/tokenring/skisa.c 2011-03-27 14:31:47.000000000 -0400
34948 +++ linux-2.6.32.43/drivers/net/tokenring/skisa.c 2011-08-05 20:33:55.000000000 -0400
34949 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
34950 struct platform_device *pdev;
34951 int i, num = 0, err = 0;
34952
34953 - sk_isa_netdev_ops = tms380tr_netdev_ops;
34954 - sk_isa_netdev_ops.ndo_open = sk_isa_open;
34955 - sk_isa_netdev_ops.ndo_stop = tms380tr_close;
34956 + pax_open_kernel();
34957 + memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34958 + *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
34959 + *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
34960 + pax_close_kernel();
34961
34962 err = platform_driver_register(&sk_isa_driver);
34963 if (err)
34964 diff -urNp linux-2.6.32.43/drivers/net/tulip/de2104x.c linux-2.6.32.43/drivers/net/tulip/de2104x.c
34965 --- linux-2.6.32.43/drivers/net/tulip/de2104x.c 2011-03-27 14:31:47.000000000 -0400
34966 +++ linux-2.6.32.43/drivers/net/tulip/de2104x.c 2011-05-16 21:46:57.000000000 -0400
34967 @@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
34968 struct de_srom_info_leaf *il;
34969 void *bufp;
34970
34971 + pax_track_stack();
34972 +
34973 /* download entire eeprom */
34974 for (i = 0; i < DE_EEPROM_WORDS; i++)
34975 ((__le16 *)ee_data)[i] =
34976 diff -urNp linux-2.6.32.43/drivers/net/tulip/de4x5.c linux-2.6.32.43/drivers/net/tulip/de4x5.c
34977 --- linux-2.6.32.43/drivers/net/tulip/de4x5.c 2011-03-27 14:31:47.000000000 -0400
34978 +++ linux-2.6.32.43/drivers/net/tulip/de4x5.c 2011-04-17 15:56:46.000000000 -0400
34979 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
34980 for (i=0; i<ETH_ALEN; i++) {
34981 tmp.addr[i] = dev->dev_addr[i];
34982 }
34983 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
34984 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
34985 break;
34986
34987 case DE4X5_SET_HWADDR: /* Set the hardware address */
34988 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
34989 spin_lock_irqsave(&lp->lock, flags);
34990 memcpy(&statbuf, &lp->pktStats, ioc->len);
34991 spin_unlock_irqrestore(&lp->lock, flags);
34992 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
34993 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
34994 return -EFAULT;
34995 break;
34996 }
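Review bot: The added `ioc->len > sizeof statbuf` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)`, so an oversized caller-supplied length has already overrun `statbuf` by the time it is rejected. The bound needs to move ahead of the copy, before `spin_lock_irqsave`: `if (ioc->len > sizeof statbuf) return -EINVAL;`. The case body starts outside the hunk, so the declaration of `statbuf` is not visible here. The DE4X5_GET_HWADDR hunk above places its check before the copy, but it also reports an oversized length as -EFAULT rather than -EINVAL.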
34997 diff -urNp linux-2.6.32.43/drivers/net/usb/hso.c linux-2.6.32.43/drivers/net/usb/hso.c
34998 --- linux-2.6.32.43/drivers/net/usb/hso.c 2011-03-27 14:31:47.000000000 -0400
34999 +++ linux-2.6.32.43/drivers/net/usb/hso.c 2011-04-17 15:56:46.000000000 -0400
35000 @@ -71,7 +71,7 @@
35001 #include <asm/byteorder.h>
35002 #include <linux/serial_core.h>
35003 #include <linux/serial.h>
35004 -
35005 +#include <asm/local.h>
35006
35007 #define DRIVER_VERSION "1.2"
35008 #define MOD_AUTHOR "Option Wireless"
35009 @@ -258,7 +258,7 @@ struct hso_serial {
35010
35011 /* from usb_serial_port */
35012 struct tty_struct *tty;
35013 - int open_count;
35014 + local_t open_count;
35015 spinlock_t serial_lock;
35016
35017 int (*write_data) (struct hso_serial *serial);
35018 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
35019 struct urb *urb;
35020
35021 urb = serial->rx_urb[0];
35022 - if (serial->open_count > 0) {
35023 + if (local_read(&serial->open_count) > 0) {
35024 count = put_rxbuf_data(urb, serial);
35025 if (count == -1)
35026 return;
35027 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
35028 DUMP1(urb->transfer_buffer, urb->actual_length);
35029
35030 /* Anyone listening? */
35031 - if (serial->open_count == 0)
35032 + if (local_read(&serial->open_count) == 0)
35033 return;
35034
35035 if (status == 0) {
35036 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
35037 spin_unlock_irq(&serial->serial_lock);
35038
35039 /* check for port already opened, if not set the termios */
35040 - serial->open_count++;
35041 - if (serial->open_count == 1) {
35042 + if (local_inc_return(&serial->open_count) == 1) {
35043 tty->low_latency = 1;
35044 serial->rx_state = RX_IDLE;
35045 /* Force default termio settings */
35046 @@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
35047 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
35048 if (result) {
35049 hso_stop_serial_device(serial->parent);
35050 - serial->open_count--;
35051 + local_dec(&serial->open_count);
35052 kref_put(&serial->parent->ref, hso_serial_ref_free);
35053 }
35054 } else {
35055 @@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
35056
35057 /* reset the rts and dtr */
35058 /* do the actual close */
35059 - serial->open_count--;
35060 + local_dec(&serial->open_count);
35061
35062 - if (serial->open_count <= 0) {
35063 - serial->open_count = 0;
35064 + if (local_read(&serial->open_count) <= 0) {
35065 + local_set(&serial->open_count, 0);
35066 spin_lock_irq(&serial->serial_lock);
35067 if (serial->tty == tty) {
35068 serial->tty->driver_data = NULL;
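Review bot: `local_dec(&serial->open_count)` followed by a separate `local_read()` and `local_set(..., 0)` is three independent operations, so the close path can act on a value that another context changed in between. hso_serial_open already uses the combined form `local_inc_return()`; `if (local_dec_return(&serial->open_count) <= 0) {` would match it here. local_t operations are documented as atomic only with respect to the current CPU, and the other hunks show open_count read from what appear to be URB completion paths as well as tty open/close. It is worth confirming that every access is serialised by a lock, or using atomic_t instead. hso_serial_close continues outside the hunk.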
35069 @@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
35070
35071 /* the actual setup */
35072 spin_lock_irqsave(&serial->serial_lock, flags);
35073 - if (serial->open_count)
35074 + if (local_read(&serial->open_count))
35075 _hso_serial_set_termios(tty, old);
35076 else
35077 tty->termios = old;
35078 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
35079 /* Start all serial ports */
35080 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
35081 if (serial_table[i] && (serial_table[i]->interface == iface)) {
35082 - if (dev2ser(serial_table[i])->open_count) {
35083 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
35084 result =
35085 hso_start_serial_device(serial_table[i], GFP_NOIO);
35086 hso_kick_transmit(dev2ser(serial_table[i]));
35087 diff -urNp linux-2.6.32.43/drivers/net/vxge/vxge-config.h linux-2.6.32.43/drivers/net/vxge/vxge-config.h
35088 --- linux-2.6.32.43/drivers/net/vxge/vxge-config.h 2011-03-27 14:31:47.000000000 -0400
35089 +++ linux-2.6.32.43/drivers/net/vxge/vxge-config.h 2011-08-05 20:33:55.000000000 -0400
35090 @@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
35091 void (*link_down)(struct __vxge_hw_device *devh);
35092 void (*crit_err)(struct __vxge_hw_device *devh,
35093 enum vxge_hw_event type, u64 ext_data);
35094 -};
35095 +} __no_const;
35096
35097 /*
35098 * struct __vxge_hw_blockpool_entry - Block private data structure
35099 diff -urNp linux-2.6.32.43/drivers/net/vxge/vxge-main.c linux-2.6.32.43/drivers/net/vxge/vxge-main.c
35100 --- linux-2.6.32.43/drivers/net/vxge/vxge-main.c 2011-03-27 14:31:47.000000000 -0400
35101 +++ linux-2.6.32.43/drivers/net/vxge/vxge-main.c 2011-05-16 21:46:57.000000000 -0400
35102 @@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
35103 struct sk_buff *completed[NR_SKB_COMPLETED];
35104 int more;
35105
35106 + pax_track_stack();
35107 +
35108 do {
35109 more = 0;
35110 skb_ptr = completed;
35111 @@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
35112 u8 mtable[256] = {0}; /* CPU to vpath mapping */
35113 int index;
35114
35115 + pax_track_stack();
35116 +
35117 /*
35118 * Filling
35119 * - itable with bucket numbers
35120 diff -urNp linux-2.6.32.43/drivers/net/vxge/vxge-traffic.h linux-2.6.32.43/drivers/net/vxge/vxge-traffic.h
35121 --- linux-2.6.32.43/drivers/net/vxge/vxge-traffic.h 2011-03-27 14:31:47.000000000 -0400
35122 +++ linux-2.6.32.43/drivers/net/vxge/vxge-traffic.h 2011-08-05 20:33:55.000000000 -0400
35123 @@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
35124 struct vxge_hw_mempool_dma *dma_object,
35125 u32 index,
35126 u32 is_last);
35127 -};
35128 +} __no_const;
35129
35130 void
35131 __vxge_hw_mempool_destroy(
35132 diff -urNp linux-2.6.32.43/drivers/net/wan/cycx_x25.c linux-2.6.32.43/drivers/net/wan/cycx_x25.c
35133 --- linux-2.6.32.43/drivers/net/wan/cycx_x25.c 2011-03-27 14:31:47.000000000 -0400
35134 +++ linux-2.6.32.43/drivers/net/wan/cycx_x25.c 2011-05-16 21:46:57.000000000 -0400
35135 @@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
35136 unsigned char hex[1024],
35137 * phex = hex;
35138
35139 + pax_track_stack();
35140 +
35141 if (len >= (sizeof(hex) / 2))
35142 len = (sizeof(hex) / 2) - 1;
35143
35144 diff -urNp linux-2.6.32.43/drivers/net/wan/hdlc_x25.c linux-2.6.32.43/drivers/net/wan/hdlc_x25.c
35145 --- linux-2.6.32.43/drivers/net/wan/hdlc_x25.c 2011-03-27 14:31:47.000000000 -0400
35146 +++ linux-2.6.32.43/drivers/net/wan/hdlc_x25.c 2011-08-05 20:33:55.000000000 -0400
35147 @@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
35148
35149 static int x25_open(struct net_device *dev)
35150 {
35151 - struct lapb_register_struct cb;
35152 + static struct lapb_register_struct cb = {
35153 + .connect_confirmation = x25_connected,
35154 + .connect_indication = x25_connected,
35155 + .disconnect_confirmation = x25_disconnected,
35156 + .disconnect_indication = x25_disconnected,
35157 + .data_indication = x25_data_indication,
35158 + .data_transmit = x25_data_transmit
35159 + };
35160 int result;
35161
35162 - cb.connect_confirmation = x25_connected;
35163 - cb.connect_indication = x25_connected;
35164 - cb.disconnect_confirmation = x25_disconnected;
35165 - cb.disconnect_indication = x25_disconnected;
35166 - cb.data_indication = x25_data_indication;
35167 - cb.data_transmit = x25_data_transmit;
35168 -
35169 result = lapb_register(dev, &cb);
35170 if (result != LAPB_OK)
35171 return result;
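Review bot: The callback table in `x25_open` is now one `static` object shared by every open of every device, but it stays writable and nothing says it must never be modified. All six initialised members are fixed function pointers, so it could be declared `static const struct lapb_register_struct cb` if `lapb_register()` accepts a const pointer (its prototype is not visible in this hunk). Otherwise add a comment such as `/* shared by all devices; never written after initialisation */`. The end of `x25_open` lies outside the hunk.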
35172 diff -urNp linux-2.6.32.43/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.43/drivers/net/wimax/i2400m/usb-fw.c
35173 --- linux-2.6.32.43/drivers/net/wimax/i2400m/usb-fw.c 2011-03-27 14:31:47.000000000 -0400
35174 +++ linux-2.6.32.43/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:46:57.000000000 -0400
35175 @@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
35176 int do_autopm = 1;
35177 DECLARE_COMPLETION_ONSTACK(notif_completion);
35178
35179 + pax_track_stack();
35180 +
35181 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
35182 i2400m, ack, ack_size);
35183 BUG_ON(_ack == i2400m->bm_ack_buf);
35184 diff -urNp linux-2.6.32.43/drivers/net/wireless/airo.c linux-2.6.32.43/drivers/net/wireless/airo.c
35185 --- linux-2.6.32.43/drivers/net/wireless/airo.c 2011-03-27 14:31:47.000000000 -0400
35186 +++ linux-2.6.32.43/drivers/net/wireless/airo.c 2011-05-16 21:46:57.000000000 -0400
35187 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
35188 BSSListElement * loop_net;
35189 BSSListElement * tmp_net;
35190
35191 + pax_track_stack();
35192 +
35193 /* Blow away current list of scan results */
35194 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
35195 list_move_tail (&loop_net->list, &ai->network_free_list);
35196 @@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
35197 WepKeyRid wkr;
35198 int rc;
35199
35200 + pax_track_stack();
35201 +
35202 memset( &mySsid, 0, sizeof( mySsid ) );
35203 kfree (ai->flash);
35204 ai->flash = NULL;
35205 @@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
35206 __le32 *vals = stats.vals;
35207 int len;
35208
35209 + pax_track_stack();
35210 +
35211 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35212 return -ENOMEM;
35213 data = (struct proc_data *)file->private_data;
35214 @@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
35215 /* If doLoseSync is not 1, we won't do a Lose Sync */
35216 int doLoseSync = -1;
35217
35218 + pax_track_stack();
35219 +
35220 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
35221 return -ENOMEM;
35222 data = (struct proc_data *)file->private_data;
35223 @@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
35224 int i;
35225 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
35226
35227 + pax_track_stack();
35228 +
35229 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
35230 if (!qual)
35231 return -ENOMEM;
35232 @@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
35233 CapabilityRid cap_rid;
35234 __le32 *vals = stats_rid.vals;
35235
35236 + pax_track_stack();
35237 +
35238 /* Get stats out of the card */
35239 clear_bit(JOB_WSTATS, &local->jobs);
35240 if (local->power.event) {
35241 diff -urNp linux-2.6.32.43/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.43/drivers/net/wireless/ath/ath5k/debug.c
35242 --- linux-2.6.32.43/drivers/net/wireless/ath/ath5k/debug.c 2011-03-27 14:31:47.000000000 -0400
35243 +++ linux-2.6.32.43/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:46:57.000000000 -0400
35244 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
35245 unsigned int v;
35246 u64 tsf;
35247
35248 + pax_track_stack();
35249 +
35250 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
35251 len += snprintf(buf+len, sizeof(buf)-len,
35252 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
35253 @@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
35254 unsigned int len = 0;
35255 unsigned int i;
35256
35257 + pax_track_stack();
35258 +
35259 len += snprintf(buf+len, sizeof(buf)-len,
35260 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
35261
35262 diff -urNp linux-2.6.32.43/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.43/drivers/net/wireless/ath/ath9k/debug.c
35263 --- linux-2.6.32.43/drivers/net/wireless/ath/ath9k/debug.c 2011-03-27 14:31:47.000000000 -0400
35264 +++ linux-2.6.32.43/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:46:57.000000000 -0400
35265 @@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
35266 char buf[512];
35267 unsigned int len = 0;
35268
35269 + pax_track_stack();
35270 +
35271 len += snprintf(buf + len, sizeof(buf) - len,
35272 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
35273 len += snprintf(buf + len, sizeof(buf) - len,
35274 @@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
35275 int i;
35276 u8 addr[ETH_ALEN];
35277
35278 + pax_track_stack();
35279 +
35280 len += snprintf(buf + len, sizeof(buf) - len,
35281 "primary: %s (%s chan=%d ht=%d)\n",
35282 wiphy_name(sc->pri_wiphy->hw->wiphy),
35283 diff -urNp linux-2.6.32.43/drivers/net/wireless/b43/debugfs.c linux-2.6.32.43/drivers/net/wireless/b43/debugfs.c
35284 --- linux-2.6.32.43/drivers/net/wireless/b43/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35285 +++ linux-2.6.32.43/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35286 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
35287 struct b43_debugfs_fops {
35288 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
35289 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
35290 - struct file_operations fops;
35291 + const struct file_operations fops;
35292 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
35293 size_t file_struct_offset;
35294 };
35295 diff -urNp linux-2.6.32.43/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.43/drivers/net/wireless/b43legacy/debugfs.c
35296 --- linux-2.6.32.43/drivers/net/wireless/b43legacy/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35297 +++ linux-2.6.32.43/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35298 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
35299 struct b43legacy_debugfs_fops {
35300 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
35301 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
35302 - struct file_operations fops;
35303 + const struct file_operations fops;
35304 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
35305 size_t file_struct_offset;
35306 /* Take wl->irq_lock before calling read/write? */
35307 diff -urNp linux-2.6.32.43/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.43/drivers/net/wireless/ipw2x00/ipw2100.c
35308 --- linux-2.6.32.43/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-27 14:31:47.000000000 -0400
35309 +++ linux-2.6.32.43/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:46:57.000000000 -0400
35310 @@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
35311 int err;
35312 DECLARE_SSID_BUF(ssid);
35313
35314 + pax_track_stack();
35315 +
35316 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
35317
35318 if (ssid_len)
35319 @@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
35320 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
35321 int err;
35322
35323 + pax_track_stack();
35324 +
35325 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
35326 idx, keylen, len);
35327
35328 diff -urNp linux-2.6.32.43/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.43/drivers/net/wireless/ipw2x00/libipw_rx.c
35329 --- linux-2.6.32.43/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-27 14:31:47.000000000 -0400
35330 +++ linux-2.6.32.43/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:46:57.000000000 -0400
35331 @@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
35332 unsigned long flags;
35333 DECLARE_SSID_BUF(ssid);
35334
35335 + pax_track_stack();
35336 +
35337 LIBIPW_DEBUG_SCAN("'%s' (%pM"
35338 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
35339 print_ssid(ssid, info_element->data, info_element->len),
35340 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-1000.c
35341 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-03-27 14:31:47.000000000 -0400
35342 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-04-17 15:56:46.000000000 -0400
35343 @@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
35344 },
35345 };
35346
35347 -static struct iwl_ops iwl1000_ops = {
35348 +static const struct iwl_ops iwl1000_ops = {
35349 .ucode = &iwl5000_ucode,
35350 .lib = &iwl1000_lib,
35351 .hcmd = &iwl5000_hcmd,
35352 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl3945-base.c
35353 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-03-27 14:31:47.000000000 -0400
35354 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-08-05 20:33:55.000000000 -0400
35355 @@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
35356 */
35357 if (iwl3945_mod_params.disable_hw_scan) {
35358 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
35359 - iwl3945_hw_ops.hw_scan = NULL;
35360 + pax_open_kernel();
35361 + *(void **)&iwl3945_hw_ops.hw_scan = NULL;
35362 + pax_close_kernel();
35363 }
35364
35365
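Review bot: The store `*(void **)&iwl3945_hw_ops.hw_scan = NULL;` bypasses both the member's function-pointer type and any const qualification, and nothing in the hunk says why that is needed. A comment on the `pax_open_kernel()` line would help, for example `/* ops table is presumably read-only under KERNEXEC; open a write window for this single store */`, and the open/close pair should keep enclosing only that one assignment. The write changes a file-wide ops table during probe, so it applies to every device registered afterwards and not only the one being probed, which is worth stating in the same comment. The identical pattern in the `iwl_pci_probe` hunk of iwl-agn.c deserves the same comment; `iwl3945_pci_probe` itself extends beyond this hunk.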
35366 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-3945.c
35367 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-03-27 14:31:47.000000000 -0400
35368 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-04-17 15:56:46.000000000 -0400
35369 @@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
35370 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
35371 };
35372
35373 -static struct iwl_ops iwl3945_ops = {
35374 +static const struct iwl_ops iwl3945_ops = {
35375 .ucode = &iwl3945_ucode,
35376 .lib = &iwl3945_lib,
35377 .hcmd = &iwl3945_hcmd,
35378 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-4965.c
35379 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-03-27 14:31:47.000000000 -0400
35380 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-04-17 15:56:46.000000000 -0400
35381 @@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
35382 },
35383 };
35384
35385 -static struct iwl_ops iwl4965_ops = {
35386 +static const struct iwl_ops iwl4965_ops = {
35387 .ucode = &iwl4965_ucode,
35388 .lib = &iwl4965_lib,
35389 .hcmd = &iwl4965_hcmd,
35390 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-5000.c
35391 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:55:34.000000000 -0400
35392 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:56:37.000000000 -0400
35393 @@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
35394 },
35395 };
35396
35397 -struct iwl_ops iwl5000_ops = {
35398 +const struct iwl_ops iwl5000_ops = {
35399 .ucode = &iwl5000_ucode,
35400 .lib = &iwl5000_lib,
35401 .hcmd = &iwl5000_hcmd,
35402 .utils = &iwl5000_hcmd_utils,
35403 };
35404
35405 -static struct iwl_ops iwl5150_ops = {
35406 +static const struct iwl_ops iwl5150_ops = {
35407 .ucode = &iwl5000_ucode,
35408 .lib = &iwl5150_lib,
35409 .hcmd = &iwl5000_hcmd,
35410 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-6000.c
35411 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-03-27 14:31:47.000000000 -0400
35412 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-04-17 15:56:46.000000000 -0400
35413 @@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
35414 .calc_rssi = iwl5000_calc_rssi,
35415 };
35416
35417 -static struct iwl_ops iwl6000_ops = {
35418 +static const struct iwl_ops iwl6000_ops = {
35419 .ucode = &iwl5000_ucode,
35420 .lib = &iwl6000_lib,
35421 .hcmd = &iwl5000_hcmd,
35422 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn.c
35423 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-03-27 14:31:47.000000000 -0400
35424 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-08-05 20:33:55.000000000 -0400
35425 @@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
35426 if (iwl_debug_level & IWL_DL_INFO)
35427 dev_printk(KERN_DEBUG, &(pdev->dev),
35428 "Disabling hw_scan\n");
35429 - iwl_hw_ops.hw_scan = NULL;
35430 + pax_open_kernel();
35431 + *(void **)&iwl_hw_ops.hw_scan = NULL;
35432 + pax_close_kernel();
35433 }
35434
35435 hw = iwl_alloc_all(cfg, &iwl_hw_ops);
35436 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
35437 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-27 14:31:47.000000000 -0400
35438 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:46:57.000000000 -0400
35439 @@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
35440 u8 active_index = 0;
35441 s32 tpt = 0;
35442
35443 + pax_track_stack();
35444 +
35445 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
35446
35447 if (!ieee80211_is_data(hdr->frame_control) ||
35448 @@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
35449 u8 valid_tx_ant = 0;
35450 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
35451
35452 + pax_track_stack();
35453 +
35454 /* Override starting rate (index 0) if needed for debug purposes */
35455 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
35456
35457 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debugfs.c
35458 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-27 14:31:47.000000000 -0400
35459 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:46:57.000000000 -0400
35460 @@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
35461 int pos = 0;
35462 const size_t bufsz = sizeof(buf);
35463
35464 + pax_track_stack();
35465 +
35466 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
35467 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
35468 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
35469 @@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
35470 const size_t bufsz = sizeof(buf);
35471 ssize_t ret;
35472
35473 + pax_track_stack();
35474 +
35475 for (i = 0; i < AC_NUM; i++) {
35476 pos += scnprintf(buf + pos, bufsz - pos,
35477 "\tcw_min\tcw_max\taifsn\ttxop\n");
35478 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debug.h
35479 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-27 14:31:47.000000000 -0400
35480 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:56:46.000000000 -0400
35481 @@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
35482 #endif
35483
35484 #else
35485 -#define IWL_DEBUG(__priv, level, fmt, args...)
35486 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
35487 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
35488 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
35489 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
35490 void *p, u32 len)
35491 {}
35492 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-dev.h
35493 --- linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-03-27 14:31:47.000000000 -0400
35494 +++ linux-2.6.32.43/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-04-17 15:56:46.000000000 -0400
35495 @@ -68,7 +68,7 @@ struct iwl_tx_queue;
35496
35497 /* shared structures from iwl-5000.c */
35498 extern struct iwl_mod_params iwl50_mod_params;
35499 -extern struct iwl_ops iwl5000_ops;
35500 +extern const struct iwl_ops iwl5000_ops;
35501 extern struct iwl_ucode_ops iwl5000_ucode;
35502 extern struct iwl_lib_ops iwl5000_lib;
35503 extern struct iwl_hcmd_ops iwl5000_hcmd;
35504 diff -urNp linux-2.6.32.43/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.43/drivers/net/wireless/iwmc3200wifi/debugfs.c
35505 --- linux-2.6.32.43/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35506 +++ linux-2.6.32.43/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:46:57.000000000 -0400
35507 @@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
35508 int buf_len = 512;
35509 size_t len = 0;
35510
35511 + pax_track_stack();
35512 +
35513 if (*ppos != 0)
35514 return 0;
35515 if (count < sizeof(buf))
35516 diff -urNp linux-2.6.32.43/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.43/drivers/net/wireless/libertas/debugfs.c
35517 --- linux-2.6.32.43/drivers/net/wireless/libertas/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35518 +++ linux-2.6.32.43/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35519 @@ -708,7 +708,7 @@ out_unlock:
35520 struct lbs_debugfs_files {
35521 const char *name;
35522 int perm;
35523 - struct file_operations fops;
35524 + const struct file_operations fops;
35525 };
35526
35527 static const struct lbs_debugfs_files debugfs_files[] = {
35528 diff -urNp linux-2.6.32.43/drivers/net/wireless/rndis_wlan.c linux-2.6.32.43/drivers/net/wireless/rndis_wlan.c
35529 --- linux-2.6.32.43/drivers/net/wireless/rndis_wlan.c 2011-03-27 14:31:47.000000000 -0400
35530 +++ linux-2.6.32.43/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:56:46.000000000 -0400
35531 @@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
35532
35533 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
35534
35535 - if (rts_threshold < 0 || rts_threshold > 2347)
35536 + if (rts_threshold > 2347)
35537 rts_threshold = 2347;
35538
35539 tmp = cpu_to_le32(rts_threshold);
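Review bot: Dropping `rts_threshold < 0` is only correct if `rts_threshold` has an unsigned type, and its declaration is outside this hunk (the signature in the hunk header is truncated). If it is unsigned, the `devdbg` call above should print it with `%u` rather than `%i`; if it is signed, the removed test is still needed to keep negative values from reaching `cpu_to_le32()`. The literal 2347 appears twice and would read better as one named constant with a comment giving its origin.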
35540 diff -urNp linux-2.6.32.43/drivers/oprofile/buffer_sync.c linux-2.6.32.43/drivers/oprofile/buffer_sync.c
35541 --- linux-2.6.32.43/drivers/oprofile/buffer_sync.c 2011-03-27 14:31:47.000000000 -0400
35542 +++ linux-2.6.32.43/drivers/oprofile/buffer_sync.c 2011-04-17 15:56:46.000000000 -0400
35543 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
35544 if (cookie == NO_COOKIE)
35545 offset = pc;
35546 if (cookie == INVALID_COOKIE) {
35547 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
35548 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
35549 offset = pc;
35550 }
35551 if (cookie != last_cookie) {
35552 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
35553 /* add userspace sample */
35554
35555 if (!mm) {
35556 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
35557 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
35558 return 0;
35559 }
35560
35561 cookie = lookup_dcookie(mm, s->eip, &offset);
35562
35563 if (cookie == INVALID_COOKIE) {
35564 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
35565 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
35566 return 0;
35567 }
35568
35569 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
35570 /* ignore backtraces if failed to add a sample */
35571 if (state == sb_bt_start) {
35572 state = sb_bt_ignore;
35573 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
35574 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
35575 }
35576 }
35577 release_mm(mm);
35578 diff -urNp linux-2.6.32.43/drivers/oprofile/event_buffer.c linux-2.6.32.43/drivers/oprofile/event_buffer.c
35579 --- linux-2.6.32.43/drivers/oprofile/event_buffer.c 2011-03-27 14:31:47.000000000 -0400
35580 +++ linux-2.6.32.43/drivers/oprofile/event_buffer.c 2011-04-17 15:56:46.000000000 -0400
35581 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
35582 }
35583
35584 if (buffer_pos == buffer_size) {
35585 - atomic_inc(&oprofile_stats.event_lost_overflow);
35586 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
35587 return;
35588 }
35589
35590 diff -urNp linux-2.6.32.43/drivers/oprofile/oprof.c linux-2.6.32.43/drivers/oprofile/oprof.c
35591 --- linux-2.6.32.43/drivers/oprofile/oprof.c 2011-03-27 14:31:47.000000000 -0400
35592 +++ linux-2.6.32.43/drivers/oprofile/oprof.c 2011-04-17 15:56:46.000000000 -0400
35593 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
35594 if (oprofile_ops.switch_events())
35595 return;
35596
35597 - atomic_inc(&oprofile_stats.multiplex_counter);
35598 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
35599 start_switch_worker();
35600 }
35601
35602 diff -urNp linux-2.6.32.43/drivers/oprofile/oprofilefs.c linux-2.6.32.43/drivers/oprofile/oprofilefs.c
35603 --- linux-2.6.32.43/drivers/oprofile/oprofilefs.c 2011-03-27 14:31:47.000000000 -0400
35604 +++ linux-2.6.32.43/drivers/oprofile/oprofilefs.c 2011-04-17 15:56:46.000000000 -0400
35605 @@ -187,7 +187,7 @@ static const struct file_operations atom
35606
35607
35608 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
35609 - char const *name, atomic_t *val)
35610 + char const *name, atomic_unchecked_t *val)
35611 {
35612 struct dentry *d = __oprofilefs_create_file(sb, root, name,
35613 &atomic_ro_fops, 0444);
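Review bot: Only the parameter type of `oprofilefs_create_ro_atomic` changes in this file; the read handler behind `atomic_ro_fops` is not touched in this section of the patch. If that handler still treats the stored pointer as `atomic_t *` and calls `atomic_read()`, the mismatch is presumably hidden because the value reaches it through an untyped pointer, so the compiler will not flag it; it should use `atomic_unchecked_t *` with `atomic_read_unchecked()`. A comment on `struct oprofile_stat_struct` noting that these are wrap-tolerant statistics counters, not reference counts, would also record why they are exempt from overflow checking. The function body continues outside the hunk.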
35614 diff -urNp linux-2.6.32.43/drivers/oprofile/oprofile_stats.c linux-2.6.32.43/drivers/oprofile/oprofile_stats.c
35615 --- linux-2.6.32.43/drivers/oprofile/oprofile_stats.c 2011-03-27 14:31:47.000000000 -0400
35616 +++ linux-2.6.32.43/drivers/oprofile/oprofile_stats.c 2011-04-17 15:56:46.000000000 -0400
35617 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
35618 cpu_buf->sample_invalid_eip = 0;
35619 }
35620
35621 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
35622 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
35623 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
35624 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
35625 - atomic_set(&oprofile_stats.multiplex_counter, 0);
35626 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
35627 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
35628 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
35629 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
35630 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
35631 }
35632
35633
35634 diff -urNp linux-2.6.32.43/drivers/oprofile/oprofile_stats.h linux-2.6.32.43/drivers/oprofile/oprofile_stats.h
35635 --- linux-2.6.32.43/drivers/oprofile/oprofile_stats.h 2011-03-27 14:31:47.000000000 -0400
35636 +++ linux-2.6.32.43/drivers/oprofile/oprofile_stats.h 2011-04-17 15:56:46.000000000 -0400
35637 @@ -13,11 +13,11 @@
35638 #include <asm/atomic.h>
35639
35640 struct oprofile_stat_struct {
35641 - atomic_t sample_lost_no_mm;
35642 - atomic_t sample_lost_no_mapping;
35643 - atomic_t bt_lost_no_mapping;
35644 - atomic_t event_lost_overflow;
35645 - atomic_t multiplex_counter;
35646 + atomic_unchecked_t sample_lost_no_mm;
35647 + atomic_unchecked_t sample_lost_no_mapping;
35648 + atomic_unchecked_t bt_lost_no_mapping;
35649 + atomic_unchecked_t event_lost_overflow;
35650 + atomic_unchecked_t multiplex_counter;
35651 };
35652
35653 extern struct oprofile_stat_struct oprofile_stats;
35654 diff -urNp linux-2.6.32.43/drivers/parisc/pdc_stable.c linux-2.6.32.43/drivers/parisc/pdc_stable.c
35655 --- linux-2.6.32.43/drivers/parisc/pdc_stable.c 2011-03-27 14:31:47.000000000 -0400
35656 +++ linux-2.6.32.43/drivers/parisc/pdc_stable.c 2011-04-17 15:56:46.000000000 -0400
35657 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
35658 return ret;
35659 }
35660
35661 -static struct sysfs_ops pdcspath_attr_ops = {
35662 +static const struct sysfs_ops pdcspath_attr_ops = {
35663 .show = pdcspath_attr_show,
35664 .store = pdcspath_attr_store,
35665 };
35666 diff -urNp linux-2.6.32.43/drivers/parport/procfs.c linux-2.6.32.43/drivers/parport/procfs.c
35667 --- linux-2.6.32.43/drivers/parport/procfs.c 2011-03-27 14:31:47.000000000 -0400
35668 +++ linux-2.6.32.43/drivers/parport/procfs.c 2011-04-17 15:56:46.000000000 -0400
35669 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
35670
35671 *ppos += len;
35672
35673 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
35674 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
35675 }
35676
35677 #ifdef CONFIG_PARPORT_1284
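Review bot: The new `len > sizeof buffer` test runs after `*ppos += len;`, so a rejected read still advances the file position. It also only stops the over-long copy to user space: if `len` can exceed the buffer, the code that filled `buffer` earlier in the function (outside this hunk) has presumably already written past it. Checking first keeps the state consistent: `if (len > sizeof buffer) return -EFAULT;` placed above `*ppos += len;`. If `len` is a signed int, the comparison converts it to `size_t` and so rejects negative values too, which deserves a short comment if intended. The `do_autoprobe` hunk below has the same line in the same order.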
35678 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
35679
35680 *ppos += len;
35681
35682 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
35683 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
35684 }
35685 #endif /* IEEE1284.3 support. */
35686
35687 diff -urNp linux-2.6.32.43/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.43/drivers/pci/hotplug/acpiphp_glue.c
35688 --- linux-2.6.32.43/drivers/pci/hotplug/acpiphp_glue.c 2011-03-27 14:31:47.000000000 -0400
35689 +++ linux-2.6.32.43/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:56:46.000000000 -0400
35690 @@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
35691 }
35692
35693
35694 -static struct acpi_dock_ops acpiphp_dock_ops = {
35695 +static const struct acpi_dock_ops acpiphp_dock_ops = {
35696 .handler = handle_hotplug_event_func,
35697 };
35698
35699 diff -urNp linux-2.6.32.43/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.43/drivers/pci/hotplug/cpci_hotplug.h
35700 --- linux-2.6.32.43/drivers/pci/hotplug/cpci_hotplug.h 2011-03-27 14:31:47.000000000 -0400
35701 +++ linux-2.6.32.43/drivers/pci/hotplug/cpci_hotplug.h 2011-08-05 20:33:55.000000000 -0400
35702 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
35703 int (*hardware_test) (struct slot* slot, u32 value);
35704 u8 (*get_power) (struct slot* slot);
35705 int (*set_power) (struct slot* slot, int value);
35706 -};
35707 +} __no_const;
35708
35709 struct cpci_hp_controller {
35710 unsigned int irq;
35711 diff -urNp linux-2.6.32.43/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.43/drivers/pci/hotplug/cpqphp_nvram.c
35712 --- linux-2.6.32.43/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-27 14:31:47.000000000 -0400
35713 +++ linux-2.6.32.43/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:56:46.000000000 -0400
35714 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
35715
35716 void compaq_nvram_init (void __iomem *rom_start)
35717 {
35718 +
35719 +#ifndef CONFIG_PAX_KERNEXEC
35720 if (rom_start) {
35721 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
35722 }
35723 +#endif
35724 +
35725 dbg("int15 entry = %p\n", compaq_int15_entry_point);
35726
35727 /* initialize our int15 lock */
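Review bot: With `CONFIG_PAX_KERNEXEC` set, `compaq_int15_entry_point` is never assigned in `compaq_nvram_init`, yet the `dbg()` line and any later code that calls through that pointer still run; nothing in the hunk shows that those callers cope with an unset entry point. Add a comment at the `#ifndef` stating why the ROM entry point is not used under KERNEXEC and what the NVRAM routines do instead, for example `/* KERNEXEC: do not call into the BIOS ROM mapping; entry point stays unset */` if that is the intent. The blank line added directly after the opening brace is stray. The rest of the function is outside the hunk.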
35728 diff -urNp linux-2.6.32.43/drivers/pci/hotplug/fakephp.c linux-2.6.32.43/drivers/pci/hotplug/fakephp.c
35729 --- linux-2.6.32.43/drivers/pci/hotplug/fakephp.c 2011-03-27 14:31:47.000000000 -0400
35730 +++ linux-2.6.32.43/drivers/pci/hotplug/fakephp.c 2011-04-17 15:56:46.000000000 -0400
35731 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
35732 }
35733
35734 static struct kobj_type legacy_ktype = {
35735 - .sysfs_ops = &(struct sysfs_ops){
35736 + .sysfs_ops = &(const struct sysfs_ops){
35737 .store = legacy_store, .show = legacy_show
35738 },
35739 .release = &legacy_release,
35740 diff -urNp linux-2.6.32.43/drivers/pci/intel-iommu.c linux-2.6.32.43/drivers/pci/intel-iommu.c
35741 --- linux-2.6.32.43/drivers/pci/intel-iommu.c 2011-05-10 22:12:01.000000000 -0400
35742 +++ linux-2.6.32.43/drivers/pci/intel-iommu.c 2011-05-10 22:12:33.000000000 -0400
35743 @@ -2643,7 +2643,7 @@ error:
35744 return 0;
35745 }
35746
35747 -static dma_addr_t intel_map_page(struct device *dev, struct page *page,
35748 +dma_addr_t intel_map_page(struct device *dev, struct page *page,
35749 unsigned long offset, size_t size,
35750 enum dma_data_direction dir,
35751 struct dma_attrs *attrs)
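Review bot: `intel_map_page` loses `static` here, and the following hunks do the same for `intel_unmap_page`, `intel_alloc_coherent`, `intel_free_coherent`, `intel_unmap_sg`, `intel_map_sg` and `intel_mapping_error`, but no prototype for them is visible in this file's section. Each now-global function needs a declaration in a header that this file and its new callers both include, otherwise definition and use can drift apart without a compiler diagnostic. A comment at the first of them naming the code that calls these directly, rather than through `intel_dma_ops`, would explain why the linkage changed. The function body continues outside the hunk.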
35752 @@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
35753 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
35754 }
35755
35756 -static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
35757 +void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
35758 size_t size, enum dma_data_direction dir,
35759 struct dma_attrs *attrs)
35760 {
35761 @@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
35762 }
35763 }
35764
35765 -static void *intel_alloc_coherent(struct device *hwdev, size_t size,
35766 +void *intel_alloc_coherent(struct device *hwdev, size_t size,
35767 dma_addr_t *dma_handle, gfp_t flags)
35768 {
35769 void *vaddr;
35770 @@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
35771 return NULL;
35772 }
35773
35774 -static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
35775 +void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
35776 dma_addr_t dma_handle)
35777 {
35778 int order;
35779 @@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
35780 free_pages((unsigned long)vaddr, order);
35781 }
35782
35783 -static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
35784 +void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
35785 int nelems, enum dma_data_direction dir,
35786 struct dma_attrs *attrs)
35787 {
35788 @@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
35789 return nelems;
35790 }
35791
35792 -static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
35793 +int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
35794 enum dma_data_direction dir, struct dma_attrs *attrs)
35795 {
35796 int i;
35797 @@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
35798 return nelems;
35799 }
35800
35801 -static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
35802 +int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
35803 {
35804 return !dma_addr;
35805 }
35806
35807 -struct dma_map_ops intel_dma_ops = {
35808 +const struct dma_map_ops intel_dma_ops = {
35809 .alloc_coherent = intel_alloc_coherent,
35810 .free_coherent = intel_free_coherent,
35811 .map_sg = intel_map_sg,
35812 diff -urNp linux-2.6.32.43/drivers/pci/pcie/aspm.c linux-2.6.32.43/drivers/pci/pcie/aspm.c
35813 --- linux-2.6.32.43/drivers/pci/pcie/aspm.c 2011-03-27 14:31:47.000000000 -0400
35814 +++ linux-2.6.32.43/drivers/pci/pcie/aspm.c 2011-04-17 15:56:46.000000000 -0400
35815 @@ -27,9 +27,9 @@
35816 #define MODULE_PARAM_PREFIX "pcie_aspm."
35817
35818 /* Note: those are not register definitions */
35819 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
35820 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
35821 -#define ASPM_STATE_L1 (4) /* L1 state */
35822 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
35823 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
35824 +#define ASPM_STATE_L1 (4U) /* L1 state */
35825 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
35826 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
35827
35828 diff -urNp linux-2.6.32.43/drivers/pci/probe.c linux-2.6.32.43/drivers/pci/probe.c
35829 --- linux-2.6.32.43/drivers/pci/probe.c 2011-03-27 14:31:47.000000000 -0400
35830 +++ linux-2.6.32.43/drivers/pci/probe.c 2011-04-17 15:56:46.000000000 -0400
35831 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
35832 return ret;
35833 }
35834
35835 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
35836 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
35837 struct device_attribute *attr,
35838 char *buf)
35839 {
35840 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
35841 }
35842
35843 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
35844 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
35845 struct device_attribute *attr,
35846 char *buf)
35847 {
35848 diff -urNp linux-2.6.32.43/drivers/pci/proc.c linux-2.6.32.43/drivers/pci/proc.c
35849 --- linux-2.6.32.43/drivers/pci/proc.c 2011-03-27 14:31:47.000000000 -0400
35850 +++ linux-2.6.32.43/drivers/pci/proc.c 2011-04-17 15:56:46.000000000 -0400
35851 @@ -480,7 +480,16 @@ static const struct file_operations proc
35852 static int __init pci_proc_init(void)
35853 {
35854 struct pci_dev *dev = NULL;
35855 +
35856 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
35857 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35858 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
35859 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35860 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
35861 +#endif
35862 +#else
35863 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
35864 +#endif
35865 proc_create("devices", 0, proc_bus_pci_dir,
35866 &proc_bus_pci_dev_operations);
35867 proc_initialized = 1;
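Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, the inner `#ifdef`/`#elif` has no `#else`, so `proc_bus_pci_dir` is never assigned before `proc_create("devices", ...)` uses it. Kconfig may rule that combination out, but nothing in this hunk enforces it. An `#else` with `#error` before the inner `#endif` fails closed. An `#else` with `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` keeps the directory but with the stock permissions. The rest of `pci_proc_init` is outside the hunk.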
35868 diff -urNp linux-2.6.32.43/drivers/pci/slot.c linux-2.6.32.43/drivers/pci/slot.c
35869 --- linux-2.6.32.43/drivers/pci/slot.c 2011-03-27 14:31:47.000000000 -0400
35870 +++ linux-2.6.32.43/drivers/pci/slot.c 2011-04-17 15:56:46.000000000 -0400
35871 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
35872 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
35873 }
35874
35875 -static struct sysfs_ops pci_slot_sysfs_ops = {
35876 +static const struct sysfs_ops pci_slot_sysfs_ops = {
35877 .show = pci_slot_attr_show,
35878 .store = pci_slot_attr_store,
35879 };
35880 diff -urNp linux-2.6.32.43/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.43/drivers/pcmcia/pcmcia_ioctl.c
35881 --- linux-2.6.32.43/drivers/pcmcia/pcmcia_ioctl.c 2011-03-27 14:31:47.000000000 -0400
35882 +++ linux-2.6.32.43/drivers/pcmcia/pcmcia_ioctl.c 2011-04-17 15:56:46.000000000 -0400
35883 @@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
35884 return -EFAULT;
35885 }
35886 }
35887 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
35888 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
35889 if (!buf)
35890 return -ENOMEM;
35891
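Review bot: The switch from `kmalloc` to `kzalloc` carries no comment saying why the buffer must be zeroed. `ds_ioctl` presumably copies `buf` back to user space further down (outside this hunk), in which case any bytes a handler leaves unwritten would otherwise expose stale heap contents. I would record that above the allocation: `/* zeroed: buf is copied back to user space; unwritten bytes must not leak heap data */`.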
35892 diff -urNp linux-2.6.32.43/drivers/platform/x86/acer-wmi.c linux-2.6.32.43/drivers/platform/x86/acer-wmi.c
35893 --- linux-2.6.32.43/drivers/platform/x86/acer-wmi.c 2011-03-27 14:31:47.000000000 -0400
35894 +++ linux-2.6.32.43/drivers/platform/x86/acer-wmi.c 2011-04-17 15:56:46.000000000 -0400
35895 @@ -918,7 +918,7 @@ static int update_bl_status(struct backl
35896 return 0;
35897 }
35898
35899 -static struct backlight_ops acer_bl_ops = {
35900 +static const struct backlight_ops acer_bl_ops = {
35901 .get_brightness = read_brightness,
35902 .update_status = update_bl_status,
35903 };
35904 diff -urNp linux-2.6.32.43/drivers/platform/x86/asus_acpi.c linux-2.6.32.43/drivers/platform/x86/asus_acpi.c
35905 --- linux-2.6.32.43/drivers/platform/x86/asus_acpi.c 2011-03-27 14:31:47.000000000 -0400
35906 +++ linux-2.6.32.43/drivers/platform/x86/asus_acpi.c 2011-04-17 15:56:46.000000000 -0400
35907 @@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
35908 return 0;
35909 }
35910
35911 -static struct backlight_ops asus_backlight_data = {
35912 +static const struct backlight_ops asus_backlight_data = {
35913 .get_brightness = read_brightness,
35914 .update_status = set_brightness_status,
35915 };
35916 diff -urNp linux-2.6.32.43/drivers/platform/x86/asus-laptop.c linux-2.6.32.43/drivers/platform/x86/asus-laptop.c
35917 --- linux-2.6.32.43/drivers/platform/x86/asus-laptop.c 2011-03-27 14:31:47.000000000 -0400
35918 +++ linux-2.6.32.43/drivers/platform/x86/asus-laptop.c 2011-04-17 15:56:46.000000000 -0400
35919 @@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
35920 */
35921 static int read_brightness(struct backlight_device *bd);
35922 static int update_bl_status(struct backlight_device *bd);
35923 -static struct backlight_ops asusbl_ops = {
35924 +static const struct backlight_ops asusbl_ops = {
35925 .get_brightness = read_brightness,
35926 .update_status = update_bl_status,
35927 };
35928 diff -urNp linux-2.6.32.43/drivers/platform/x86/compal-laptop.c linux-2.6.32.43/drivers/platform/x86/compal-laptop.c
35929 --- linux-2.6.32.43/drivers/platform/x86/compal-laptop.c 2011-03-27 14:31:47.000000000 -0400
35930 +++ linux-2.6.32.43/drivers/platform/x86/compal-laptop.c 2011-04-17 15:56:46.000000000 -0400
35931 @@ -163,7 +163,7 @@ static int bl_update_status(struct backl
35932 return set_lcd_level(b->props.brightness);
35933 }
35934
35935 -static struct backlight_ops compalbl_ops = {
35936 +static const struct backlight_ops compalbl_ops = {
35937 .get_brightness = bl_get_brightness,
35938 .update_status = bl_update_status,
35939 };
35940 diff -urNp linux-2.6.32.43/drivers/platform/x86/dell-laptop.c linux-2.6.32.43/drivers/platform/x86/dell-laptop.c
35941 --- linux-2.6.32.43/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:01.000000000 -0400
35942 +++ linux-2.6.32.43/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:33.000000000 -0400
35943 @@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
35944 return buffer.output[1];
35945 }
35946
35947 -static struct backlight_ops dell_ops = {
35948 +static const struct backlight_ops dell_ops = {
35949 .get_brightness = dell_get_intensity,
35950 .update_status = dell_send_intensity,
35951 };
35952 diff -urNp linux-2.6.32.43/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.43/drivers/platform/x86/eeepc-laptop.c
35953 --- linux-2.6.32.43/drivers/platform/x86/eeepc-laptop.c 2011-03-27 14:31:47.000000000 -0400
35954 +++ linux-2.6.32.43/drivers/platform/x86/eeepc-laptop.c 2011-04-17 15:56:46.000000000 -0400
35955 @@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
35956 */
35957 static int read_brightness(struct backlight_device *bd);
35958 static int update_bl_status(struct backlight_device *bd);
35959 -static struct backlight_ops eeepcbl_ops = {
35960 +static const struct backlight_ops eeepcbl_ops = {
35961 .get_brightness = read_brightness,
35962 .update_status = update_bl_status,
35963 };
35964 diff -urNp linux-2.6.32.43/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.43/drivers/platform/x86/fujitsu-laptop.c
35965 --- linux-2.6.32.43/drivers/platform/x86/fujitsu-laptop.c 2011-03-27 14:31:47.000000000 -0400
35966 +++ linux-2.6.32.43/drivers/platform/x86/fujitsu-laptop.c 2011-04-17 15:56:46.000000000 -0400
35967 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
35968 return ret;
35969 }
35970
35971 -static struct backlight_ops fujitsubl_ops = {
35972 +static const struct backlight_ops fujitsubl_ops = {
35973 .get_brightness = bl_get_brightness,
35974 .update_status = bl_update_status,
35975 };
35976 diff -urNp linux-2.6.32.43/drivers/platform/x86/msi-laptop.c linux-2.6.32.43/drivers/platform/x86/msi-laptop.c
35977 --- linux-2.6.32.43/drivers/platform/x86/msi-laptop.c 2011-03-27 14:31:47.000000000 -0400
35978 +++ linux-2.6.32.43/drivers/platform/x86/msi-laptop.c 2011-04-17 15:56:46.000000000 -0400
35979 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
35980 return set_lcd_level(b->props.brightness);
35981 }
35982
35983 -static struct backlight_ops msibl_ops = {
35984 +static const struct backlight_ops msibl_ops = {
35985 .get_brightness = bl_get_brightness,
35986 .update_status = bl_update_status,
35987 };
35988 diff -urNp linux-2.6.32.43/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.43/drivers/platform/x86/panasonic-laptop.c
35989 --- linux-2.6.32.43/drivers/platform/x86/panasonic-laptop.c 2011-03-27 14:31:47.000000000 -0400
35990 +++ linux-2.6.32.43/drivers/platform/x86/panasonic-laptop.c 2011-04-17 15:56:46.000000000 -0400
35991 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
35992 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
35993 }
35994
35995 -static struct backlight_ops pcc_backlight_ops = {
35996 +static const struct backlight_ops pcc_backlight_ops = {
35997 .get_brightness = bl_get,
35998 .update_status = bl_set_status,
35999 };
36000 diff -urNp linux-2.6.32.43/drivers/platform/x86/sony-laptop.c linux-2.6.32.43/drivers/platform/x86/sony-laptop.c
36001 --- linux-2.6.32.43/drivers/platform/x86/sony-laptop.c 2011-03-27 14:31:47.000000000 -0400
36002 +++ linux-2.6.32.43/drivers/platform/x86/sony-laptop.c 2011-04-17 15:56:46.000000000 -0400
36003 @@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
36004 }
36005
36006 static struct backlight_device *sony_backlight_device;
36007 -static struct backlight_ops sony_backlight_ops = {
36008 +static const struct backlight_ops sony_backlight_ops = {
36009 .update_status = sony_backlight_update_status,
36010 .get_brightness = sony_backlight_get_brightness,
36011 };
36012 diff -urNp linux-2.6.32.43/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.43/drivers/platform/x86/thinkpad_acpi.c
36013 --- linux-2.6.32.43/drivers/platform/x86/thinkpad_acpi.c 2011-03-27 14:31:47.000000000 -0400
36014 +++ linux-2.6.32.43/drivers/platform/x86/thinkpad_acpi.c 2011-08-05 20:33:55.000000000 -0400
36015 @@ -2137,7 +2137,7 @@ static int hotkey_mask_get(void)
36016 return 0;
36017 }
36018
36019 -void static hotkey_mask_warn_incomplete_mask(void)
36020 +static void hotkey_mask_warn_incomplete_mask(void)
36021 {
36022 /* log only what the user can fix... */
36023 const u32 wantedmask = hotkey_driver_mask &
36024 @@ -6122,7 +6122,7 @@ static void tpacpi_brightness_notify_cha
36025 BACKLIGHT_UPDATE_HOTKEY);
36026 }
36027
36028 -static struct backlight_ops ibm_backlight_data = {
36029 +static const struct backlight_ops ibm_backlight_data = {
36030 .get_brightness = brightness_get,
36031 .update_status = brightness_update_status,
36032 };
36033 diff -urNp linux-2.6.32.43/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.43/drivers/platform/x86/toshiba_acpi.c
36034 --- linux-2.6.32.43/drivers/platform/x86/toshiba_acpi.c 2011-03-27 14:31:47.000000000 -0400
36035 +++ linux-2.6.32.43/drivers/platform/x86/toshiba_acpi.c 2011-04-17 15:56:46.000000000 -0400
36036 @@ -671,7 +671,7 @@ static acpi_status remove_device(void)
36037 return AE_OK;
36038 }
36039
36040 -static struct backlight_ops toshiba_backlight_data = {
36041 +static const struct backlight_ops toshiba_backlight_data = {
36042 .get_brightness = get_lcd,
36043 .update_status = set_lcd_status,
36044 };
36045 diff -urNp linux-2.6.32.43/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.43/drivers/pnp/pnpbios/bioscalls.c
36046 --- linux-2.6.32.43/drivers/pnp/pnpbios/bioscalls.c 2011-03-27 14:31:47.000000000 -0400
36047 +++ linux-2.6.32.43/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:56:46.000000000 -0400
36048 @@ -60,7 +60,7 @@ do { \
36049 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
36050 } while(0)
36051
36052 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
36053 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
36054 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
36055
36056 /*
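Review bot: The descriptor flags change from `0x4092` to `0x4093` alongside the new `const`, and nothing explains it. The extra bit is the descriptor's accessed bit. Pre-setting it presumably keeps the CPU from writing to the GDT entry when the selector is loaded, which matters once the table is mapped read-only. A comment such as `/* 0x4093: accessed bit pre-set so the CPU never has to write the GDT entry */` above `bad_bios_desc` would stop the value being changed back later as if it were a typo.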
36057 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
36058
36059 cpu = get_cpu();
36060 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
36061 +
36062 + pax_open_kernel();
36063 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
36064 + pax_close_kernel();
36065
36066 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
36067 spin_lock_irqsave(&pnp_bios_lock, flags);
36068 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
36069 :"memory");
36070 spin_unlock_irqrestore(&pnp_bios_lock, flags);
36071
36072 + pax_open_kernel();
36073 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
36074 + pax_close_kernel();
36075 +
36076 put_cpu();
36077
36078 /* If we get here and this is set then the PnP BIOS faulted on us. */
36079 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
36080 return status;
36081 }
36082
36083 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
36084 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
36085 {
36086 int i;
36087
36088 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
36089 pnp_bios_callpoint.offset = header->fields.pm16offset;
36090 pnp_bios_callpoint.segment = PNP_CS16;
36091
36092 + pax_open_kernel();
36093 +
36094 for_each_possible_cpu(i) {
36095 struct desc_struct *gdt = get_cpu_gdt_table(i);
36096 if (!gdt)
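Review bot: `pax_open_kernel()` is placed before the whole `for_each_possible_cpu` loop and its matching `pax_close_kernel()` only appears in the next hunk, after the loop, so kernel write protection stays lifted for every iteration. The `if (!gdt)` path visible here has its body outside the hunk and must not leave the function; a later early `return` inside the loop would exit without closing. Either state the pairing in a comment, `/* open/close must stay paired: no return inside the loop */`, or open and close around the per-CPU descriptor writes only, as `call_pnp_bios` does.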
36097 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
36098 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
36099 (unsigned long)__va(header->fields.pm16dseg));
36100 }
36101 +
36102 + pax_close_kernel();
36103 }
36104 diff -urNp linux-2.6.32.43/drivers/pnp/resource.c linux-2.6.32.43/drivers/pnp/resource.c
36105 --- linux-2.6.32.43/drivers/pnp/resource.c 2011-03-27 14:31:47.000000000 -0400
36106 +++ linux-2.6.32.43/drivers/pnp/resource.c 2011-04-17 15:56:46.000000000 -0400
36107 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
36108 return 1;
36109
36110 /* check if the resource is valid */
36111 - if (*irq < 0 || *irq > 15)
36112 + if (*irq > 15)
36113 return 0;
36114
36115 /* check if the resource is reserved */
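Review bot: Removing `*irq < 0` is only safe because the pointed-to value is unsigned (presumably `resource_size_t`), and that declaration is outside the hunk. The `pnp_check_dma` hunk below relies on the same thing when it drops `*dma < 0`. A short comment keeps the bound check honest if the type ever changes: `/* *irq is unsigned, so only the upper bound needs checking */`.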
36116 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
36117 return 1;
36118
36119 /* check if the resource is valid */
36120 - if (*dma < 0 || *dma == 4 || *dma > 7)
36121 + if (*dma == 4 || *dma > 7)
36122 return 0;
36123
36124 /* check if the resource is reserved */
36125 diff -urNp linux-2.6.32.43/drivers/power/bq27x00_battery.c linux-2.6.32.43/drivers/power/bq27x00_battery.c
36126 --- linux-2.6.32.43/drivers/power/bq27x00_battery.c 2011-03-27 14:31:47.000000000 -0400
36127 +++ linux-2.6.32.43/drivers/power/bq27x00_battery.c 2011-08-05 20:33:55.000000000 -0400
36128 @@ -44,7 +44,7 @@ struct bq27x00_device_info;
36129 struct bq27x00_access_methods {
36130 int (*read)(u8 reg, int *rt_value, int b_single,
36131 struct bq27x00_device_info *di);
36132 -};
36133 +} __no_const;
36134
36135 struct bq27x00_device_info {
36136 struct device *dev;
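Review bot: `__no_const` on `struct bq27x00_access_methods` is added without saying why this function-pointer struct is exempt from constification. Presumably an instance is filled in at run time (outside this hunk), which forces the opt-out but also leaves the `read` pointer writable for the life of the object. A one-line comment naming the assignment site, e.g. `/* __no_const: ->read is assigned at probe time */` (to be confirmed against the driver), would let a later reviewer check whether the exemption is still needed. The same applies to `struct adapter_ops` in aacraid.h, `struct bfa_hwif_s` in bfa_iocfc.h and `struct bfa_ioc_cbfn_s` in bfa_ioc.h.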
36137 diff -urNp linux-2.6.32.43/drivers/rtc/rtc-dev.c linux-2.6.32.43/drivers/rtc/rtc-dev.c
36138 --- linux-2.6.32.43/drivers/rtc/rtc-dev.c 2011-03-27 14:31:47.000000000 -0400
36139 +++ linux-2.6.32.43/drivers/rtc/rtc-dev.c 2011-04-17 15:56:46.000000000 -0400
36140 @@ -14,6 +14,7 @@
36141 #include <linux/module.h>
36142 #include <linux/rtc.h>
36143 #include <linux/sched.h>
36144 +#include <linux/grsecurity.h>
36145 #include "rtc-core.h"
36146
36147 static dev_t rtc_devt;
36148 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
36149 if (copy_from_user(&tm, uarg, sizeof(tm)))
36150 return -EFAULT;
36151
36152 + gr_log_timechange();
36153 +
36154 return rtc_set_time(rtc, &tm);
36155
36156 case RTC_PIE_ON:
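Review bot: `gr_log_timechange()` runs before `rtc_set_time()` and ignores its result, so the audit record is written even when the hardware clock change fails. If the log is meant to record attempts, say so in a comment: `/* audit the attempt; rtc_set_time() may still fail */`. If it is meant to record actual changes, call it only after `rtc_set_time(rtc, &tm)` returns zero. The enclosing `case` label and the rest of `rtc_dev_ioctl` are outside the hunk.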
36157 diff -urNp linux-2.6.32.43/drivers/s390/cio/qdio_perf.c linux-2.6.32.43/drivers/s390/cio/qdio_perf.c
36158 --- linux-2.6.32.43/drivers/s390/cio/qdio_perf.c 2011-03-27 14:31:47.000000000 -0400
36159 +++ linux-2.6.32.43/drivers/s390/cio/qdio_perf.c 2011-04-17 15:56:46.000000000 -0400
36160 @@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
36161 static int qdio_perf_proc_show(struct seq_file *m, void *v)
36162 {
36163 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
36164 - (long)atomic_long_read(&perf_stats.qdio_int));
36165 + (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
36166 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
36167 - (long)atomic_long_read(&perf_stats.pci_int));
36168 + (long)atomic_long_read_unchecked(&perf_stats.pci_int));
36169 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
36170 - (long)atomic_long_read(&perf_stats.thin_int));
36171 + (long)atomic_long_read_unchecked(&perf_stats.thin_int));
36172 seq_printf(m, "\n");
36173 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
36174 - (long)atomic_long_read(&perf_stats.tasklet_inbound));
36175 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
36176 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
36177 - (long)atomic_long_read(&perf_stats.tasklet_outbound));
36178 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
36179 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
36180 - (long)atomic_long_read(&perf_stats.tasklet_thinint),
36181 - (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
36182 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
36183 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
36184 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
36185 - (long)atomic_long_read(&perf_stats.thinint_inbound),
36186 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
36187 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
36188 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
36189 seq_printf(m, "\n");
36190 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
36191 - (long)atomic_long_read(&perf_stats.siga_in));
36192 + (long)atomic_long_read_unchecked(&perf_stats.siga_in));
36193 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
36194 - (long)atomic_long_read(&perf_stats.siga_out));
36195 + (long)atomic_long_read_unchecked(&perf_stats.siga_out));
36196 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
36197 - (long)atomic_long_read(&perf_stats.siga_sync));
36198 + (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
36199 seq_printf(m, "\n");
36200 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
36201 - (long)atomic_long_read(&perf_stats.inbound_handler));
36202 + (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
36203 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
36204 - (long)atomic_long_read(&perf_stats.outbound_handler));
36205 + (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
36206 seq_printf(m, "\n");
36207 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
36208 - (long)atomic_long_read(&perf_stats.fast_requeue));
36209 + (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
36210 seq_printf(m, "Number of outbound target full condition\t: %li\n",
36211 - (long)atomic_long_read(&perf_stats.outbound_target_full));
36212 + (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
36213 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
36214 - (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
36215 + (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
36216 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
36217 - (long)atomic_long_read(&perf_stats.debug_stop_polling));
36218 + (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
36219 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
36220 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
36221 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
36222 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
36223 - (long)atomic_long_read(&perf_stats.debug_eqbs_all),
36224 - (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
36225 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
36226 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
36227 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
36228 - (long)atomic_long_read(&perf_stats.debug_sqbs_all),
36229 - (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
36230 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
36231 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
36232 seq_printf(m, "\n");
36233 return 0;
36234 }
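Review bot: The counters read here become `_unchecked`, meaning they are allowed to wrap silently, and nothing records that this is intentional. They look like pure statistics rather than reference counts, so the opt-out seems right, but after a wrap the `(long)` cast with `%li` prints a negative count. A comment on `struct qdio_perf_stats` in qdio_perf.h, such as `/* statistics only, may wrap; not reference counts */`, would document the choice for both files.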
36235 diff -urNp linux-2.6.32.43/drivers/s390/cio/qdio_perf.h linux-2.6.32.43/drivers/s390/cio/qdio_perf.h
36236 --- linux-2.6.32.43/drivers/s390/cio/qdio_perf.h 2011-03-27 14:31:47.000000000 -0400
36237 +++ linux-2.6.32.43/drivers/s390/cio/qdio_perf.h 2011-04-17 15:56:46.000000000 -0400
36238 @@ -13,46 +13,46 @@
36239
36240 struct qdio_perf_stats {
36241 /* interrupt handler calls */
36242 - atomic_long_t qdio_int;
36243 - atomic_long_t pci_int;
36244 - atomic_long_t thin_int;
36245 + atomic_long_unchecked_t qdio_int;
36246 + atomic_long_unchecked_t pci_int;
36247 + atomic_long_unchecked_t thin_int;
36248
36249 /* tasklet runs */
36250 - atomic_long_t tasklet_inbound;
36251 - atomic_long_t tasklet_outbound;
36252 - atomic_long_t tasklet_thinint;
36253 - atomic_long_t tasklet_thinint_loop;
36254 - atomic_long_t thinint_inbound;
36255 - atomic_long_t thinint_inbound_loop;
36256 - atomic_long_t thinint_inbound_loop2;
36257 + atomic_long_unchecked_t tasklet_inbound;
36258 + atomic_long_unchecked_t tasklet_outbound;
36259 + atomic_long_unchecked_t tasklet_thinint;
36260 + atomic_long_unchecked_t tasklet_thinint_loop;
36261 + atomic_long_unchecked_t thinint_inbound;
36262 + atomic_long_unchecked_t thinint_inbound_loop;
36263 + atomic_long_unchecked_t thinint_inbound_loop2;
36264
36265 /* signal adapter calls */
36266 - atomic_long_t siga_out;
36267 - atomic_long_t siga_in;
36268 - atomic_long_t siga_sync;
36269 + atomic_long_unchecked_t siga_out;
36270 + atomic_long_unchecked_t siga_in;
36271 + atomic_long_unchecked_t siga_sync;
36272
36273 /* misc */
36274 - atomic_long_t inbound_handler;
36275 - atomic_long_t outbound_handler;
36276 - atomic_long_t fast_requeue;
36277 - atomic_long_t outbound_target_full;
36278 + atomic_long_unchecked_t inbound_handler;
36279 + atomic_long_unchecked_t outbound_handler;
36280 + atomic_long_unchecked_t fast_requeue;
36281 + atomic_long_unchecked_t outbound_target_full;
36282
36283 /* for debugging */
36284 - atomic_long_t debug_tl_out_timer;
36285 - atomic_long_t debug_stop_polling;
36286 - atomic_long_t debug_eqbs_all;
36287 - atomic_long_t debug_eqbs_incomplete;
36288 - atomic_long_t debug_sqbs_all;
36289 - atomic_long_t debug_sqbs_incomplete;
36290 + atomic_long_unchecked_t debug_tl_out_timer;
36291 + atomic_long_unchecked_t debug_stop_polling;
36292 + atomic_long_unchecked_t debug_eqbs_all;
36293 + atomic_long_unchecked_t debug_eqbs_incomplete;
36294 + atomic_long_unchecked_t debug_sqbs_all;
36295 + atomic_long_unchecked_t debug_sqbs_incomplete;
36296 };
36297
36298 extern struct qdio_perf_stats perf_stats;
36299 extern int qdio_performance_stats;
36300
36301 -static inline void qdio_perf_stat_inc(atomic_long_t *count)
36302 +static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
36303 {
36304 if (qdio_performance_stats)
36305 - atomic_long_inc(count);
36306 + atomic_long_inc_unchecked(count);
36307 }
36308
36309 int qdio_setup_perf_stats(void);
36310 diff -urNp linux-2.6.32.43/drivers/scsi/aacraid/aacraid.h linux-2.6.32.43/drivers/scsi/aacraid/aacraid.h
36311 --- linux-2.6.32.43/drivers/scsi/aacraid/aacraid.h 2011-03-27 14:31:47.000000000 -0400
36312 +++ linux-2.6.32.43/drivers/scsi/aacraid/aacraid.h 2011-08-05 20:33:55.000000000 -0400
36313 @@ -471,7 +471,7 @@ struct adapter_ops
36314 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
36315 /* Administrative operations */
36316 int (*adapter_comm)(struct aac_dev * dev, int comm);
36317 -};
36318 +} __no_const;
36319
36320 /*
36321 * Define which interrupt handler needs to be installed
36322 diff -urNp linux-2.6.32.43/drivers/scsi/aacraid/commctrl.c linux-2.6.32.43/drivers/scsi/aacraid/commctrl.c
36323 --- linux-2.6.32.43/drivers/scsi/aacraid/commctrl.c 2011-03-27 14:31:47.000000000 -0400
36324 +++ linux-2.6.32.43/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:46:57.000000000 -0400
36325 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
36326 u32 actual_fibsize64, actual_fibsize = 0;
36327 int i;
36328
36329 + pax_track_stack();
36330
36331 if (dev->in_reset) {
36332 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
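Review bot: `pax_track_stack()` is inserted at the top of `aac_send_raw_srb` with no comment on why this function needs it. The call is presumably there because the function has a large stack frame, but most of the locals that would make it large are outside the hunk. A brief comment, `/* large stack frame: record stack depth */` (wording to be confirmed), would help here. The same goes for the identical insertions in BusLogic.c, dpt_i2o.c, eata.c, libfcoe.c, gdth.c and gdth_proc.c.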
36333 diff -urNp linux-2.6.32.43/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.43/drivers/scsi/aic94xx/aic94xx_init.c
36334 --- linux-2.6.32.43/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-27 14:31:47.000000000 -0400
36335 +++ linux-2.6.32.43/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:56:46.000000000 -0400
36336 @@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
36337 flash_error_table[i].reason);
36338 }
36339
36340 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
36341 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
36342 asd_show_update_bios, asd_store_update_bios);
36343
36344 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
36345 diff -urNp linux-2.6.32.43/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.43/drivers/scsi/bfa/bfa_iocfc.h
36346 --- linux-2.6.32.43/drivers/scsi/bfa/bfa_iocfc.h 2011-03-27 14:31:47.000000000 -0400
36347 +++ linux-2.6.32.43/drivers/scsi/bfa/bfa_iocfc.h 2011-08-05 20:33:55.000000000 -0400
36348 @@ -61,7 +61,7 @@ struct bfa_hwif_s {
36349 void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
36350 void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
36351 u32 *nvecs, u32 *maxvec);
36352 -};
36353 +} __no_const;
36354 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
36355
36356 struct bfa_iocfc_s {
36357 diff -urNp linux-2.6.32.43/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.43/drivers/scsi/bfa/bfa_ioc.h
36358 --- linux-2.6.32.43/drivers/scsi/bfa/bfa_ioc.h 2011-03-27 14:31:47.000000000 -0400
36359 +++ linux-2.6.32.43/drivers/scsi/bfa/bfa_ioc.h 2011-08-05 20:33:55.000000000 -0400
36360 @@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
36361 bfa_ioc_disable_cbfn_t disable_cbfn;
36362 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
36363 bfa_ioc_reset_cbfn_t reset_cbfn;
36364 -};
36365 +} __no_const;
36366
36367 /**
36368 * Heartbeat failure notification queue element.
36369 diff -urNp linux-2.6.32.43/drivers/scsi/BusLogic.c linux-2.6.32.43/drivers/scsi/BusLogic.c
36370 --- linux-2.6.32.43/drivers/scsi/BusLogic.c 2011-03-27 14:31:47.000000000 -0400
36371 +++ linux-2.6.32.43/drivers/scsi/BusLogic.c 2011-05-16 21:46:57.000000000 -0400
36372 @@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
36373 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
36374 *PrototypeHostAdapter)
36375 {
36376 + pax_track_stack();
36377 +
36378 /*
36379 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
36380 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
36381 diff -urNp linux-2.6.32.43/drivers/scsi/dpt_i2o.c linux-2.6.32.43/drivers/scsi/dpt_i2o.c
36382 --- linux-2.6.32.43/drivers/scsi/dpt_i2o.c 2011-03-27 14:31:47.000000000 -0400
36383 +++ linux-2.6.32.43/drivers/scsi/dpt_i2o.c 2011-05-16 21:46:57.000000000 -0400
36384 @@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
36385 dma_addr_t addr;
36386 ulong flags = 0;
36387
36388 + pax_track_stack();
36389 +
36390 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
36391 // get user msg size in u32s
36392 if(get_user(size, &user_msg[0])){
36393 @@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
36394 s32 rcode;
36395 dma_addr_t addr;
36396
36397 + pax_track_stack();
36398 +
36399 memset(msg, 0 , sizeof(msg));
36400 len = scsi_bufflen(cmd);
36401 direction = 0x00000000;
36402 diff -urNp linux-2.6.32.43/drivers/scsi/eata.c linux-2.6.32.43/drivers/scsi/eata.c
36403 --- linux-2.6.32.43/drivers/scsi/eata.c 2011-03-27 14:31:47.000000000 -0400
36404 +++ linux-2.6.32.43/drivers/scsi/eata.c 2011-05-16 21:46:57.000000000 -0400
36405 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
36406 struct hostdata *ha;
36407 char name[16];
36408
36409 + pax_track_stack();
36410 +
36411 sprintf(name, "%s%d", driver_name, j);
36412
36413 if (!request_region(port_base, REGION_SIZE, driver_name)) {
36414 diff -urNp linux-2.6.32.43/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.43/drivers/scsi/fcoe/libfcoe.c
36415 --- linux-2.6.32.43/drivers/scsi/fcoe/libfcoe.c 2011-03-27 14:31:47.000000000 -0400
36416 +++ linux-2.6.32.43/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:46:57.000000000 -0400
36417 @@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
36418 size_t rlen;
36419 size_t dlen;
36420
36421 + pax_track_stack();
36422 +
36423 fiph = (struct fip_header *)skb->data;
36424 sub = fiph->fip_subcode;
36425 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
36426 diff -urNp linux-2.6.32.43/drivers/scsi/fnic/fnic_main.c linux-2.6.32.43/drivers/scsi/fnic/fnic_main.c
36427 --- linux-2.6.32.43/drivers/scsi/fnic/fnic_main.c 2011-03-27 14:31:47.000000000 -0400
36428 +++ linux-2.6.32.43/drivers/scsi/fnic/fnic_main.c 2011-08-05 20:33:55.000000000 -0400
36429 @@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
36430 /* Start local port initiatialization */
36431
36432 lp->link_up = 0;
36433 - lp->tt = fnic_transport_template;
36434 + memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
36435
36436 lp->max_retry_count = fnic->config.flogi_retries;
36437 lp->max_rport_retry_count = fnic->config.plogi_retries;
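Review bot: The `memcpy` sizes the copy by the source, `sizeof(fnic_transport_template)`, rather than by the destination `lp->tt`. The two are presumably the same type, since the removed line assigned one to the other, but `sizeof(lp->tt)` keeps the write bounded by the destination if they ever diverge: `memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(lp->tt));`. The `(void *)` cast also hides whatever qualifier made the plain assignment unusable, so a comment stating that `tt` is written once during probe would help. The rest of `fnic_probe` is outside the hunk.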
36438 diff -urNp linux-2.6.32.43/drivers/scsi/gdth.c linux-2.6.32.43/drivers/scsi/gdth.c
36439 --- linux-2.6.32.43/drivers/scsi/gdth.c 2011-03-27 14:31:47.000000000 -0400
36440 +++ linux-2.6.32.43/drivers/scsi/gdth.c 2011-05-16 21:46:57.000000000 -0400
36441 @@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
36442 ulong flags;
36443 gdth_ha_str *ha;
36444
36445 + pax_track_stack();
36446 +
36447 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
36448 return -EFAULT;
36449 ha = gdth_find_ha(ldrv.ionode);
36450 @@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
36451 gdth_ha_str *ha;
36452 int rval;
36453
36454 + pax_track_stack();
36455 +
36456 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
36457 res.number >= MAX_HDRIVES)
36458 return -EFAULT;
36459 @@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
36460 gdth_ha_str *ha;
36461 int rval;
36462
36463 + pax_track_stack();
36464 +
36465 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
36466 return -EFAULT;
36467 ha = gdth_find_ha(gen.ionode);
36468 @@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
36469 int i;
36470 gdth_cmd_str gdtcmd;
36471 char cmnd[MAX_COMMAND_SIZE];
36472 +
36473 + pax_track_stack();
36474 +
36475 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
36476
36477 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
36478 diff -urNp linux-2.6.32.43/drivers/scsi/gdth_proc.c linux-2.6.32.43/drivers/scsi/gdth_proc.c
36479 --- linux-2.6.32.43/drivers/scsi/gdth_proc.c 2011-03-27 14:31:47.000000000 -0400
36480 +++ linux-2.6.32.43/drivers/scsi/gdth_proc.c 2011-05-16 21:46:57.000000000 -0400
36481 @@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
36482 ulong64 paddr;
36483
36484 char cmnd[MAX_COMMAND_SIZE];
36485 +
36486 + pax_track_stack();
36487 +
36488 memset(cmnd, 0xff, 12);
36489 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
36490
36491 @@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
36492 gdth_hget_str *phg;
36493 char cmnd[MAX_COMMAND_SIZE];
36494
36495 + pax_track_stack();
36496 +
36497 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
36498 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
36499 if (!gdtcmd || !estr)
36500 diff -urNp linux-2.6.32.43/drivers/scsi/hosts.c linux-2.6.32.43/drivers/scsi/hosts.c
36501 --- linux-2.6.32.43/drivers/scsi/hosts.c 2011-03-27 14:31:47.000000000 -0400
36502 +++ linux-2.6.32.43/drivers/scsi/hosts.c 2011-05-04 17:56:28.000000000 -0400
36503 @@ -40,7 +40,7 @@
36504 #include "scsi_logging.h"
36505
36506
36507 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
36508 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
36509
36510
36511 static void scsi_host_cls_release(struct device *dev)
36512 @@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
36513 * subtract one because we increment first then return, but we need to
36514 * know what the next host number was before increment
36515 */
36516 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
36517 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
36518 shost->dma_channel = 0xff;
36519
36520 /* These three are default values which can be overridden */
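Review bot: With scsi_host_next_hn switched to the unchecked type, `atomic_inc_return_unchecked(&scsi_host_next_hn) - 1` is explicitly allowed to wrap, and the wrapped value is assigned to shost->host_no, which is an identifier rather than a statistic. Nothing in either hunk records why silent wraparound is acceptable there. I would extend the declaration comment to something like `/* host_no for next new host; ID allocator, not a refcount, so exempt from overflow trapping */` and state whether a reused host number after wrap is harmless. scsi_host_alloc starts before and continues after the second hunk.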
36521 diff -urNp linux-2.6.32.43/drivers/scsi/ipr.c linux-2.6.32.43/drivers/scsi/ipr.c
36522 --- linux-2.6.32.43/drivers/scsi/ipr.c 2011-03-27 14:31:47.000000000 -0400
36523 +++ linux-2.6.32.43/drivers/scsi/ipr.c 2011-04-17 15:56:46.000000000 -0400
36524 @@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
36525 return true;
36526 }
36527
36528 -static struct ata_port_operations ipr_sata_ops = {
36529 +static const struct ata_port_operations ipr_sata_ops = {
36530 .phy_reset = ipr_ata_phy_reset,
36531 .hardreset = ipr_sata_reset,
36532 .post_internal_cmd = ipr_ata_post_internal,
36533 diff -urNp linux-2.6.32.43/drivers/scsi/ips.h linux-2.6.32.43/drivers/scsi/ips.h
36534 --- linux-2.6.32.43/drivers/scsi/ips.h 2011-03-27 14:31:47.000000000 -0400
36535 +++ linux-2.6.32.43/drivers/scsi/ips.h 2011-08-05 20:33:55.000000000 -0400
36536 @@ -1027,7 +1027,7 @@ typedef struct {
36537 int (*intr)(struct ips_ha *);
36538 void (*enableint)(struct ips_ha *);
36539 uint32_t (*statupd)(struct ips_ha *);
36540 -} ips_hw_func_t;
36541 +} __no_const ips_hw_func_t;
36542
36543 typedef struct ips_ha {
36544 uint8_t ha_id[IPS_MAX_CHANNELS+1];
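Review bot: `__no_const` on ips_hw_func_t keeps a table of function pointers (intr, enableint, statupd and the members above the hunk) writable for the lifetime of the driver, and the hunk gives no reason for the exemption. A comment on the closing line, for example `/* members are assigned at runtime per adapter type, so the table cannot be constified */`, would let a reviewer check that the exemption is still needed; that rationale is inferred and should be confirmed against ips.c. The same applies to struct isp_operations in qla2xxx/qla_def.h, which gets the same annotation. The typedef starts outside the hunk.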
36545 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_disc.c linux-2.6.32.43/drivers/scsi/libfc/fc_disc.c
36546 --- linux-2.6.32.43/drivers/scsi/libfc/fc_disc.c 2011-03-27 14:31:47.000000000 -0400
36547 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_disc.c 2011-08-05 20:33:55.000000000 -0400
36548 @@ -715,16 +715,16 @@ int fc_disc_init(struct fc_lport *lport)
36549 struct fc_disc *disc;
36550
36551 if (!lport->tt.disc_start)
36552 - lport->tt.disc_start = fc_disc_start;
36553 + *(void **)&lport->tt.disc_start = fc_disc_start;
36554
36555 if (!lport->tt.disc_stop)
36556 - lport->tt.disc_stop = fc_disc_stop;
36557 + *(void **)&lport->tt.disc_stop = fc_disc_stop;
36558
36559 if (!lport->tt.disc_stop_final)
36560 - lport->tt.disc_stop_final = fc_disc_stop_final;
36561 + *(void **)&lport->tt.disc_stop_final = fc_disc_stop_final;
36562
36563 if (!lport->tt.disc_recv_req)
36564 - lport->tt.disc_recv_req = fc_disc_recv_req;
36565 + *(void **)&lport->tt.disc_recv_req = fc_disc_recv_req;
36566
36567 disc = &lport->disc;
36568 INIT_DELAYED_WORK(&disc->disc_work, fc_disc_timeout);
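Review bot: The `*(void **)&lport->tt.disc_start = fc_disc_start;` form used for all four defaults stores through a `void *` lvalue, so the compiler no longer checks that fc_disc_start matches the prototype of the tt.disc_start member, and a later signature change on either side would compile silently. The cast is presumably there because the patch treats the template struct as const; ips.h and qla2xxx/qla_def.h in this same patch handle runtime-filled tables with `__no_const` instead, which would keep the typed assignment `lport->tt.disc_start = fc_disc_start;`. If the cast stays, a comment should say why these stores need no pax_open_kernel()/pax_close_kernel() pair while the ones in lpfc_init.c do (presumably lport->tt lives in writable per-port memory). The same pattern appears in fc_elsct_init, fc_exch_init, fc_fcp_init, fc_lport_destroy, fc_lport_init and fc_rport_init. fc_disc_init starts before and continues after the hunk.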
36569 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_elsct.c linux-2.6.32.43/drivers/scsi/libfc/fc_elsct.c
36570 --- linux-2.6.32.43/drivers/scsi/libfc/fc_elsct.c 2011-03-27 14:31:47.000000000 -0400
36571 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_elsct.c 2011-08-05 20:33:55.000000000 -0400
36572 @@ -67,7 +67,7 @@ static struct fc_seq *fc_elsct_send(stru
36573 int fc_elsct_init(struct fc_lport *lport)
36574 {
36575 if (!lport->tt.elsct_send)
36576 - lport->tt.elsct_send = fc_elsct_send;
36577 + *(void **)&lport->tt.elsct_send = fc_elsct_send;
36578
36579 return 0;
36580 }
36581 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_exch.c linux-2.6.32.43/drivers/scsi/libfc/fc_exch.c
36582 --- linux-2.6.32.43/drivers/scsi/libfc/fc_exch.c 2011-03-27 14:31:47.000000000 -0400
36583 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_exch.c 2011-08-05 20:33:55.000000000 -0400
36584 @@ -86,12 +86,12 @@ struct fc_exch_mgr {
36585 * all together if not used XXX
36586 */
36587 struct {
36588 - atomic_t no_free_exch;
36589 - atomic_t no_free_exch_xid;
36590 - atomic_t xid_not_found;
36591 - atomic_t xid_busy;
36592 - atomic_t seq_not_found;
36593 - atomic_t non_bls_resp;
36594 + atomic_unchecked_t no_free_exch;
36595 + atomic_unchecked_t no_free_exch_xid;
36596 + atomic_unchecked_t xid_not_found;
36597 + atomic_unchecked_t xid_busy;
36598 + atomic_unchecked_t seq_not_found;
36599 + atomic_unchecked_t non_bls_resp;
36600 } stats;
36601 };
36602 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
36603 @@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
36604 /* allocate memory for exchange */
36605 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
36606 if (!ep) {
36607 - atomic_inc(&mp->stats.no_free_exch);
36608 + atomic_inc_unchecked(&mp->stats.no_free_exch);
36609 goto out;
36610 }
36611 memset(ep, 0, sizeof(*ep));
36612 @@ -557,7 +557,7 @@ out:
36613 return ep;
36614 err:
36615 spin_unlock_bh(&pool->lock);
36616 - atomic_inc(&mp->stats.no_free_exch_xid);
36617 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
36618 mempool_free(ep, mp->ep_pool);
36619 return NULL;
36620 }
36621 @@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36622 xid = ntohs(fh->fh_ox_id); /* we originated exch */
36623 ep = fc_exch_find(mp, xid);
36624 if (!ep) {
36625 - atomic_inc(&mp->stats.xid_not_found);
36626 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36627 reject = FC_RJT_OX_ID;
36628 goto out;
36629 }
36630 @@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36631 ep = fc_exch_find(mp, xid);
36632 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
36633 if (ep) {
36634 - atomic_inc(&mp->stats.xid_busy);
36635 + atomic_inc_unchecked(&mp->stats.xid_busy);
36636 reject = FC_RJT_RX_ID;
36637 goto rel;
36638 }
36639 @@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36640 }
36641 xid = ep->xid; /* get our XID */
36642 } else if (!ep) {
36643 - atomic_inc(&mp->stats.xid_not_found);
36644 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36645 reject = FC_RJT_RX_ID; /* XID not found */
36646 goto out;
36647 }
36648 @@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36649 } else {
36650 sp = &ep->seq;
36651 if (sp->id != fh->fh_seq_id) {
36652 - atomic_inc(&mp->stats.seq_not_found);
36653 + atomic_inc_unchecked(&mp->stats.seq_not_found);
36654 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
36655 goto rel;
36656 }
36657 @@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
36658
36659 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
36660 if (!ep) {
36661 - atomic_inc(&mp->stats.xid_not_found);
36662 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36663 goto out;
36664 }
36665 if (ep->esb_stat & ESB_ST_COMPLETE) {
36666 - atomic_inc(&mp->stats.xid_not_found);
36667 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36668 goto out;
36669 }
36670 if (ep->rxid == FC_XID_UNKNOWN)
36671 ep->rxid = ntohs(fh->fh_rx_id);
36672 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
36673 - atomic_inc(&mp->stats.xid_not_found);
36674 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36675 goto rel;
36676 }
36677 if (ep->did != ntoh24(fh->fh_s_id) &&
36678 ep->did != FC_FID_FLOGI) {
36679 - atomic_inc(&mp->stats.xid_not_found);
36680 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36681 goto rel;
36682 }
36683 sof = fr_sof(fp);
36684 @@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
36685 } else {
36686 sp = &ep->seq;
36687 if (sp->id != fh->fh_seq_id) {
36688 - atomic_inc(&mp->stats.seq_not_found);
36689 + atomic_inc_unchecked(&mp->stats.seq_not_found);
36690 goto rel;
36691 }
36692 }
36693 @@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
36694 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
36695
36696 if (!sp)
36697 - atomic_inc(&mp->stats.xid_not_found);
36698 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36699 else
36700 - atomic_inc(&mp->stats.non_bls_resp);
36701 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
36702
36703 fc_frame_free(fp);
36704 }
36705 @@ -2027,25 +2027,25 @@ EXPORT_SYMBOL(fc_exch_recv);
36706 int fc_exch_init(struct fc_lport *lp)
36707 {
36708 if (!lp->tt.seq_start_next)
36709 - lp->tt.seq_start_next = fc_seq_start_next;
36710 + *(void **)&lp->tt.seq_start_next = fc_seq_start_next;
36711
36712 if (!lp->tt.exch_seq_send)
36713 - lp->tt.exch_seq_send = fc_exch_seq_send;
36714 + *(void **)&lp->tt.exch_seq_send = fc_exch_seq_send;
36715
36716 if (!lp->tt.seq_send)
36717 - lp->tt.seq_send = fc_seq_send;
36718 + *(void **)&lp->tt.seq_send = fc_seq_send;
36719
36720 if (!lp->tt.seq_els_rsp_send)
36721 - lp->tt.seq_els_rsp_send = fc_seq_els_rsp_send;
36722 + *(void **)&lp->tt.seq_els_rsp_send = fc_seq_els_rsp_send;
36723
36724 if (!lp->tt.exch_done)
36725 - lp->tt.exch_done = fc_exch_done;
36726 + *(void **)&lp->tt.exch_done = fc_exch_done;
36727
36728 if (!lp->tt.exch_mgr_reset)
36729 - lp->tt.exch_mgr_reset = fc_exch_mgr_reset;
36730 + *(void **)&lp->tt.exch_mgr_reset = fc_exch_mgr_reset;
36731
36732 if (!lp->tt.seq_exch_abort)
36733 - lp->tt.seq_exch_abort = fc_seq_exch_abort;
36734 + *(void **)&lp->tt.seq_exch_abort = fc_seq_exch_abort;
36735
36736 /*
36737 * Initialize fc_cpu_mask and fc_cpu_order. The
36738 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_fcp.c linux-2.6.32.43/drivers/scsi/libfc/fc_fcp.c
36739 --- linux-2.6.32.43/drivers/scsi/libfc/fc_fcp.c 2011-03-27 14:31:47.000000000 -0400
36740 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_fcp.c 2011-08-05 20:33:55.000000000 -0400
36741 @@ -2105,13 +2105,13 @@ int fc_fcp_init(struct fc_lport *lp)
36742 struct fc_fcp_internal *si;
36743
36744 if (!lp->tt.fcp_cmd_send)
36745 - lp->tt.fcp_cmd_send = fc_fcp_cmd_send;
36746 + *(void **)&lp->tt.fcp_cmd_send = fc_fcp_cmd_send;
36747
36748 if (!lp->tt.fcp_cleanup)
36749 - lp->tt.fcp_cleanup = fc_fcp_cleanup;
36750 + *(void **)&lp->tt.fcp_cleanup = fc_fcp_cleanup;
36751
36752 if (!lp->tt.fcp_abort_io)
36753 - lp->tt.fcp_abort_io = fc_fcp_abort_io;
36754 + *(void **)&lp->tt.fcp_abort_io = fc_fcp_abort_io;
36755
36756 si = kzalloc(sizeof(struct fc_fcp_internal), GFP_KERNEL);
36757 if (!si)
36758 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_lport.c linux-2.6.32.43/drivers/scsi/libfc/fc_lport.c
36759 --- linux-2.6.32.43/drivers/scsi/libfc/fc_lport.c 2011-03-27 14:31:47.000000000 -0400
36760 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_lport.c 2011-08-05 20:33:55.000000000 -0400
36761 @@ -569,7 +569,7 @@ int fc_lport_destroy(struct fc_lport *lp
36762 mutex_lock(&lport->lp_mutex);
36763 lport->state = LPORT_ST_DISABLED;
36764 lport->link_up = 0;
36765 - lport->tt.frame_send = fc_frame_drop;
36766 + *(void **)&lport->tt.frame_send = fc_frame_drop;
36767 mutex_unlock(&lport->lp_mutex);
36768
36769 lport->tt.fcp_abort_io(lport);
36770 @@ -1477,10 +1477,10 @@ EXPORT_SYMBOL(fc_lport_config);
36771 int fc_lport_init(struct fc_lport *lport)
36772 {
36773 if (!lport->tt.lport_recv)
36774 - lport->tt.lport_recv = fc_lport_recv_req;
36775 + *(void **)&lport->tt.lport_recv = fc_lport_recv_req;
36776
36777 if (!lport->tt.lport_reset)
36778 - lport->tt.lport_reset = fc_lport_reset;
36779 + *(void **)&lport->tt.lport_reset = fc_lport_reset;
36780
36781 fc_host_port_type(lport->host) = FC_PORTTYPE_NPORT;
36782 fc_host_node_name(lport->host) = lport->wwnn;
36783 diff -urNp linux-2.6.32.43/drivers/scsi/libfc/fc_rport.c linux-2.6.32.43/drivers/scsi/libfc/fc_rport.c
36784 --- linux-2.6.32.43/drivers/scsi/libfc/fc_rport.c 2011-03-27 14:31:47.000000000 -0400
36785 +++ linux-2.6.32.43/drivers/scsi/libfc/fc_rport.c 2011-08-05 20:33:55.000000000 -0400
36786 @@ -1566,25 +1566,25 @@ static void fc_rport_flush_queue(void)
36787 int fc_rport_init(struct fc_lport *lport)
36788 {
36789 if (!lport->tt.rport_lookup)
36790 - lport->tt.rport_lookup = fc_rport_lookup;
36791 + *(void **)&lport->tt.rport_lookup = fc_rport_lookup;
36792
36793 if (!lport->tt.rport_create)
36794 - lport->tt.rport_create = fc_rport_create;
36795 + *(void **)&lport->tt.rport_create = fc_rport_create;
36796
36797 if (!lport->tt.rport_login)
36798 - lport->tt.rport_login = fc_rport_login;
36799 + *(void **)&lport->tt.rport_login = fc_rport_login;
36800
36801 if (!lport->tt.rport_logoff)
36802 - lport->tt.rport_logoff = fc_rport_logoff;
36803 + *(void **)&lport->tt.rport_logoff = fc_rport_logoff;
36804
36805 if (!lport->tt.rport_recv_req)
36806 - lport->tt.rport_recv_req = fc_rport_recv_req;
36807 + *(void **)&lport->tt.rport_recv_req = fc_rport_recv_req;
36808
36809 if (!lport->tt.rport_flush_queue)
36810 - lport->tt.rport_flush_queue = fc_rport_flush_queue;
36811 + *(void **)&lport->tt.rport_flush_queue = fc_rport_flush_queue;
36812
36813 if (!lport->tt.rport_destroy)
36814 - lport->tt.rport_destroy = fc_rport_destroy;
36815 + *(void **)&lport->tt.rport_destroy = fc_rport_destroy;
36816
36817 return 0;
36818 }
36819 diff -urNp linux-2.6.32.43/drivers/scsi/libsas/sas_ata.c linux-2.6.32.43/drivers/scsi/libsas/sas_ata.c
36820 --- linux-2.6.32.43/drivers/scsi/libsas/sas_ata.c 2011-03-27 14:31:47.000000000 -0400
36821 +++ linux-2.6.32.43/drivers/scsi/libsas/sas_ata.c 2011-04-23 12:56:11.000000000 -0400
36822 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
36823 }
36824 }
36825
36826 -static struct ata_port_operations sas_sata_ops = {
36827 +static const struct ata_port_operations sas_sata_ops = {
36828 .phy_reset = sas_ata_phy_reset,
36829 .post_internal_cmd = sas_ata_post_internal,
36830 .qc_defer = ata_std_qc_defer,
36831 diff -urNp linux-2.6.32.43/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.43/drivers/scsi/lpfc/lpfc_debugfs.c
36832 --- linux-2.6.32.43/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-27 14:31:47.000000000 -0400
36833 +++ linux-2.6.32.43/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:46:57.000000000 -0400
36834 @@ -124,7 +124,7 @@ struct lpfc_debug {
36835 int len;
36836 };
36837
36838 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
36839 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
36840 static unsigned long lpfc_debugfs_start_time = 0L;
36841
36842 /**
36843 @@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
36844 lpfc_debugfs_enable = 0;
36845
36846 len = 0;
36847 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
36848 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
36849 (lpfc_debugfs_max_disc_trc - 1);
36850 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
36851 dtp = vport->disc_trc + i;
36852 @@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
36853 lpfc_debugfs_enable = 0;
36854
36855 len = 0;
36856 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
36857 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
36858 (lpfc_debugfs_max_slow_ring_trc - 1);
36859 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
36860 dtp = phba->slow_ring_trc + i;
36861 @@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
36862 uint32_t *ptr;
36863 char buffer[1024];
36864
36865 + pax_track_stack();
36866 +
36867 off = 0;
36868 spin_lock_irq(&phba->hbalock);
36869
36870 @@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
36871 !vport || !vport->disc_trc)
36872 return;
36873
36874 - index = atomic_inc_return(&vport->disc_trc_cnt) &
36875 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
36876 (lpfc_debugfs_max_disc_trc - 1);
36877 dtp = vport->disc_trc + index;
36878 dtp->fmt = fmt;
36879 dtp->data1 = data1;
36880 dtp->data2 = data2;
36881 dtp->data3 = data3;
36882 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
36883 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
36884 dtp->jif = jiffies;
36885 #endif
36886 return;
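Review bot: Once `atomic_inc_return_unchecked(&vport->disc_trc_cnt)` is allowed to wrap, the only bound on `index` into vport->disc_trc is the `& (lpfc_debugfs_max_disc_trc - 1)` mask, and that is a valid bound only if lpfc_debugfs_max_disc_trc is a power of two, which the hunk does not show. A comment at the index computation such as `/* trace ring: counter may wrap; size must be a power of two for this mask */` would record the invariant, and the initialisation path should be checked to confirm it is enforced. The same holds for slow_ring_trc_cnt in lpfc_debugfs_slow_ring_trc and for the two *_trc_data readers. lpfc_debugfs_disc_trc starts outside the hunk.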
36887 @@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
36888 !phba || !phba->slow_ring_trc)
36889 return;
36890
36891 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
36892 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
36893 (lpfc_debugfs_max_slow_ring_trc - 1);
36894 dtp = phba->slow_ring_trc + index;
36895 dtp->fmt = fmt;
36896 dtp->data1 = data1;
36897 dtp->data2 = data2;
36898 dtp->data3 = data3;
36899 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
36900 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
36901 dtp->jif = jiffies;
36902 #endif
36903 return;
36904 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
36905 "slow_ring buffer\n");
36906 goto debug_failed;
36907 }
36908 - atomic_set(&phba->slow_ring_trc_cnt, 0);
36909 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
36910 memset(phba->slow_ring_trc, 0,
36911 (sizeof(struct lpfc_debugfs_trc) *
36912 lpfc_debugfs_max_slow_ring_trc));
36913 @@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
36914 "buffer\n");
36915 goto debug_failed;
36916 }
36917 - atomic_set(&vport->disc_trc_cnt, 0);
36918 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
36919
36920 snprintf(name, sizeof(name), "discovery_trace");
36921 vport->debug_disc_trc =
36922 diff -urNp linux-2.6.32.43/drivers/scsi/lpfc/lpfc.h linux-2.6.32.43/drivers/scsi/lpfc/lpfc.h
36923 --- linux-2.6.32.43/drivers/scsi/lpfc/lpfc.h 2011-03-27 14:31:47.000000000 -0400
36924 +++ linux-2.6.32.43/drivers/scsi/lpfc/lpfc.h 2011-05-04 17:56:28.000000000 -0400
36925 @@ -400,7 +400,7 @@ struct lpfc_vport {
36926 struct dentry *debug_nodelist;
36927 struct dentry *vport_debugfs_root;
36928 struct lpfc_debugfs_trc *disc_trc;
36929 - atomic_t disc_trc_cnt;
36930 + atomic_unchecked_t disc_trc_cnt;
36931 #endif
36932 uint8_t stat_data_enabled;
36933 uint8_t stat_data_blocked;
36934 @@ -725,8 +725,8 @@ struct lpfc_hba {
36935 struct timer_list fabric_block_timer;
36936 unsigned long bit_flags;
36937 #define FABRIC_COMANDS_BLOCKED 0
36938 - atomic_t num_rsrc_err;
36939 - atomic_t num_cmd_success;
36940 + atomic_unchecked_t num_rsrc_err;
36941 + atomic_unchecked_t num_cmd_success;
36942 unsigned long last_rsrc_error_time;
36943 unsigned long last_ramp_down_time;
36944 unsigned long last_ramp_up_time;
36945 @@ -740,7 +740,7 @@ struct lpfc_hba {
36946 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
36947 struct dentry *debug_slow_ring_trc;
36948 struct lpfc_debugfs_trc *slow_ring_trc;
36949 - atomic_t slow_ring_trc_cnt;
36950 + atomic_unchecked_t slow_ring_trc_cnt;
36951 #endif
36952
36953 /* Used for deferred freeing of ELS data buffers */
36954 diff -urNp linux-2.6.32.43/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.43/drivers/scsi/lpfc/lpfc_init.c
36955 --- linux-2.6.32.43/drivers/scsi/lpfc/lpfc_init.c 2011-03-27 14:31:47.000000000 -0400
36956 +++ linux-2.6.32.43/drivers/scsi/lpfc/lpfc_init.c 2011-08-05 20:33:55.000000000 -0400
36957 @@ -8021,8 +8021,10 @@ lpfc_init(void)
36958 printk(LPFC_COPYRIGHT "\n");
36959
36960 if (lpfc_enable_npiv) {
36961 - lpfc_transport_functions.vport_create = lpfc_vport_create;
36962 - lpfc_transport_functions.vport_delete = lpfc_vport_delete;
36963 + pax_open_kernel();
36964 + *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
36965 + *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
36966 + pax_close_kernel();
36967 }
36968 lpfc_transport_template =
36969 fc_attach_transport(&lpfc_transport_functions);
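Review bot: The two stores inside the `pax_open_kernel()` / `pax_close_kernel()` window are written as `*(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;`, which drops the compiler's check that lpfc_vport_create and lpfc_vport_delete match the member prototypes. There is also no comment saying that lpfc_transport_functions is otherwise read-only (inferred from the open/close pair) and that nothing else belongs inside the window. I would add `/* lpfc_transport_functions is read-only outside this window; keep only these two stores inside it */` above `pax_open_kernel();`. lpfc_init starts before and continues after the hunk.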
36970 diff -urNp linux-2.6.32.43/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.43/drivers/scsi/lpfc/lpfc_scsi.c
36971 --- linux-2.6.32.43/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-27 14:31:47.000000000 -0400
36972 +++ linux-2.6.32.43/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-04 17:56:28.000000000 -0400
36973 @@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
36974 uint32_t evt_posted;
36975
36976 spin_lock_irqsave(&phba->hbalock, flags);
36977 - atomic_inc(&phba->num_rsrc_err);
36978 + atomic_inc_unchecked(&phba->num_rsrc_err);
36979 phba->last_rsrc_error_time = jiffies;
36980
36981 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
36982 @@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
36983 unsigned long flags;
36984 struct lpfc_hba *phba = vport->phba;
36985 uint32_t evt_posted;
36986 - atomic_inc(&phba->num_cmd_success);
36987 + atomic_inc_unchecked(&phba->num_cmd_success);
36988
36989 if (vport->cfg_lun_queue_depth <= queue_depth)
36990 return;
36991 @@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
36992 int i;
36993 struct lpfc_rport_data *rdata;
36994
36995 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
36996 - num_cmd_success = atomic_read(&phba->num_cmd_success);
36997 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
36998 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
36999
37000 vports = lpfc_create_vport_work_array(phba);
37001 if (vports != NULL)
37002 @@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
37003 }
37004 }
37005 lpfc_destroy_vport_work_array(phba, vports);
37006 - atomic_set(&phba->num_rsrc_err, 0);
37007 - atomic_set(&phba->num_cmd_success, 0);
37008 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
37009 + atomic_set_unchecked(&phba->num_cmd_success, 0);
37010 }
37011
37012 /**
37013 @@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
37014 }
37015 }
37016 lpfc_destroy_vport_work_array(phba, vports);
37017 - atomic_set(&phba->num_rsrc_err, 0);
37018 - atomic_set(&phba->num_cmd_success, 0);
37019 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
37020 + atomic_set_unchecked(&phba->num_cmd_success, 0);
37021 }
37022
37023 /**
37024 diff -urNp linux-2.6.32.43/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.43/drivers/scsi/megaraid/megaraid_mbox.c
37025 --- linux-2.6.32.43/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-27 14:31:47.000000000 -0400
37026 +++ linux-2.6.32.43/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:46:57.000000000 -0400
37027 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
37028 int rval;
37029 int i;
37030
37031 + pax_track_stack();
37032 +
37033 // Allocate memory for the base list of scb for management module.
37034 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
37035
37036 diff -urNp linux-2.6.32.43/drivers/scsi/osd/osd_initiator.c linux-2.6.32.43/drivers/scsi/osd/osd_initiator.c
37037 --- linux-2.6.32.43/drivers/scsi/osd/osd_initiator.c 2011-03-27 14:31:47.000000000 -0400
37038 +++ linux-2.6.32.43/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:46:57.000000000 -0400
37039 @@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
37040 int nelem = ARRAY_SIZE(get_attrs), a = 0;
37041 int ret;
37042
37043 + pax_track_stack();
37044 +
37045 or = osd_start_request(od, GFP_KERNEL);
37046 if (!or)
37047 return -ENOMEM;
37048 diff -urNp linux-2.6.32.43/drivers/scsi/pmcraid.c linux-2.6.32.43/drivers/scsi/pmcraid.c
37049 --- linux-2.6.32.43/drivers/scsi/pmcraid.c 2011-05-10 22:12:01.000000000 -0400
37050 +++ linux-2.6.32.43/drivers/scsi/pmcraid.c 2011-05-10 22:12:33.000000000 -0400
37051 @@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
37052 res->scsi_dev = scsi_dev;
37053 scsi_dev->hostdata = res;
37054 res->change_detected = 0;
37055 - atomic_set(&res->read_failures, 0);
37056 - atomic_set(&res->write_failures, 0);
37057 + atomic_set_unchecked(&res->read_failures, 0);
37058 + atomic_set_unchecked(&res->write_failures, 0);
37059 rc = 0;
37060 }
37061 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
37062 @@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
37063
37064 /* If this was a SCSI read/write command keep count of errors */
37065 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
37066 - atomic_inc(&res->read_failures);
37067 + atomic_inc_unchecked(&res->read_failures);
37068 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
37069 - atomic_inc(&res->write_failures);
37070 + atomic_inc_unchecked(&res->write_failures);
37071
37072 if (!RES_IS_GSCSI(res->cfg_entry) &&
37073 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
37074 @@ -4113,7 +4113,7 @@ static void pmcraid_worker_function(stru
37075
37076 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
37077 /* add resources only after host is added into system */
37078 - if (!atomic_read(&pinstance->expose_resources))
37079 + if (!atomic_read_unchecked(&pinstance->expose_resources))
37080 return;
37081
37082 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
37083 @@ -4847,7 +4847,7 @@ static int __devinit pmcraid_init_instan
37084 init_waitqueue_head(&pinstance->reset_wait_q);
37085
37086 atomic_set(&pinstance->outstanding_cmds, 0);
37087 - atomic_set(&pinstance->expose_resources, 0);
37088 + atomic_set_unchecked(&pinstance->expose_resources, 0);
37089
37090 INIT_LIST_HEAD(&pinstance->free_res_q);
37091 INIT_LIST_HEAD(&pinstance->used_res_q);
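Review bot: expose_resources is moved to the unchecked type, but in every visible use it is only set to 0 or 1 and read, never incremented, so overflow detection could not trigger on it either way. Unless pmcraid.c increments it somewhere outside these hunks, leaving it an atomic_t like outstanding_cmds on the line above (`atomic_set(&pinstance->expose_resources, 0);`) would remove this hunk, the ones in pmcraid_worker_function and pmcraid_probe, and the field change in pmcraid.h. If the conversion is kept for another reason, the header comment on the field should say so. pmcraid_init_instance starts outside the hunk.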
37092 @@ -5499,7 +5499,7 @@ static int __devinit pmcraid_probe(
37093 /* Schedule worker thread to handle CCN and take care of adding and
37094 * removing devices to OS
37095 */
37096 - atomic_set(&pinstance->expose_resources, 1);
37097 + atomic_set_unchecked(&pinstance->expose_resources, 1);
37098 schedule_work(&pinstance->worker_q);
37099 return rc;
37100
37101 diff -urNp linux-2.6.32.43/drivers/scsi/pmcraid.h linux-2.6.32.43/drivers/scsi/pmcraid.h
37102 --- linux-2.6.32.43/drivers/scsi/pmcraid.h 2011-03-27 14:31:47.000000000 -0400
37103 +++ linux-2.6.32.43/drivers/scsi/pmcraid.h 2011-05-04 17:56:28.000000000 -0400
37104 @@ -690,7 +690,7 @@ struct pmcraid_instance {
37105 atomic_t outstanding_cmds;
37106
37107 /* should add/delete resources to mid-layer now ?*/
37108 - atomic_t expose_resources;
37109 + atomic_unchecked_t expose_resources;
37110
37111 /* Tasklet to handle deferred processing */
37112 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
37113 @@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
37114 struct list_head queue; /* link to "to be exposed" resources */
37115 struct pmcraid_config_table_entry cfg_entry;
37116 struct scsi_device *scsi_dev; /* Link scsi_device structure */
37117 - atomic_t read_failures; /* count of failed READ commands */
37118 - atomic_t write_failures; /* count of failed WRITE commands */
37119 + atomic_unchecked_t read_failures; /* count of failed READ commands */
37120 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
37121
37122 /* To indicate add/delete/modify during CCN */
37123 u8 change_detected;
37124 diff -urNp linux-2.6.32.43/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.43/drivers/scsi/qla2xxx/qla_def.h
37125 --- linux-2.6.32.43/drivers/scsi/qla2xxx/qla_def.h 2011-03-27 14:31:47.000000000 -0400
37126 +++ linux-2.6.32.43/drivers/scsi/qla2xxx/qla_def.h 2011-08-05 20:33:55.000000000 -0400
37127 @@ -2089,7 +2089,7 @@ struct isp_operations {
37128
37129 int (*get_flash_version) (struct scsi_qla_host *, void *);
37130 int (*start_scsi) (srb_t *);
37131 -};
37132 +} __no_const;
37133
37134 /* MSI-X Support *************************************************************/
37135
37136 diff -urNp linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_def.h
37137 --- linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_def.h 2011-03-27 14:31:47.000000000 -0400
37138 +++ linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_def.h 2011-05-04 17:56:28.000000000 -0400
37139 @@ -240,7 +240,7 @@ struct ddb_entry {
37140 atomic_t retry_relogin_timer; /* Min Time between relogins
37141 * (4000 only) */
37142 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
37143 - atomic_t relogin_retry_count; /* Num of times relogin has been
37144 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
37145 * retried */
37146
37147 uint16_t port;
37148 diff -urNp linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_init.c
37149 --- linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_init.c 2011-03-27 14:31:47.000000000 -0400
37150 +++ linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_init.c 2011-05-04 17:56:28.000000000 -0400
37151 @@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
37152 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
37153 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
37154 atomic_set(&ddb_entry->relogin_timer, 0);
37155 - atomic_set(&ddb_entry->relogin_retry_count, 0);
37156 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
37157 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
37158 list_add_tail(&ddb_entry->list, &ha->ddb_list);
37159 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
37160 @@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
37161 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
37162 atomic_set(&ddb_entry->port_down_timer,
37163 ha->port_down_retry_count);
37164 - atomic_set(&ddb_entry->relogin_retry_count, 0);
37165 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
37166 atomic_set(&ddb_entry->relogin_timer, 0);
37167 clear_bit(DF_RELOGIN, &ddb_entry->flags);
37168 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
37169 diff -urNp linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_os.c
37170 --- linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_os.c 2011-03-27 14:31:47.000000000 -0400
37171 +++ linux-2.6.32.43/drivers/scsi/qla4xxx/ql4_os.c 2011-05-04 17:56:28.000000000 -0400
37172 @@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
37173 ddb_entry->fw_ddb_device_state ==
37174 DDB_DS_SESSION_FAILED) {
37175 /* Reset retry relogin timer */
37176 - atomic_inc(&ddb_entry->relogin_retry_count);
37177 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
37178 DEBUG2(printk("scsi%ld: index[%d] relogin"
37179 " timed out-retrying"
37180 " relogin (%d)\n",
37181 ha->host_no,
37182 ddb_entry->fw_ddb_index,
37183 - atomic_read(&ddb_entry->
37184 + atomic_read_unchecked(&ddb_entry->
37185 relogin_retry_count))
37186 );
37187 start_dpc++;
37188 diff -urNp linux-2.6.32.43/drivers/scsi/scsi.c linux-2.6.32.43/drivers/scsi/scsi.c
37189 --- linux-2.6.32.43/drivers/scsi/scsi.c 2011-03-27 14:31:47.000000000 -0400
37190 +++ linux-2.6.32.43/drivers/scsi/scsi.c 2011-05-04 17:56:28.000000000 -0400
37191 @@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
37192 unsigned long timeout;
37193 int rtn = 0;
37194
37195 - atomic_inc(&cmd->device->iorequest_cnt);
37196 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
37197
37198 /* check if the device is still usable */
37199 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
37200 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_debug.c linux-2.6.32.43/drivers/scsi/scsi_debug.c
37201 --- linux-2.6.32.43/drivers/scsi/scsi_debug.c 2011-03-27 14:31:47.000000000 -0400
37202 +++ linux-2.6.32.43/drivers/scsi/scsi_debug.c 2011-05-16 21:46:57.000000000 -0400
37203 @@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
37204 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
37205 unsigned char *cmd = (unsigned char *)scp->cmnd;
37206
37207 + pax_track_stack();
37208 +
37209 if ((errsts = check_readiness(scp, 1, devip)))
37210 return errsts;
37211 memset(arr, 0, sizeof(arr));
37212 @@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
37213 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
37214 unsigned char *cmd = (unsigned char *)scp->cmnd;
37215
37216 + pax_track_stack();
37217 +
37218 if ((errsts = check_readiness(scp, 1, devip)))
37219 return errsts;
37220 memset(arr, 0, sizeof(arr));
37221 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_lib.c linux-2.6.32.43/drivers/scsi/scsi_lib.c
37222 --- linux-2.6.32.43/drivers/scsi/scsi_lib.c 2011-05-10 22:12:01.000000000 -0400
37223 +++ linux-2.6.32.43/drivers/scsi/scsi_lib.c 2011-05-10 22:12:33.000000000 -0400
37224 @@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
37225
37226 scsi_init_cmd_errh(cmd);
37227 cmd->result = DID_NO_CONNECT << 16;
37228 - atomic_inc(&cmd->device->iorequest_cnt);
37229 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
37230
37231 /*
37232 * SCSI request completion path will do scsi_device_unbusy(),
37233 @@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
37234 */
37235 cmd->serial_number = 0;
37236
37237 - atomic_inc(&cmd->device->iodone_cnt);
37238 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
37239 if (cmd->result)
37240 - atomic_inc(&cmd->device->ioerr_cnt);
37241 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
37242
37243 disposition = scsi_decide_disposition(cmd);
37244 if (disposition != SUCCESS &&
37245 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_sysfs.c linux-2.6.32.43/drivers/scsi/scsi_sysfs.c
37246 --- linux-2.6.32.43/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:34.000000000 -0400
37247 +++ linux-2.6.32.43/drivers/scsi/scsi_sysfs.c 2011-06-25 12:56:37.000000000 -0400
37248 @@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
37249 char *buf) \
37250 { \
37251 struct scsi_device *sdev = to_scsi_device(dev); \
37252 - unsigned long long count = atomic_read(&sdev->field); \
37253 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
37254 return snprintf(buf, 20, "0x%llx\n", count); \
37255 } \
37256 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
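Review bot: In `show_iostat_##field`, the result of `atomic_read_unchecked()` is assigned directly to `unsigned long long count`. If that helper returns a signed int as `atomic_read()` does, a counter that has wrapped past INT_MAX is sign-extended and printed with the upper 32 bits set. The `_unchecked` conversion marks these statistics as counters that are allowed to wrap, so the read should go through an unsigned type first: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. The 20-byte bound passed to snprintf still covers the widest value either way. The macro definition starts outside the hunk.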
37257 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_transport_fc.c linux-2.6.32.43/drivers/scsi/scsi_transport_fc.c
37258 --- linux-2.6.32.43/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
37259 +++ linux-2.6.32.43/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
37260 @@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
37261 * Netlink Infrastructure
37262 */
37263
37264 -static atomic_t fc_event_seq;
37265 +static atomic_unchecked_t fc_event_seq;
37266
37267 /**
37268 * fc_get_event_number - Obtain the next sequential FC event number
37269 @@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
37270 u32
37271 fc_get_event_number(void)
37272 {
37273 - return atomic_add_return(1, &fc_event_seq);
37274 + return atomic_add_return_unchecked(1, &fc_event_seq);
37275 }
37276 EXPORT_SYMBOL(fc_get_event_number);
37277
37278 @@ -641,7 +641,7 @@ static __init int fc_transport_init(void
37279 {
37280 int error;
37281
37282 - atomic_set(&fc_event_seq, 0);
37283 + atomic_set_unchecked(&fc_event_seq, 0);
37284
37285 error = transport_class_register(&fc_host_class);
37286 if (error)
37287 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.43/drivers/scsi/scsi_transport_iscsi.c
37288 --- linux-2.6.32.43/drivers/scsi/scsi_transport_iscsi.c 2011-03-27 14:31:47.000000000 -0400
37289 +++ linux-2.6.32.43/drivers/scsi/scsi_transport_iscsi.c 2011-05-04 17:56:28.000000000 -0400
37290 @@ -81,7 +81,7 @@ struct iscsi_internal {
37291 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
37292 };
37293
37294 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
37295 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
37296 static struct workqueue_struct *iscsi_eh_timer_workq;
37297
37298 /*
37299 @@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
37300 int err;
37301
37302 ihost = shost->shost_data;
37303 - session->sid = atomic_add_return(1, &iscsi_session_nr);
37304 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
37305
37306 if (id == ISCSI_MAX_TARGET) {
37307 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
37308 @@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
37309 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
37310 ISCSI_TRANSPORT_VERSION);
37311
37312 - atomic_set(&iscsi_session_nr, 0);
37313 + atomic_set_unchecked(&iscsi_session_nr, 0);
37314
37315 err = class_register(&iscsi_transport_class);
37316 if (err)
37317 diff -urNp linux-2.6.32.43/drivers/scsi/scsi_transport_srp.c linux-2.6.32.43/drivers/scsi/scsi_transport_srp.c
37318 --- linux-2.6.32.43/drivers/scsi/scsi_transport_srp.c 2011-03-27 14:31:47.000000000 -0400
37319 +++ linux-2.6.32.43/drivers/scsi/scsi_transport_srp.c 2011-05-04 17:56:28.000000000 -0400
37320 @@ -33,7 +33,7 @@
37321 #include "scsi_transport_srp_internal.h"
37322
37323 struct srp_host_attrs {
37324 - atomic_t next_port_id;
37325 + atomic_unchecked_t next_port_id;
37326 };
37327 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
37328
37329 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
37330 struct Scsi_Host *shost = dev_to_shost(dev);
37331 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
37332
37333 - atomic_set(&srp_host->next_port_id, 0);
37334 + atomic_set_unchecked(&srp_host->next_port_id, 0);
37335 return 0;
37336 }
37337
37338 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
37339 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
37340 rport->roles = ids->roles;
37341
37342 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
37343 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
37344 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
37345
37346 transport_setup_device(&rport->dev);
37347 diff -urNp linux-2.6.32.43/drivers/scsi/sg.c linux-2.6.32.43/drivers/scsi/sg.c
37348 --- linux-2.6.32.43/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
37349 +++ linux-2.6.32.43/drivers/scsi/sg.c 2011-04-17 15:56:46.000000000 -0400
37350 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
37351 const struct file_operations * fops;
37352 };
37353
37354 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
37355 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
37356 {"allow_dio", &adio_fops},
37357 {"debug", &debug_fops},
37358 {"def_reserved_size", &dressz_fops},
37359 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
37360 {
37361 int k, mask;
37362 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
37363 - struct sg_proc_leaf * leaf;
37364 + const struct sg_proc_leaf * leaf;
37365
37366 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
37367 if (!sg_proc_sgp)
37368 diff -urNp linux-2.6.32.43/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.43/drivers/scsi/sym53c8xx_2/sym_glue.c
37369 --- linux-2.6.32.43/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-27 14:31:47.000000000 -0400
37370 +++ linux-2.6.32.43/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:46:57.000000000 -0400
37371 @@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
37372 int do_iounmap = 0;
37373 int do_disable_device = 1;
37374
37375 + pax_track_stack();
37376 +
37377 memset(&sym_dev, 0, sizeof(sym_dev));
37378 memset(&nvram, 0, sizeof(nvram));
37379 sym_dev.pdev = pdev;
37380 diff -urNp linux-2.6.32.43/drivers/serial/kgdboc.c linux-2.6.32.43/drivers/serial/kgdboc.c
37381 --- linux-2.6.32.43/drivers/serial/kgdboc.c 2011-03-27 14:31:47.000000000 -0400
37382 +++ linux-2.6.32.43/drivers/serial/kgdboc.c 2011-04-17 15:56:46.000000000 -0400
37383 @@ -18,7 +18,7 @@
37384
37385 #define MAX_CONFIG_LEN 40
37386
37387 -static struct kgdb_io kgdboc_io_ops;
37388 +static const struct kgdb_io kgdboc_io_ops;
37389
37390 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
37391 static int configured = -1;
37392 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
37393 module_put(THIS_MODULE);
37394 }
37395
37396 -static struct kgdb_io kgdboc_io_ops = {
37397 +static const struct kgdb_io kgdboc_io_ops = {
37398 .name = "kgdboc",
37399 .read_char = kgdboc_get_char,
37400 .write_char = kgdboc_put_char,
37401 diff -urNp linux-2.6.32.43/drivers/spi/spi.c linux-2.6.32.43/drivers/spi/spi.c
37402 --- linux-2.6.32.43/drivers/spi/spi.c 2011-03-27 14:31:47.000000000 -0400
37403 +++ linux-2.6.32.43/drivers/spi/spi.c 2011-05-04 17:56:28.000000000 -0400
37404 @@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
37405 EXPORT_SYMBOL_GPL(spi_sync);
37406
37407 /* portable code must never pass more than 32 bytes */
37408 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
37409 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
37410
37411 static u8 *buf;
37412
37413 diff -urNp linux-2.6.32.43/drivers/ssb/driver_gige.c linux-2.6.32.43/drivers/ssb/driver_gige.c
37414 --- linux-2.6.32.43/drivers/ssb/driver_gige.c 2011-03-27 14:31:47.000000000 -0400
37415 +++ linux-2.6.32.43/drivers/ssb/driver_gige.c 2011-08-05 20:33:55.000000000 -0400
37416 @@ -180,8 +180,8 @@ static int ssb_gige_probe(struct ssb_dev
37417 dev->pci_controller.io_resource = &dev->io_resource;
37418 dev->pci_controller.mem_resource = &dev->mem_resource;
37419 dev->pci_controller.io_map_base = 0x800;
37420 - dev->pci_ops.read = ssb_gige_pci_read_config;
37421 - dev->pci_ops.write = ssb_gige_pci_write_config;
37422 + *(void **)&dev->pci_ops.read = ssb_gige_pci_read_config;
37423 + *(void **)&dev->pci_ops.write = ssb_gige_pci_write_config;
37424
37425 dev->io_resource.name = SSB_GIGE_IO_RES_NAME;
37426 dev->io_resource.start = 0x800;
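Review bot: The two stores `*(void **)&dev->pci_ops.read = ...` and `*(void **)&dev->pci_ops.write = ...` go through `void **`, so the compiler no longer checks that `ssb_gige_pci_read_config` and `ssb_gige_pci_write_config` match the member's function-pointer type. The cast presumably exists because the ops members are const-qualified elsewhere in this patch, which is not visible here. Saying so in the code keeps the pattern from being copied for ordinary assignments, for example `/* pci_ops members are const in this tree; one-time init, handler signatures are not type-checked by this store */` above the two lines. The body of `ssb_gige_probe` continues outside the hunk.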
37427 diff -urNp linux-2.6.32.43/drivers/staging/android/binder.c linux-2.6.32.43/drivers/staging/android/binder.c
37428 --- linux-2.6.32.43/drivers/staging/android/binder.c 2011-03-27 14:31:47.000000000 -0400
37429 +++ linux-2.6.32.43/drivers/staging/android/binder.c 2011-04-17 15:56:46.000000000 -0400
37430 @@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
37431 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
37432 }
37433
37434 -static struct vm_operations_struct binder_vm_ops = {
37435 +static const struct vm_operations_struct binder_vm_ops = {
37436 .open = binder_vma_open,
37437 .close = binder_vma_close,
37438 };
37439 diff -urNp linux-2.6.32.43/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.43/drivers/staging/b3dfg/b3dfg.c
37440 --- linux-2.6.32.43/drivers/staging/b3dfg/b3dfg.c 2011-03-27 14:31:47.000000000 -0400
37441 +++ linux-2.6.32.43/drivers/staging/b3dfg/b3dfg.c 2011-04-17 15:56:46.000000000 -0400
37442 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
37443 return VM_FAULT_NOPAGE;
37444 }
37445
37446 -static struct vm_operations_struct b3dfg_vm_ops = {
37447 +static const struct vm_operations_struct b3dfg_vm_ops = {
37448 .fault = b3dfg_vma_fault,
37449 };
37450
37451 @@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
37452 return r;
37453 }
37454
37455 -static struct file_operations b3dfg_fops = {
37456 +static const struct file_operations b3dfg_fops = {
37457 .owner = THIS_MODULE,
37458 .open = b3dfg_open,
37459 .release = b3dfg_release,
37460 diff -urNp linux-2.6.32.43/drivers/staging/comedi/comedi_fops.c linux-2.6.32.43/drivers/staging/comedi/comedi_fops.c
37461 --- linux-2.6.32.43/drivers/staging/comedi/comedi_fops.c 2011-03-27 14:31:47.000000000 -0400
37462 +++ linux-2.6.32.43/drivers/staging/comedi/comedi_fops.c 2011-04-17 15:56:46.000000000 -0400
37463 @@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
37464 mutex_unlock(&dev->mutex);
37465 }
37466
37467 -static struct vm_operations_struct comedi_vm_ops = {
37468 +static const struct vm_operations_struct comedi_vm_ops = {
37469 .close = comedi_unmap,
37470 };
37471
37472 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.43/drivers/staging/dream/qdsp5/adsp_driver.c
37473 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/adsp_driver.c 2011-03-27 14:31:47.000000000 -0400
37474 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/adsp_driver.c 2011-04-17 15:56:46.000000000 -0400
37475 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
37476 static dev_t adsp_devno;
37477 static struct class *adsp_class;
37478
37479 -static struct file_operations adsp_fops = {
37480 +static const struct file_operations adsp_fops = {
37481 .owner = THIS_MODULE,
37482 .open = adsp_open,
37483 .unlocked_ioctl = adsp_ioctl,
37484 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_aac.c
37485 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_aac.c 2011-03-27 14:31:47.000000000 -0400
37486 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_aac.c 2011-04-17 15:56:46.000000000 -0400
37487 @@ -1022,7 +1022,7 @@ done:
37488 return rc;
37489 }
37490
37491 -static struct file_operations audio_aac_fops = {
37492 +static const struct file_operations audio_aac_fops = {
37493 .owner = THIS_MODULE,
37494 .open = audio_open,
37495 .release = audio_release,
37496 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_amrnb.c
37497 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-03-27 14:31:47.000000000 -0400
37498 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-04-17 15:56:46.000000000 -0400
37499 @@ -833,7 +833,7 @@ done:
37500 return rc;
37501 }
37502
37503 -static struct file_operations audio_amrnb_fops = {
37504 +static const struct file_operations audio_amrnb_fops = {
37505 .owner = THIS_MODULE,
37506 .open = audamrnb_open,
37507 .release = audamrnb_release,
37508 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_evrc.c
37509 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_evrc.c 2011-03-27 14:31:47.000000000 -0400
37510 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_evrc.c 2011-04-17 15:56:46.000000000 -0400
37511 @@ -805,7 +805,7 @@ dma_fail:
37512 return rc;
37513 }
37514
37515 -static struct file_operations audio_evrc_fops = {
37516 +static const struct file_operations audio_evrc_fops = {
37517 .owner = THIS_MODULE,
37518 .open = audevrc_open,
37519 .release = audevrc_release,
37520 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_in.c
37521 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_in.c 2011-03-27 14:31:47.000000000 -0400
37522 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_in.c 2011-04-17 15:56:46.000000000 -0400
37523 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
37524 return 0;
37525 }
37526
37527 -static struct file_operations audio_fops = {
37528 +static const struct file_operations audio_fops = {
37529 .owner = THIS_MODULE,
37530 .open = audio_in_open,
37531 .release = audio_in_release,
37532 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
37533 .unlocked_ioctl = audio_in_ioctl,
37534 };
37535
37536 -static struct file_operations audpre_fops = {
37537 +static const struct file_operations audpre_fops = {
37538 .owner = THIS_MODULE,
37539 .open = audpre_open,
37540 .unlocked_ioctl = audpre_ioctl,
37541 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_mp3.c
37542 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_mp3.c 2011-03-27 14:31:47.000000000 -0400
37543 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_mp3.c 2011-04-17 15:56:46.000000000 -0400
37544 @@ -941,7 +941,7 @@ done:
37545 return rc;
37546 }
37547
37548 -static struct file_operations audio_mp3_fops = {
37549 +static const struct file_operations audio_mp3_fops = {
37550 .owner = THIS_MODULE,
37551 .open = audio_open,
37552 .release = audio_release,
37553 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_out.c
37554 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_out.c 2011-03-27 14:31:47.000000000 -0400
37555 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_out.c 2011-04-17 15:56:46.000000000 -0400
37556 @@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
37557 return 0;
37558 }
37559
37560 -static struct file_operations audio_fops = {
37561 +static const struct file_operations audio_fops = {
37562 .owner = THIS_MODULE,
37563 .open = audio_open,
37564 .release = audio_release,
37565 @@ -819,7 +819,7 @@ static struct file_operations audio_fops
37566 .unlocked_ioctl = audio_ioctl,
37567 };
37568
37569 -static struct file_operations audpp_fops = {
37570 +static const struct file_operations audpp_fops = {
37571 .owner = THIS_MODULE,
37572 .open = audpp_open,
37573 .unlocked_ioctl = audpp_ioctl,
37574 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_qcelp.c
37575 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-03-27 14:31:47.000000000 -0400
37576 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-04-17 15:56:46.000000000 -0400
37577 @@ -816,7 +816,7 @@ err:
37578 return rc;
37579 }
37580
37581 -static struct file_operations audio_qcelp_fops = {
37582 +static const struct file_operations audio_qcelp_fops = {
37583 .owner = THIS_MODULE,
37584 .open = audqcelp_open,
37585 .release = audqcelp_release,
37586 diff -urNp linux-2.6.32.43/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.43/drivers/staging/dream/qdsp5/snd.c
37587 --- linux-2.6.32.43/drivers/staging/dream/qdsp5/snd.c 2011-03-27 14:31:47.000000000 -0400
37588 +++ linux-2.6.32.43/drivers/staging/dream/qdsp5/snd.c 2011-04-17 15:56:46.000000000 -0400
37589 @@ -242,7 +242,7 @@ err:
37590 return rc;
37591 }
37592
37593 -static struct file_operations snd_fops = {
37594 +static const struct file_operations snd_fops = {
37595 .owner = THIS_MODULE,
37596 .open = snd_open,
37597 .release = snd_release,
37598 diff -urNp linux-2.6.32.43/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.43/drivers/staging/dream/smd/smd_qmi.c
37599 --- linux-2.6.32.43/drivers/staging/dream/smd/smd_qmi.c 2011-03-27 14:31:47.000000000 -0400
37600 +++ linux-2.6.32.43/drivers/staging/dream/smd/smd_qmi.c 2011-04-17 15:56:46.000000000 -0400
37601 @@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
37602 return 0;
37603 }
37604
37605 -static struct file_operations qmi_fops = {
37606 +static const struct file_operations qmi_fops = {
37607 .owner = THIS_MODULE,
37608 .read = qmi_read,
37609 .write = qmi_write,
37610 diff -urNp linux-2.6.32.43/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.43/drivers/staging/dream/smd/smd_rpcrouter_device.c
37611 --- linux-2.6.32.43/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-03-27 14:31:47.000000000 -0400
37612 +++ linux-2.6.32.43/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-04-17 15:56:46.000000000 -0400
37613 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
37614 return rc;
37615 }
37616
37617 -static struct file_operations rpcrouter_server_fops = {
37618 +static const struct file_operations rpcrouter_server_fops = {
37619 .owner = THIS_MODULE,
37620 .open = rpcrouter_open,
37621 .release = rpcrouter_release,
37622 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
37623 .unlocked_ioctl = rpcrouter_ioctl,
37624 };
37625
37626 -static struct file_operations rpcrouter_router_fops = {
37627 +static const struct file_operations rpcrouter_router_fops = {
37628 .owner = THIS_MODULE,
37629 .open = rpcrouter_open,
37630 .release = rpcrouter_release,
37631 diff -urNp linux-2.6.32.43/drivers/staging/dst/dcore.c linux-2.6.32.43/drivers/staging/dst/dcore.c
37632 --- linux-2.6.32.43/drivers/staging/dst/dcore.c 2011-03-27 14:31:47.000000000 -0400
37633 +++ linux-2.6.32.43/drivers/staging/dst/dcore.c 2011-04-17 15:56:46.000000000 -0400
37634 @@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
37635 return 0;
37636 }
37637
37638 -static struct block_device_operations dst_blk_ops = {
37639 +static const struct block_device_operations dst_blk_ops = {
37640 .open = dst_bdev_open,
37641 .release = dst_bdev_release,
37642 .owner = THIS_MODULE,
37643 @@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
37644 n->size = ctl->size;
37645
37646 atomic_set(&n->refcnt, 1);
37647 - atomic_long_set(&n->gen, 0);
37648 + atomic_long_set_unchecked(&n->gen, 0);
37649 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
37650
37651 err = dst_node_sysfs_init(n);
37652 diff -urNp linux-2.6.32.43/drivers/staging/dst/trans.c linux-2.6.32.43/drivers/staging/dst/trans.c
37653 --- linux-2.6.32.43/drivers/staging/dst/trans.c 2011-03-27 14:31:47.000000000 -0400
37654 +++ linux-2.6.32.43/drivers/staging/dst/trans.c 2011-04-17 15:56:46.000000000 -0400
37655 @@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
37656 t->error = 0;
37657 t->retries = 0;
37658 atomic_set(&t->refcnt, 1);
37659 - t->gen = atomic_long_inc_return(&n->gen);
37660 + t->gen = atomic_long_inc_return_unchecked(&n->gen);
37661
37662 t->enc = bio_data_dir(bio);
37663 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
37664 diff -urNp linux-2.6.32.43/drivers/staging/et131x/et1310_tx.c linux-2.6.32.43/drivers/staging/et131x/et1310_tx.c
37665 --- linux-2.6.32.43/drivers/staging/et131x/et1310_tx.c 2011-03-27 14:31:47.000000000 -0400
37666 +++ linux-2.6.32.43/drivers/staging/et131x/et1310_tx.c 2011-05-04 17:56:28.000000000 -0400
37667 @@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
37668 struct net_device_stats *stats = &etdev->net_stats;
37669
37670 if (pMpTcb->Flags & fMP_DEST_BROAD)
37671 - atomic_inc(&etdev->Stats.brdcstxmt);
37672 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
37673 else if (pMpTcb->Flags & fMP_DEST_MULTI)
37674 - atomic_inc(&etdev->Stats.multixmt);
37675 + atomic_inc_unchecked(&etdev->Stats.multixmt);
37676 else
37677 - atomic_inc(&etdev->Stats.unixmt);
37678 + atomic_inc_unchecked(&etdev->Stats.unixmt);
37679
37680 if (pMpTcb->Packet) {
37681 stats->tx_bytes += pMpTcb->Packet->len;
37682 diff -urNp linux-2.6.32.43/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.43/drivers/staging/et131x/et131x_adapter.h
37683 --- linux-2.6.32.43/drivers/staging/et131x/et131x_adapter.h 2011-03-27 14:31:47.000000000 -0400
37684 +++ linux-2.6.32.43/drivers/staging/et131x/et131x_adapter.h 2011-05-04 17:56:28.000000000 -0400
37685 @@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
37686 * operations
37687 */
37688 u32 unircv; /* # multicast packets received */
37689 - atomic_t unixmt; /* # multicast packets for Tx */
37690 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
37691 u32 multircv; /* # multicast packets received */
37692 - atomic_t multixmt; /* # multicast packets for Tx */
37693 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
37694 u32 brdcstrcv; /* # broadcast packets received */
37695 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
37696 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
37697 u32 norcvbuf; /* # Rx packets discarded */
37698 u32 noxmtbuf; /* # Tx packets discarded */
37699
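Review bot: The comment on the retyped `unixmt` field still reads `# multicast packets for Tx`, the same text as on `multixmt`. The et1310_tx.c hunk in this patch increments `unixmt` in the final `else` branch of `et131x_free_send_packet`, when neither `fMP_DEST_BROAD` nor `fMP_DEST_MULTI` is set, so it counts unicast transmits. Since the line is being touched anyway, correct it: `atomic_unchecked_t unixmt; /* # unicast packets for Tx */`. The context line for `unircv` looks like it has the same copy-paste slip. The struct starts outside the hunk.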
37700 diff -urNp linux-2.6.32.43/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.43/drivers/staging/go7007/go7007-v4l2.c
37701 --- linux-2.6.32.43/drivers/staging/go7007/go7007-v4l2.c 2011-03-27 14:31:47.000000000 -0400
37702 +++ linux-2.6.32.43/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:56:46.000000000 -0400
37703 @@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
37704 return 0;
37705 }
37706
37707 -static struct vm_operations_struct go7007_vm_ops = {
37708 +static const struct vm_operations_struct go7007_vm_ops = {
37709 .open = go7007_vm_open,
37710 .close = go7007_vm_close,
37711 .fault = go7007_vm_fault,
37712 diff -urNp linux-2.6.32.43/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.43/drivers/staging/hv/blkvsc_drv.c
37713 --- linux-2.6.32.43/drivers/staging/hv/blkvsc_drv.c 2011-03-27 14:31:47.000000000 -0400
37714 +++ linux-2.6.32.43/drivers/staging/hv/blkvsc_drv.c 2011-04-17 15:56:46.000000000 -0400
37715 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
37716 /* The one and only one */
37717 static struct blkvsc_driver_context g_blkvsc_drv;
37718
37719 -static struct block_device_operations block_ops = {
37720 +static const struct block_device_operations block_ops = {
37721 .owner = THIS_MODULE,
37722 .open = blkvsc_open,
37723 .release = blkvsc_release,
37724 diff -urNp linux-2.6.32.43/drivers/staging/hv/Channel.c linux-2.6.32.43/drivers/staging/hv/Channel.c
37725 --- linux-2.6.32.43/drivers/staging/hv/Channel.c 2011-04-17 17:00:52.000000000 -0400
37726 +++ linux-2.6.32.43/drivers/staging/hv/Channel.c 2011-05-04 17:56:28.000000000 -0400
37727 @@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
37728
37729 DPRINT_ENTER(VMBUS);
37730
37731 - nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
37732 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
37733 + nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
37734 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
37735
37736 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
37737 ASSERT(msgInfo != NULL);
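Review bot: The handle is still taken with a separate `atomic_read_unchecked()` followed by `atomic_inc_unchecked()`, so two callers that interleave between the two statements get the same `nextGpadlHandle`. Whether callers of `VmbusChannelEstablishGpadl` are serialized elsewhere is not visible in this hunk. If they are not, a single operation closes the window and keeps the returned value unchanged: `nextGpadlHandle = atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle) - 1;`. The function body continues outside the hunk.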
37738 diff -urNp linux-2.6.32.43/drivers/staging/hv/Hv.c linux-2.6.32.43/drivers/staging/hv/Hv.c
37739 --- linux-2.6.32.43/drivers/staging/hv/Hv.c 2011-03-27 14:31:47.000000000 -0400
37740 +++ linux-2.6.32.43/drivers/staging/hv/Hv.c 2011-04-17 15:56:46.000000000 -0400
37741 @@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
37742 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
37743 u32 outputAddressHi = outputAddress >> 32;
37744 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
37745 - volatile void *hypercallPage = gHvContext.HypercallPage;
37746 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
37747
37748 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
37749 Control, Input, Output);
37750 diff -urNp linux-2.6.32.43/drivers/staging/hv/vmbus_drv.c linux-2.6.32.43/drivers/staging/hv/vmbus_drv.c
37751 --- linux-2.6.32.43/drivers/staging/hv/vmbus_drv.c 2011-03-27 14:31:47.000000000 -0400
37752 +++ linux-2.6.32.43/drivers/staging/hv/vmbus_drv.c 2011-05-04 17:56:28.000000000 -0400
37753 @@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
37754 to_device_context(root_device_obj);
37755 struct device_context *child_device_ctx =
37756 to_device_context(child_device_obj);
37757 - static atomic_t device_num = ATOMIC_INIT(0);
37758 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
37759
37760 DPRINT_ENTER(VMBUS_DRV);
37761
37762 @@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
37763
37764 /* Set the device name. Otherwise, device_register() will fail. */
37765 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
37766 - atomic_inc_return(&device_num));
37767 + atomic_inc_return_unchecked(&device_num));
37768
37769 /* The new device belongs to this bus */
37770 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
37771 diff -urNp linux-2.6.32.43/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.43/drivers/staging/hv/VmbusPrivate.h
37772 --- linux-2.6.32.43/drivers/staging/hv/VmbusPrivate.h 2011-04-17 17:00:52.000000000 -0400
37773 +++ linux-2.6.32.43/drivers/staging/hv/VmbusPrivate.h 2011-05-04 17:56:28.000000000 -0400
37774 @@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
37775 struct VMBUS_CONNECTION {
37776 enum VMBUS_CONNECT_STATE ConnectState;
37777
37778 - atomic_t NextGpadlHandle;
37779 + atomic_unchecked_t NextGpadlHandle;
37780
37781 /*
37782 * Represents channel interrupts. Each bit position represents a
37783 diff -urNp linux-2.6.32.43/drivers/staging/octeon/ethernet.c linux-2.6.32.43/drivers/staging/octeon/ethernet.c
37784 --- linux-2.6.32.43/drivers/staging/octeon/ethernet.c 2011-03-27 14:31:47.000000000 -0400
37785 +++ linux-2.6.32.43/drivers/staging/octeon/ethernet.c 2011-05-04 17:56:28.000000000 -0400
37786 @@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
37787 * since the RX tasklet also increments it.
37788 */
37789 #ifdef CONFIG_64BIT
37790 - atomic64_add(rx_status.dropped_packets,
37791 - (atomic64_t *)&priv->stats.rx_dropped);
37792 + atomic64_add_unchecked(rx_status.dropped_packets,
37793 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
37794 #else
37795 - atomic_add(rx_status.dropped_packets,
37796 - (atomic_t *)&priv->stats.rx_dropped);
37797 + atomic_add_unchecked(rx_status.dropped_packets,
37798 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
37799 #endif
37800 }
37801
37802 diff -urNp linux-2.6.32.43/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.43/drivers/staging/octeon/ethernet-rx.c
37803 --- linux-2.6.32.43/drivers/staging/octeon/ethernet-rx.c 2011-03-27 14:31:47.000000000 -0400
37804 +++ linux-2.6.32.43/drivers/staging/octeon/ethernet-rx.c 2011-05-04 17:56:28.000000000 -0400
37805 @@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
37806 /* Increment RX stats for virtual ports */
37807 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
37808 #ifdef CONFIG_64BIT
37809 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
37810 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
37811 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
37812 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
37813 #else
37814 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
37815 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
37816 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
37817 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
37818 #endif
37819 }
37820 netif_receive_skb(skb);
37821 @@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
37822 dev->name);
37823 */
37824 #ifdef CONFIG_64BIT
37825 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
37826 + atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
37827 #else
37828 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
37829 + atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
37830 #endif
37831 dev_kfree_skb_irq(skb);
37832 }
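Review bot: The two added calls in this hunk switch to `atomic64_add_unchecked` / `atomic_add_unchecked` but keep the old casts `(atomic64_t *)` and `(atomic_t *)` on `&priv->stats.rx_dropped`. The previous hunk in this file and the ethernet.c hunk both cast to the `_unchecked_t` types. If the unchecked types are distinct structs, as the separate names suggest, this is a pointer-type mismatch that will at least warn and may not build with the overflow protection enabled. The lines should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);` and `atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);`. `cvm_oct_tasklet_rx` starts and ends outside the hunk.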
37833 diff -urNp linux-2.6.32.43/drivers/staging/panel/panel.c linux-2.6.32.43/drivers/staging/panel/panel.c
37834 --- linux-2.6.32.43/drivers/staging/panel/panel.c 2011-03-27 14:31:47.000000000 -0400
37835 +++ linux-2.6.32.43/drivers/staging/panel/panel.c 2011-04-17 15:56:46.000000000 -0400
37836 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
37837 return 0;
37838 }
37839
37840 -static struct file_operations lcd_fops = {
37841 +static const struct file_operations lcd_fops = {
37842 .write = lcd_write,
37843 .open = lcd_open,
37844 .release = lcd_release,
37845 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
37846 return 0;
37847 }
37848
37849 -static struct file_operations keypad_fops = {
37850 +static const struct file_operations keypad_fops = {
37851 .read = keypad_read, /* read */
37852 .open = keypad_open, /* open */
37853 .release = keypad_release, /* close */
37854 diff -urNp linux-2.6.32.43/drivers/staging/phison/phison.c linux-2.6.32.43/drivers/staging/phison/phison.c
37855 --- linux-2.6.32.43/drivers/staging/phison/phison.c 2011-03-27 14:31:47.000000000 -0400
37856 +++ linux-2.6.32.43/drivers/staging/phison/phison.c 2011-04-17 15:56:46.000000000 -0400
37857 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
37858 ATA_BMDMA_SHT(DRV_NAME),
37859 };
37860
37861 -static struct ata_port_operations phison_ops = {
37862 +static const struct ata_port_operations phison_ops = {
37863 .inherits = &ata_bmdma_port_ops,
37864 .prereset = phison_pre_reset,
37865 };
37866 diff -urNp linux-2.6.32.43/drivers/staging/poch/poch.c linux-2.6.32.43/drivers/staging/poch/poch.c
37867 --- linux-2.6.32.43/drivers/staging/poch/poch.c 2011-03-27 14:31:47.000000000 -0400
37868 +++ linux-2.6.32.43/drivers/staging/poch/poch.c 2011-04-17 15:56:46.000000000 -0400
37869 @@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
37870 return 0;
37871 }
37872
37873 -static struct file_operations poch_fops = {
37874 +static const struct file_operations poch_fops = {
37875 .owner = THIS_MODULE,
37876 .open = poch_open,
37877 .release = poch_release,
37878 diff -urNp linux-2.6.32.43/drivers/staging/pohmelfs/inode.c linux-2.6.32.43/drivers/staging/pohmelfs/inode.c
37879 --- linux-2.6.32.43/drivers/staging/pohmelfs/inode.c 2011-03-27 14:31:47.000000000 -0400
37880 +++ linux-2.6.32.43/drivers/staging/pohmelfs/inode.c 2011-05-04 17:56:20.000000000 -0400
37881 @@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
37882 mutex_init(&psb->mcache_lock);
37883 psb->mcache_root = RB_ROOT;
37884 psb->mcache_timeout = msecs_to_jiffies(5000);
37885 - atomic_long_set(&psb->mcache_gen, 0);
37886 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
37887
37888 psb->trans_max_pages = 100;
37889
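Review bot: The switch of `mcache_gen` to `atomic_long_set_unchecked()` here carries no comment saying why this counter may wrap, and the same holds for `trans_gen` in the next hunk, the field declarations in netfs.h, `seqnum` in usbip/vhci.h, `event` in uio.c, `xfer_id_count` in wusbcore/wa-hc.h and the `vcc->stats` counters in usbatm.c. The `_unchecked` variants presumably exempt these counters from the patch's reference-count overflow detection, so each use is a claim that the value is an identifier or statistic and never guards an object's lifetime. I would record that claim once at each field declaration, e.g. `/* generation number, not a refcount: wraparound is expected */` above `mcache_gen` in struct pohmelfs_sb, so a later change that starts using the field for lifetime tracking has to revisit the type. pohmelfs_fill_super() begins and ends outside this hunk.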
37890 @@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
37891 INIT_LIST_HEAD(&psb->crypto_ready_list);
37892 INIT_LIST_HEAD(&psb->crypto_active_list);
37893
37894 - atomic_set(&psb->trans_gen, 1);
37895 + atomic_set_unchecked(&psb->trans_gen, 1);
37896 atomic_long_set(&psb->total_inodes, 0);
37897
37898 mutex_init(&psb->state_lock);
37899 diff -urNp linux-2.6.32.43/drivers/staging/pohmelfs/mcache.c linux-2.6.32.43/drivers/staging/pohmelfs/mcache.c
37900 --- linux-2.6.32.43/drivers/staging/pohmelfs/mcache.c 2011-03-27 14:31:47.000000000 -0400
37901 +++ linux-2.6.32.43/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:56:46.000000000 -0400
37902 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
37903 m->data = data;
37904 m->start = start;
37905 m->size = size;
37906 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
37907 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
37908
37909 mutex_lock(&psb->mcache_lock);
37910 err = pohmelfs_mcache_insert(psb, m);
37911 diff -urNp linux-2.6.32.43/drivers/staging/pohmelfs/netfs.h linux-2.6.32.43/drivers/staging/pohmelfs/netfs.h
37912 --- linux-2.6.32.43/drivers/staging/pohmelfs/netfs.h 2011-03-27 14:31:47.000000000 -0400
37913 +++ linux-2.6.32.43/drivers/staging/pohmelfs/netfs.h 2011-05-04 17:56:20.000000000 -0400
37914 @@ -570,14 +570,14 @@ struct pohmelfs_config;
37915 struct pohmelfs_sb {
37916 struct rb_root mcache_root;
37917 struct mutex mcache_lock;
37918 - atomic_long_t mcache_gen;
37919 + atomic_long_unchecked_t mcache_gen;
37920 unsigned long mcache_timeout;
37921
37922 unsigned int idx;
37923
37924 unsigned int trans_retries;
37925
37926 - atomic_t trans_gen;
37927 + atomic_unchecked_t trans_gen;
37928
37929 unsigned int crypto_attached_size;
37930 unsigned int crypto_align_size;
37931 diff -urNp linux-2.6.32.43/drivers/staging/pohmelfs/trans.c linux-2.6.32.43/drivers/staging/pohmelfs/trans.c
37932 --- linux-2.6.32.43/drivers/staging/pohmelfs/trans.c 2011-03-27 14:31:47.000000000 -0400
37933 +++ linux-2.6.32.43/drivers/staging/pohmelfs/trans.c 2011-05-04 17:56:28.000000000 -0400
37934 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
37935 int err;
37936 struct netfs_cmd *cmd = t->iovec.iov_base;
37937
37938 - t->gen = atomic_inc_return(&psb->trans_gen);
37939 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
37940
37941 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
37942 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
37943 diff -urNp linux-2.6.32.43/drivers/staging/sep/sep_driver.c linux-2.6.32.43/drivers/staging/sep/sep_driver.c
37944 --- linux-2.6.32.43/drivers/staging/sep/sep_driver.c 2011-03-27 14:31:47.000000000 -0400
37945 +++ linux-2.6.32.43/drivers/staging/sep/sep_driver.c 2011-04-17 15:56:46.000000000 -0400
37946 @@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
37947 static dev_t sep_devno;
37948
37949 /* the files operations structure of the driver */
37950 -static struct file_operations sep_file_operations = {
37951 +static const struct file_operations sep_file_operations = {
37952 .owner = THIS_MODULE,
37953 .ioctl = sep_ioctl,
37954 .poll = sep_poll,
37955 diff -urNp linux-2.6.32.43/drivers/staging/usbip/vhci.h linux-2.6.32.43/drivers/staging/usbip/vhci.h
37956 --- linux-2.6.32.43/drivers/staging/usbip/vhci.h 2011-03-27 14:31:47.000000000 -0400
37957 +++ linux-2.6.32.43/drivers/staging/usbip/vhci.h 2011-05-04 17:56:28.000000000 -0400
37958 @@ -92,7 +92,7 @@ struct vhci_hcd {
37959 unsigned resuming:1;
37960 unsigned long re_timeout;
37961
37962 - atomic_t seqnum;
37963 + atomic_unchecked_t seqnum;
37964
37965 /*
37966 * NOTE:
37967 diff -urNp linux-2.6.32.43/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.43/drivers/staging/usbip/vhci_hcd.c
37968 --- linux-2.6.32.43/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:01.000000000 -0400
37969 +++ linux-2.6.32.43/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:33.000000000 -0400
37970 @@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
37971 return;
37972 }
37973
37974 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
37975 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
37976 if (priv->seqnum == 0xffff)
37977 usbip_uinfo("seqnum max\n");
37978
37979 @@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
37980 return -ENOMEM;
37981 }
37982
37983 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
37984 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
37985 if (unlink->seqnum == 0xffff)
37986 usbip_uinfo("seqnum max\n");
37987
37988 @@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
37989 vdev->rhport = rhport;
37990 }
37991
37992 - atomic_set(&vhci->seqnum, 0);
37993 + atomic_set_unchecked(&vhci->seqnum, 0);
37994 spin_lock_init(&vhci->lock);
37995
37996
37997 diff -urNp linux-2.6.32.43/drivers/staging/usbip/vhci_rx.c linux-2.6.32.43/drivers/staging/usbip/vhci_rx.c
37998 --- linux-2.6.32.43/drivers/staging/usbip/vhci_rx.c 2011-04-17 17:00:52.000000000 -0400
37999 +++ linux-2.6.32.43/drivers/staging/usbip/vhci_rx.c 2011-05-04 17:56:28.000000000 -0400
38000 @@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
38001 usbip_uerr("cannot find a urb of seqnum %u\n",
38002 pdu->base.seqnum);
38003 usbip_uinfo("max seqnum %d\n",
38004 - atomic_read(&the_controller->seqnum));
38005 + atomic_read_unchecked(&the_controller->seqnum));
38006 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
38007 return;
38008 }
38009 diff -urNp linux-2.6.32.43/drivers/staging/vme/devices/vme_user.c linux-2.6.32.43/drivers/staging/vme/devices/vme_user.c
38010 --- linux-2.6.32.43/drivers/staging/vme/devices/vme_user.c 2011-03-27 14:31:47.000000000 -0400
38011 +++ linux-2.6.32.43/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:56:46.000000000 -0400
38012 @@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
38013 static int __init vme_user_probe(struct device *, int, int);
38014 static int __exit vme_user_remove(struct device *, int, int);
38015
38016 -static struct file_operations vme_user_fops = {
38017 +static const struct file_operations vme_user_fops = {
38018 .open = vme_user_open,
38019 .release = vme_user_release,
38020 .read = vme_user_read,
38021 diff -urNp linux-2.6.32.43/drivers/telephony/ixj.c linux-2.6.32.43/drivers/telephony/ixj.c
38022 --- linux-2.6.32.43/drivers/telephony/ixj.c 2011-03-27 14:31:47.000000000 -0400
38023 +++ linux-2.6.32.43/drivers/telephony/ixj.c 2011-05-16 21:46:57.000000000 -0400
38024 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
38025 bool mContinue;
38026 char *pIn, *pOut;
38027
38028 + pax_track_stack();
38029 +
38030 if (!SCI_Prepare(j))
38031 return 0;
38032
38033 diff -urNp linux-2.6.32.43/drivers/uio/uio.c linux-2.6.32.43/drivers/uio/uio.c
38034 --- linux-2.6.32.43/drivers/uio/uio.c 2011-03-27 14:31:47.000000000 -0400
38035 +++ linux-2.6.32.43/drivers/uio/uio.c 2011-05-04 17:56:20.000000000 -0400
38036 @@ -23,6 +23,7 @@
38037 #include <linux/string.h>
38038 #include <linux/kobject.h>
38039 #include <linux/uio_driver.h>
38040 +#include <asm/local.h>
38041
38042 #define UIO_MAX_DEVICES 255
38043
38044 @@ -30,10 +31,10 @@ struct uio_device {
38045 struct module *owner;
38046 struct device *dev;
38047 int minor;
38048 - atomic_t event;
38049 + atomic_unchecked_t event;
38050 struct fasync_struct *async_queue;
38051 wait_queue_head_t wait;
38052 - int vma_count;
38053 + local_t vma_count;
38054 struct uio_info *info;
38055 struct kobject *map_dir;
38056 struct kobject *portio_dir;
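Review bot: `vma_count` changes from `int` to `local_t` without a comment explaining the choice, and `local_t` operations are meant for counters touched from one CPU, so `local_inc()`/`local_dec()` in uio_vma_open()/uio_vma_close() (a later hunk of this file) should not be read as SMP-safe. The plain `int` it replaces was not atomic either, so this is not a regression, but the new type suggests a guarantee it does not give. If the intent is overflow detection on the mapping count (an assumption; the hunk does not say), a comment such as `/* local_t for overflow checking only; not atomic across CPUs */` on the field would make that clear. struct uio_device continues past the end of this hunk.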
38057 @@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
38058 return entry->show(mem, buf);
38059 }
38060
38061 -static struct sysfs_ops map_sysfs_ops = {
38062 +static const struct sysfs_ops map_sysfs_ops = {
38063 .show = map_type_show,
38064 };
38065
38066 @@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
38067 return entry->show(port, buf);
38068 }
38069
38070 -static struct sysfs_ops portio_sysfs_ops = {
38071 +static const struct sysfs_ops portio_sysfs_ops = {
38072 .show = portio_type_show,
38073 };
38074
38075 @@ -255,7 +256,7 @@ static ssize_t show_event(struct device
38076 struct uio_device *idev = dev_get_drvdata(dev);
38077 if (idev)
38078 return sprintf(buf, "%u\n",
38079 - (unsigned int)atomic_read(&idev->event));
38080 + (unsigned int)atomic_read_unchecked(&idev->event));
38081 else
38082 return -ENODEV;
38083 }
38084 @@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
38085 {
38086 struct uio_device *idev = info->uio_dev;
38087
38088 - atomic_inc(&idev->event);
38089 + atomic_inc_unchecked(&idev->event);
38090 wake_up_interruptible(&idev->wait);
38091 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
38092 }
38093 @@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
38094 }
38095
38096 listener->dev = idev;
38097 - listener->event_count = atomic_read(&idev->event);
38098 + listener->event_count = atomic_read_unchecked(&idev->event);
38099 filep->private_data = listener;
38100
38101 if (idev->info->open) {
38102 @@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
38103 return -EIO;
38104
38105 poll_wait(filep, &idev->wait, wait);
38106 - if (listener->event_count != atomic_read(&idev->event))
38107 + if (listener->event_count != atomic_read_unchecked(&idev->event))
38108 return POLLIN | POLLRDNORM;
38109 return 0;
38110 }
38111 @@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
38112 do {
38113 set_current_state(TASK_INTERRUPTIBLE);
38114
38115 - event_count = atomic_read(&idev->event);
38116 + event_count = atomic_read_unchecked(&idev->event);
38117 if (event_count != listener->event_count) {
38118 if (copy_to_user(buf, &event_count, count))
38119 retval = -EFAULT;
38120 @@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
38121 static void uio_vma_open(struct vm_area_struct *vma)
38122 {
38123 struct uio_device *idev = vma->vm_private_data;
38124 - idev->vma_count++;
38125 + local_inc(&idev->vma_count);
38126 }
38127
38128 static void uio_vma_close(struct vm_area_struct *vma)
38129 {
38130 struct uio_device *idev = vma->vm_private_data;
38131 - idev->vma_count--;
38132 + local_dec(&idev->vma_count);
38133 }
38134
38135 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
38136 @@ -840,7 +841,7 @@ int __uio_register_device(struct module
38137 idev->owner = owner;
38138 idev->info = info;
38139 init_waitqueue_head(&idev->wait);
38140 - atomic_set(&idev->event, 0);
38141 + atomic_set_unchecked(&idev->event, 0);
38142
38143 ret = uio_get_minor(idev);
38144 if (ret)
38145 diff -urNp linux-2.6.32.43/drivers/usb/atm/usbatm.c linux-2.6.32.43/drivers/usb/atm/usbatm.c
38146 --- linux-2.6.32.43/drivers/usb/atm/usbatm.c 2011-03-27 14:31:47.000000000 -0400
38147 +++ linux-2.6.32.43/drivers/usb/atm/usbatm.c 2011-04-17 15:56:46.000000000 -0400
38148 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
38149 if (printk_ratelimit())
38150 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
38151 __func__, vpi, vci);
38152 - atomic_inc(&vcc->stats->rx_err);
38153 + atomic_inc_unchecked(&vcc->stats->rx_err);
38154 return;
38155 }
38156
38157 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
38158 if (length > ATM_MAX_AAL5_PDU) {
38159 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
38160 __func__, length, vcc);
38161 - atomic_inc(&vcc->stats->rx_err);
38162 + atomic_inc_unchecked(&vcc->stats->rx_err);
38163 goto out;
38164 }
38165
38166 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
38167 if (sarb->len < pdu_length) {
38168 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
38169 __func__, pdu_length, sarb->len, vcc);
38170 - atomic_inc(&vcc->stats->rx_err);
38171 + atomic_inc_unchecked(&vcc->stats->rx_err);
38172 goto out;
38173 }
38174
38175 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
38176 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
38177 __func__, vcc);
38178 - atomic_inc(&vcc->stats->rx_err);
38179 + atomic_inc_unchecked(&vcc->stats->rx_err);
38180 goto out;
38181 }
38182
38183 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
38184 if (printk_ratelimit())
38185 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
38186 __func__, length);
38187 - atomic_inc(&vcc->stats->rx_drop);
38188 + atomic_inc_unchecked(&vcc->stats->rx_drop);
38189 goto out;
38190 }
38191
38192 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
38193
38194 vcc->push(vcc, skb);
38195
38196 - atomic_inc(&vcc->stats->rx);
38197 + atomic_inc_unchecked(&vcc->stats->rx);
38198 out:
38199 skb_trim(sarb, 0);
38200 }
38201 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
38202 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
38203
38204 usbatm_pop(vcc, skb);
38205 - atomic_inc(&vcc->stats->tx);
38206 + atomic_inc_unchecked(&vcc->stats->tx);
38207
38208 skb = skb_dequeue(&instance->sndqueue);
38209 }
38210 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
38211 if (!left--)
38212 return sprintf(page,
38213 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
38214 - atomic_read(&atm_dev->stats.aal5.tx),
38215 - atomic_read(&atm_dev->stats.aal5.tx_err),
38216 - atomic_read(&atm_dev->stats.aal5.rx),
38217 - atomic_read(&atm_dev->stats.aal5.rx_err),
38218 - atomic_read(&atm_dev->stats.aal5.rx_drop));
38219 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
38220 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
38221 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
38222 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
38223 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
38224
38225 if (!left--) {
38226 if (instance->disconnected)
38227 diff -urNp linux-2.6.32.43/drivers/usb/class/cdc-wdm.c linux-2.6.32.43/drivers/usb/class/cdc-wdm.c
38228 --- linux-2.6.32.43/drivers/usb/class/cdc-wdm.c 2011-03-27 14:31:47.000000000 -0400
38229 +++ linux-2.6.32.43/drivers/usb/class/cdc-wdm.c 2011-04-17 15:56:46.000000000 -0400
38230 @@ -314,7 +314,7 @@ static ssize_t wdm_write
38231 if (r < 0)
38232 goto outnp;
38233
38234 - if (!file->f_flags && O_NONBLOCK)
38235 + if (!(file->f_flags & O_NONBLOCK))
38236 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
38237 &desc->flags));
38238 else
38239 diff -urNp linux-2.6.32.43/drivers/usb/core/hcd.c linux-2.6.32.43/drivers/usb/core/hcd.c
38240 --- linux-2.6.32.43/drivers/usb/core/hcd.c 2011-03-27 14:31:47.000000000 -0400
38241 +++ linux-2.6.32.43/drivers/usb/core/hcd.c 2011-04-17 15:56:46.000000000 -0400
38242 @@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
38243
38244 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
38245
38246 -struct usb_mon_operations *mon_ops;
38247 +const struct usb_mon_operations *mon_ops;
38248
38249 /*
38250 * The registration is unlocked.
38251 @@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
38252 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
38253 */
38254
38255 -int usb_mon_register (struct usb_mon_operations *ops)
38256 +int usb_mon_register (const struct usb_mon_operations *ops)
38257 {
38258
38259 if (mon_ops)
38260 diff -urNp linux-2.6.32.43/drivers/usb/core/hcd.h linux-2.6.32.43/drivers/usb/core/hcd.h
38261 --- linux-2.6.32.43/drivers/usb/core/hcd.h 2011-03-27 14:31:47.000000000 -0400
38262 +++ linux-2.6.32.43/drivers/usb/core/hcd.h 2011-04-17 15:56:46.000000000 -0400
38263 @@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
38264 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
38265
38266 struct usb_mon_operations {
38267 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
38268 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
38269 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
38270 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
38271 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
38272 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
38273 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
38274 };
38275
38276 -extern struct usb_mon_operations *mon_ops;
38277 +extern const struct usb_mon_operations *mon_ops;
38278
38279 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
38280 {
38281 @@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
38282 (*mon_ops->urb_complete)(bus, urb, status);
38283 }
38284
38285 -int usb_mon_register(struct usb_mon_operations *ops);
38286 +int usb_mon_register(const struct usb_mon_operations *ops);
38287 void usb_mon_deregister(void);
38288
38289 #else
38290 diff -urNp linux-2.6.32.43/drivers/usb/core/message.c linux-2.6.32.43/drivers/usb/core/message.c
38291 --- linux-2.6.32.43/drivers/usb/core/message.c 2011-03-27 14:31:47.000000000 -0400
38292 +++ linux-2.6.32.43/drivers/usb/core/message.c 2011-04-17 15:56:46.000000000 -0400
38293 @@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
38294 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
38295 if (buf) {
38296 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
38297 - if (len > 0) {
38298 - smallbuf = kmalloc(++len, GFP_NOIO);
38299 + if (len++ > 0) {
38300 + smallbuf = kmalloc(len, GFP_NOIO);
38301 if (!smallbuf)
38302 return buf;
38303 memcpy(smallbuf, buf, len);
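Review bot: `if (len++ > 0)` hides a side effect in the condition: `len` is now incremented even when usb_string() returned zero or an error, and the reader has to notice the post-increment to see that `kmalloc(len, ...)` and `memcpy(smallbuf, buf, len)` use the returned length plus one (presumably for the terminator). Keeping the test and the increment separate says the same thing more plainly and still passes a side-effect-free size to kmalloc(): `if (len > 0) {` followed by `len++;` and then `smallbuf = kmalloc(len, GFP_NOIO);`. The rest of usb_cache_string() lies outside the hunk, so whether `len` is read again after the `if` could not be checked here.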
38304 diff -urNp linux-2.6.32.43/drivers/usb/misc/appledisplay.c linux-2.6.32.43/drivers/usb/misc/appledisplay.c
38305 --- linux-2.6.32.43/drivers/usb/misc/appledisplay.c 2011-03-27 14:31:47.000000000 -0400
38306 +++ linux-2.6.32.43/drivers/usb/misc/appledisplay.c 2011-04-17 15:56:46.000000000 -0400
38307 @@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
38308 return pdata->msgdata[1];
38309 }
38310
38311 -static struct backlight_ops appledisplay_bl_data = {
38312 +static const struct backlight_ops appledisplay_bl_data = {
38313 .get_brightness = appledisplay_bl_get_brightness,
38314 .update_status = appledisplay_bl_update_status,
38315 };
38316 diff -urNp linux-2.6.32.43/drivers/usb/mon/mon_main.c linux-2.6.32.43/drivers/usb/mon/mon_main.c
38317 --- linux-2.6.32.43/drivers/usb/mon/mon_main.c 2011-03-27 14:31:47.000000000 -0400
38318 +++ linux-2.6.32.43/drivers/usb/mon/mon_main.c 2011-04-17 15:56:46.000000000 -0400
38319 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
38320 /*
38321 * Ops
38322 */
38323 -static struct usb_mon_operations mon_ops_0 = {
38324 +static const struct usb_mon_operations mon_ops_0 = {
38325 .urb_submit = mon_submit,
38326 .urb_submit_error = mon_submit_error,
38327 .urb_complete = mon_complete,
38328 diff -urNp linux-2.6.32.43/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.43/drivers/usb/wusbcore/wa-hc.h
38329 --- linux-2.6.32.43/drivers/usb/wusbcore/wa-hc.h 2011-03-27 14:31:47.000000000 -0400
38330 +++ linux-2.6.32.43/drivers/usb/wusbcore/wa-hc.h 2011-05-04 17:56:28.000000000 -0400
38331 @@ -192,7 +192,7 @@ struct wahc {
38332 struct list_head xfer_delayed_list;
38333 spinlock_t xfer_list_lock;
38334 struct work_struct xfer_work;
38335 - atomic_t xfer_id_count;
38336 + atomic_unchecked_t xfer_id_count;
38337 };
38338
38339
38340 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
38341 INIT_LIST_HEAD(&wa->xfer_delayed_list);
38342 spin_lock_init(&wa->xfer_list_lock);
38343 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
38344 - atomic_set(&wa->xfer_id_count, 1);
38345 + atomic_set_unchecked(&wa->xfer_id_count, 1);
38346 }
38347
38348 /**
38349 diff -urNp linux-2.6.32.43/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.43/drivers/usb/wusbcore/wa-xfer.c
38350 --- linux-2.6.32.43/drivers/usb/wusbcore/wa-xfer.c 2011-03-27 14:31:47.000000000 -0400
38351 +++ linux-2.6.32.43/drivers/usb/wusbcore/wa-xfer.c 2011-05-04 17:56:28.000000000 -0400
38352 @@ -293,7 +293,7 @@ out:
38353 */
38354 static void wa_xfer_id_init(struct wa_xfer *xfer)
38355 {
38356 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
38357 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
38358 }
38359
38360 /*
38361 diff -urNp linux-2.6.32.43/drivers/uwb/wlp/messages.c linux-2.6.32.43/drivers/uwb/wlp/messages.c
38362 --- linux-2.6.32.43/drivers/uwb/wlp/messages.c 2011-03-27 14:31:47.000000000 -0400
38363 +++ linux-2.6.32.43/drivers/uwb/wlp/messages.c 2011-04-17 15:56:46.000000000 -0400
38364 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
38365 size_t len = skb->len;
38366 size_t used;
38367 ssize_t result;
38368 - struct wlp_nonce enonce, rnonce;
38369 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
38370 enum wlp_assc_error assc_err;
38371 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
38372 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
38373 diff -urNp linux-2.6.32.43/drivers/uwb/wlp/sysfs.c linux-2.6.32.43/drivers/uwb/wlp/sysfs.c
38374 --- linux-2.6.32.43/drivers/uwb/wlp/sysfs.c 2011-03-27 14:31:47.000000000 -0400
38375 +++ linux-2.6.32.43/drivers/uwb/wlp/sysfs.c 2011-04-17 15:56:46.000000000 -0400
38376 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
38377 return ret;
38378 }
38379
38380 -static
38381 -struct sysfs_ops wss_sysfs_ops = {
38382 +static const struct sysfs_ops wss_sysfs_ops = {
38383 .show = wlp_wss_attr_show,
38384 .store = wlp_wss_attr_store,
38385 };
38386 diff -urNp linux-2.6.32.43/drivers/video/atmel_lcdfb.c linux-2.6.32.43/drivers/video/atmel_lcdfb.c
38387 --- linux-2.6.32.43/drivers/video/atmel_lcdfb.c 2011-03-27 14:31:47.000000000 -0400
38388 +++ linux-2.6.32.43/drivers/video/atmel_lcdfb.c 2011-04-17 15:56:46.000000000 -0400
38389 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
38390 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
38391 }
38392
38393 -static struct backlight_ops atmel_lcdc_bl_ops = {
38394 +static const struct backlight_ops atmel_lcdc_bl_ops = {
38395 .update_status = atmel_bl_update_status,
38396 .get_brightness = atmel_bl_get_brightness,
38397 };
38398 diff -urNp linux-2.6.32.43/drivers/video/aty/aty128fb.c linux-2.6.32.43/drivers/video/aty/aty128fb.c
38399 --- linux-2.6.32.43/drivers/video/aty/aty128fb.c 2011-03-27 14:31:47.000000000 -0400
38400 +++ linux-2.6.32.43/drivers/video/aty/aty128fb.c 2011-04-17 15:56:46.000000000 -0400
38401 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
38402 return bd->props.brightness;
38403 }
38404
38405 -static struct backlight_ops aty128_bl_data = {
38406 +static const struct backlight_ops aty128_bl_data = {
38407 .get_brightness = aty128_bl_get_brightness,
38408 .update_status = aty128_bl_update_status,
38409 };
38410 diff -urNp linux-2.6.32.43/drivers/video/aty/atyfb_base.c linux-2.6.32.43/drivers/video/aty/atyfb_base.c
38411 --- linux-2.6.32.43/drivers/video/aty/atyfb_base.c 2011-03-27 14:31:47.000000000 -0400
38412 +++ linux-2.6.32.43/drivers/video/aty/atyfb_base.c 2011-04-17 15:56:46.000000000 -0400
38413 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
38414 return bd->props.brightness;
38415 }
38416
38417 -static struct backlight_ops aty_bl_data = {
38418 +static const struct backlight_ops aty_bl_data = {
38419 .get_brightness = aty_bl_get_brightness,
38420 .update_status = aty_bl_update_status,
38421 };
38422 diff -urNp linux-2.6.32.43/drivers/video/aty/radeon_backlight.c linux-2.6.32.43/drivers/video/aty/radeon_backlight.c
38423 --- linux-2.6.32.43/drivers/video/aty/radeon_backlight.c 2011-03-27 14:31:47.000000000 -0400
38424 +++ linux-2.6.32.43/drivers/video/aty/radeon_backlight.c 2011-04-17 15:56:46.000000000 -0400
38425 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
38426 return bd->props.brightness;
38427 }
38428
38429 -static struct backlight_ops radeon_bl_data = {
38430 +static const struct backlight_ops radeon_bl_data = {
38431 .get_brightness = radeon_bl_get_brightness,
38432 .update_status = radeon_bl_update_status,
38433 };
38434 diff -urNp linux-2.6.32.43/drivers/video/backlight/adp5520_bl.c linux-2.6.32.43/drivers/video/backlight/adp5520_bl.c
38435 --- linux-2.6.32.43/drivers/video/backlight/adp5520_bl.c 2011-03-27 14:31:47.000000000 -0400
38436 +++ linux-2.6.32.43/drivers/video/backlight/adp5520_bl.c 2011-04-17 15:56:46.000000000 -0400
38437 @@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
38438 return error ? data->current_brightness : reg_val;
38439 }
38440
38441 -static struct backlight_ops adp5520_bl_ops = {
38442 +static const struct backlight_ops adp5520_bl_ops = {
38443 .update_status = adp5520_bl_update_status,
38444 .get_brightness = adp5520_bl_get_brightness,
38445 };
38446 diff -urNp linux-2.6.32.43/drivers/video/backlight/adx_bl.c linux-2.6.32.43/drivers/video/backlight/adx_bl.c
38447 --- linux-2.6.32.43/drivers/video/backlight/adx_bl.c 2011-03-27 14:31:47.000000000 -0400
38448 +++ linux-2.6.32.43/drivers/video/backlight/adx_bl.c 2011-04-17 15:56:46.000000000 -0400
38449 @@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
38450 return 1;
38451 }
38452
38453 -static struct backlight_ops adx_backlight_ops = {
38454 +static const struct backlight_ops adx_backlight_ops = {
38455 .options = 0,
38456 .update_status = adx_backlight_update_status,
38457 .get_brightness = adx_backlight_get_brightness,
38458 diff -urNp linux-2.6.32.43/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.43/drivers/video/backlight/atmel-pwm-bl.c
38459 --- linux-2.6.32.43/drivers/video/backlight/atmel-pwm-bl.c 2011-03-27 14:31:47.000000000 -0400
38460 +++ linux-2.6.32.43/drivers/video/backlight/atmel-pwm-bl.c 2011-04-17 15:56:46.000000000 -0400
38461 @@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
38462 return pwm_channel_enable(&pwmbl->pwmc);
38463 }
38464
38465 -static struct backlight_ops atmel_pwm_bl_ops = {
38466 +static const struct backlight_ops atmel_pwm_bl_ops = {
38467 .get_brightness = atmel_pwm_bl_get_intensity,
38468 .update_status = atmel_pwm_bl_set_intensity,
38469 };
38470 diff -urNp linux-2.6.32.43/drivers/video/backlight/backlight.c linux-2.6.32.43/drivers/video/backlight/backlight.c
38471 --- linux-2.6.32.43/drivers/video/backlight/backlight.c 2011-03-27 14:31:47.000000000 -0400
38472 +++ linux-2.6.32.43/drivers/video/backlight/backlight.c 2011-04-17 15:56:46.000000000 -0400
38473 @@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
38474 * ERR_PTR() or a pointer to the newly allocated device.
38475 */
38476 struct backlight_device *backlight_device_register(const char *name,
38477 - struct device *parent, void *devdata, struct backlight_ops *ops)
38478 + struct device *parent, void *devdata, const struct backlight_ops *ops)
38479 {
38480 struct backlight_device *new_bd;
38481 int rc;
38482 diff -urNp linux-2.6.32.43/drivers/video/backlight/corgi_lcd.c linux-2.6.32.43/drivers/video/backlight/corgi_lcd.c
38483 --- linux-2.6.32.43/drivers/video/backlight/corgi_lcd.c 2011-03-27 14:31:47.000000000 -0400
38484 +++ linux-2.6.32.43/drivers/video/backlight/corgi_lcd.c 2011-04-17 15:56:46.000000000 -0400
38485 @@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
38486 }
38487 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
38488
38489 -static struct backlight_ops corgi_bl_ops = {
38490 +static const struct backlight_ops corgi_bl_ops = {
38491 .get_brightness = corgi_bl_get_intensity,
38492 .update_status = corgi_bl_update_status,
38493 };
38494 diff -urNp linux-2.6.32.43/drivers/video/backlight/cr_bllcd.c linux-2.6.32.43/drivers/video/backlight/cr_bllcd.c
38495 --- linux-2.6.32.43/drivers/video/backlight/cr_bllcd.c 2011-03-27 14:31:47.000000000 -0400
38496 +++ linux-2.6.32.43/drivers/video/backlight/cr_bllcd.c 2011-04-17 15:56:46.000000000 -0400
38497 @@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
38498 return intensity;
38499 }
38500
38501 -static struct backlight_ops cr_backlight_ops = {
38502 +static const struct backlight_ops cr_backlight_ops = {
38503 .get_brightness = cr_backlight_get_intensity,
38504 .update_status = cr_backlight_set_intensity,
38505 };
38506 diff -urNp linux-2.6.32.43/drivers/video/backlight/da903x_bl.c linux-2.6.32.43/drivers/video/backlight/da903x_bl.c
38507 --- linux-2.6.32.43/drivers/video/backlight/da903x_bl.c 2011-03-27 14:31:47.000000000 -0400
38508 +++ linux-2.6.32.43/drivers/video/backlight/da903x_bl.c 2011-04-17 15:56:46.000000000 -0400
38509 @@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
38510 return data->current_brightness;
38511 }
38512
38513 -static struct backlight_ops da903x_backlight_ops = {
38514 +static const struct backlight_ops da903x_backlight_ops = {
38515 .update_status = da903x_backlight_update_status,
38516 .get_brightness = da903x_backlight_get_brightness,
38517 };
38518 diff -urNp linux-2.6.32.43/drivers/video/backlight/generic_bl.c linux-2.6.32.43/drivers/video/backlight/generic_bl.c
38519 --- linux-2.6.32.43/drivers/video/backlight/generic_bl.c 2011-03-27 14:31:47.000000000 -0400
38520 +++ linux-2.6.32.43/drivers/video/backlight/generic_bl.c 2011-04-17 15:56:46.000000000 -0400
38521 @@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
38522 }
38523 EXPORT_SYMBOL(corgibl_limit_intensity);
38524
38525 -static struct backlight_ops genericbl_ops = {
38526 +static const struct backlight_ops genericbl_ops = {
38527 .options = BL_CORE_SUSPENDRESUME,
38528 .get_brightness = genericbl_get_intensity,
38529 .update_status = genericbl_send_intensity,
38530 diff -urNp linux-2.6.32.43/drivers/video/backlight/hp680_bl.c linux-2.6.32.43/drivers/video/backlight/hp680_bl.c
38531 --- linux-2.6.32.43/drivers/video/backlight/hp680_bl.c 2011-03-27 14:31:47.000000000 -0400
38532 +++ linux-2.6.32.43/drivers/video/backlight/hp680_bl.c 2011-04-17 15:56:46.000000000 -0400
38533 @@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
38534 return current_intensity;
38535 }
38536
38537 -static struct backlight_ops hp680bl_ops = {
38538 +static const struct backlight_ops hp680bl_ops = {
38539 .get_brightness = hp680bl_get_intensity,
38540 .update_status = hp680bl_set_intensity,
38541 };
38542 diff -urNp linux-2.6.32.43/drivers/video/backlight/jornada720_bl.c linux-2.6.32.43/drivers/video/backlight/jornada720_bl.c
38543 --- linux-2.6.32.43/drivers/video/backlight/jornada720_bl.c 2011-03-27 14:31:47.000000000 -0400
38544 +++ linux-2.6.32.43/drivers/video/backlight/jornada720_bl.c 2011-04-17 15:56:46.000000000 -0400
38545 @@ -93,7 +93,7 @@ out:
38546 return ret;
38547 }
38548
38549 -static struct backlight_ops jornada_bl_ops = {
38550 +static const struct backlight_ops jornada_bl_ops = {
38551 .get_brightness = jornada_bl_get_brightness,
38552 .update_status = jornada_bl_update_status,
38553 .options = BL_CORE_SUSPENDRESUME,
38554 diff -urNp linux-2.6.32.43/drivers/video/backlight/kb3886_bl.c linux-2.6.32.43/drivers/video/backlight/kb3886_bl.c
38555 --- linux-2.6.32.43/drivers/video/backlight/kb3886_bl.c 2011-03-27 14:31:47.000000000 -0400
38556 +++ linux-2.6.32.43/drivers/video/backlight/kb3886_bl.c 2011-04-17 15:56:46.000000000 -0400
38557 @@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
38558 return kb3886bl_intensity;
38559 }
38560
38561 -static struct backlight_ops kb3886bl_ops = {
38562 +static const struct backlight_ops kb3886bl_ops = {
38563 .get_brightness = kb3886bl_get_intensity,
38564 .update_status = kb3886bl_send_intensity,
38565 };
38566 diff -urNp linux-2.6.32.43/drivers/video/backlight/locomolcd.c linux-2.6.32.43/drivers/video/backlight/locomolcd.c
38567 --- linux-2.6.32.43/drivers/video/backlight/locomolcd.c 2011-03-27 14:31:47.000000000 -0400
38568 +++ linux-2.6.32.43/drivers/video/backlight/locomolcd.c 2011-04-17 15:56:46.000000000 -0400
38569 @@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
38570 return current_intensity;
38571 }
38572
38573 -static struct backlight_ops locomobl_data = {
38574 +static const struct backlight_ops locomobl_data = {
38575 .get_brightness = locomolcd_get_intensity,
38576 .update_status = locomolcd_set_intensity,
38577 };
38578 diff -urNp linux-2.6.32.43/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.43/drivers/video/backlight/mbp_nvidia_bl.c
38579 --- linux-2.6.32.43/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:01.000000000 -0400
38580 +++ linux-2.6.32.43/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:33.000000000 -0400
38581 @@ -33,7 +33,7 @@ struct dmi_match_data {
38582 unsigned long iostart;
38583 unsigned long iolen;
38584 /* Backlight operations structure. */
38585 - struct backlight_ops backlight_ops;
38586 + const struct backlight_ops backlight_ops;
38587 };
38588
38589 /* Module parameters. */
38590 diff -urNp linux-2.6.32.43/drivers/video/backlight/omap1_bl.c linux-2.6.32.43/drivers/video/backlight/omap1_bl.c
38591 --- linux-2.6.32.43/drivers/video/backlight/omap1_bl.c 2011-03-27 14:31:47.000000000 -0400
38592 +++ linux-2.6.32.43/drivers/video/backlight/omap1_bl.c 2011-04-17 15:56:46.000000000 -0400
38593 @@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
38594 return bl->current_intensity;
38595 }
38596
38597 -static struct backlight_ops omapbl_ops = {
38598 +static const struct backlight_ops omapbl_ops = {
38599 .get_brightness = omapbl_get_intensity,
38600 .update_status = omapbl_update_status,
38601 };
38602 diff -urNp linux-2.6.32.43/drivers/video/backlight/progear_bl.c linux-2.6.32.43/drivers/video/backlight/progear_bl.c
38603 --- linux-2.6.32.43/drivers/video/backlight/progear_bl.c 2011-03-27 14:31:47.000000000 -0400
38604 +++ linux-2.6.32.43/drivers/video/backlight/progear_bl.c 2011-04-17 15:56:46.000000000 -0400
38605 @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
38606 return intensity - HW_LEVEL_MIN;
38607 }
38608
38609 -static struct backlight_ops progearbl_ops = {
38610 +static const struct backlight_ops progearbl_ops = {
38611 .get_brightness = progearbl_get_intensity,
38612 .update_status = progearbl_set_intensity,
38613 };
38614 diff -urNp linux-2.6.32.43/drivers/video/backlight/pwm_bl.c linux-2.6.32.43/drivers/video/backlight/pwm_bl.c
38615 --- linux-2.6.32.43/drivers/video/backlight/pwm_bl.c 2011-03-27 14:31:47.000000000 -0400
38616 +++ linux-2.6.32.43/drivers/video/backlight/pwm_bl.c 2011-04-17 15:56:46.000000000 -0400
38617 @@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
38618 return bl->props.brightness;
38619 }
38620
38621 -static struct backlight_ops pwm_backlight_ops = {
38622 +static const struct backlight_ops pwm_backlight_ops = {
38623 .update_status = pwm_backlight_update_status,
38624 .get_brightness = pwm_backlight_get_brightness,
38625 };
38626 diff -urNp linux-2.6.32.43/drivers/video/backlight/tosa_bl.c linux-2.6.32.43/drivers/video/backlight/tosa_bl.c
38627 --- linux-2.6.32.43/drivers/video/backlight/tosa_bl.c 2011-03-27 14:31:47.000000000 -0400
38628 +++ linux-2.6.32.43/drivers/video/backlight/tosa_bl.c 2011-04-17 15:56:46.000000000 -0400
38629 @@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
38630 return props->brightness;
38631 }
38632
38633 -static struct backlight_ops bl_ops = {
38634 +static const struct backlight_ops bl_ops = {
38635 .get_brightness = tosa_bl_get_brightness,
38636 .update_status = tosa_bl_update_status,
38637 };
38638 diff -urNp linux-2.6.32.43/drivers/video/backlight/wm831x_bl.c linux-2.6.32.43/drivers/video/backlight/wm831x_bl.c
38639 --- linux-2.6.32.43/drivers/video/backlight/wm831x_bl.c 2011-03-27 14:31:47.000000000 -0400
38640 +++ linux-2.6.32.43/drivers/video/backlight/wm831x_bl.c 2011-04-17 15:56:46.000000000 -0400
38641 @@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
38642 return data->current_brightness;
38643 }
38644
38645 -static struct backlight_ops wm831x_backlight_ops = {
38646 +static const struct backlight_ops wm831x_backlight_ops = {
38647 .options = BL_CORE_SUSPENDRESUME,
38648 .update_status = wm831x_backlight_update_status,
38649 .get_brightness = wm831x_backlight_get_brightness,
38650 diff -urNp linux-2.6.32.43/drivers/video/bf54x-lq043fb.c linux-2.6.32.43/drivers/video/bf54x-lq043fb.c
38651 --- linux-2.6.32.43/drivers/video/bf54x-lq043fb.c 2011-03-27 14:31:47.000000000 -0400
38652 +++ linux-2.6.32.43/drivers/video/bf54x-lq043fb.c 2011-04-17 15:56:46.000000000 -0400
38653 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
38654 return 0;
38655 }
38656
38657 -static struct backlight_ops bfin_lq043fb_bl_ops = {
38658 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
38659 .get_brightness = bl_get_brightness,
38660 };
38661
38662 diff -urNp linux-2.6.32.43/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.43/drivers/video/bfin-t350mcqb-fb.c
38663 --- linux-2.6.32.43/drivers/video/bfin-t350mcqb-fb.c 2011-03-27 14:31:47.000000000 -0400
38664 +++ linux-2.6.32.43/drivers/video/bfin-t350mcqb-fb.c 2011-04-17 15:56:46.000000000 -0400
38665 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
38666 return 0;
38667 }
38668
38669 -static struct backlight_ops bfin_lq043fb_bl_ops = {
38670 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
38671 .get_brightness = bl_get_brightness,
38672 };
38673
38674 diff -urNp linux-2.6.32.43/drivers/video/fbcmap.c linux-2.6.32.43/drivers/video/fbcmap.c
38675 --- linux-2.6.32.43/drivers/video/fbcmap.c 2011-03-27 14:31:47.000000000 -0400
38676 +++ linux-2.6.32.43/drivers/video/fbcmap.c 2011-04-17 15:56:46.000000000 -0400
38677 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
38678 rc = -ENODEV;
38679 goto out;
38680 }
38681 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
38682 - !info->fbops->fb_setcmap)) {
38683 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
38684 rc = -EINVAL;
38685 goto out1;
38686 }
38687 diff -urNp linux-2.6.32.43/drivers/video/fbmem.c linux-2.6.32.43/drivers/video/fbmem.c
38688 --- linux-2.6.32.43/drivers/video/fbmem.c 2011-03-27 14:31:47.000000000 -0400
38689 +++ linux-2.6.32.43/drivers/video/fbmem.c 2011-05-16 21:46:57.000000000 -0400
38690 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
38691 image->dx += image->width + 8;
38692 }
38693 } else if (rotate == FB_ROTATE_UD) {
38694 - for (x = 0; x < num && image->dx >= 0; x++) {
38695 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
38696 info->fbops->fb_imageblit(info, image);
38697 image->dx -= image->width + 8;
38698 }
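Review bot: The `(__s32)` casts on `image->dx` here and on `image->dy` in the FB_ROTATE_CCW hunk that follows decide when these loops end, but nothing explains them. The cast only makes sense if the fields are unsigned (their declaration is outside the hunk), in which case the loop stops once the subtraction wraps below zero. I would add a comment on each loop, e.g. `/* dx is unsigned: compare as signed so the loop ends once it wraps below 0 */`. fb_do_show_logo starts and ends outside both hunks.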
38699 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
38700 image->dy += image->height + 8;
38701 }
38702 } else if (rotate == FB_ROTATE_CCW) {
38703 - for (x = 0; x < num && image->dy >= 0; x++) {
38704 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
38705 info->fbops->fb_imageblit(info, image);
38706 image->dy -= image->height + 8;
38707 }
38708 @@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
38709 int flags = info->flags;
38710 int ret = 0;
38711
38712 + pax_track_stack();
38713 +
38714 if (var->activate & FB_ACTIVATE_INV_MODE) {
38715 struct fb_videomode mode1, mode2;
38716
38717 @@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
38718 void __user *argp = (void __user *)arg;
38719 long ret = 0;
38720
38721 + pax_track_stack();
38722 +
38723 switch (cmd) {
38724 case FBIOGET_VSCREENINFO:
38725 if (!lock_fb_info(info))
38726 @@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
38727 return -EFAULT;
38728 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
38729 return -EINVAL;
38730 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
38731 + if (con2fb.framebuffer >= FB_MAX)
38732 return -EINVAL;
38733 if (!registered_fb[con2fb.framebuffer])
38734 request_module("fb%d", con2fb.framebuffer);
38735 diff -urNp linux-2.6.32.43/drivers/video/i810/i810_accel.c linux-2.6.32.43/drivers/video/i810/i810_accel.c
38736 --- linux-2.6.32.43/drivers/video/i810/i810_accel.c 2011-03-27 14:31:47.000000000 -0400
38737 +++ linux-2.6.32.43/drivers/video/i810/i810_accel.c 2011-04-17 15:56:46.000000000 -0400
38738 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
38739 }
38740 }
38741 printk("ringbuffer lockup!!!\n");
38742 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
38743 i810_report_error(mmio);
38744 par->dev_flags |= LOCKUP;
38745 info->pixmap.scan_align = 1;
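Review bot: The added diagnostic `printk` has no log level, so it is emitted at the default level and may be filtered differently from what a lockup report deserves. I would write it as `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The `%u` specifiers assume all four values are unsigned ints; their declarations are outside the hunk and should be checked. The "ringbuffer lockup" line above it has the same gap, and wait_for_space continues outside the hunk.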
38746 diff -urNp linux-2.6.32.43/drivers/video/nvidia/nv_backlight.c linux-2.6.32.43/drivers/video/nvidia/nv_backlight.c
38747 --- linux-2.6.32.43/drivers/video/nvidia/nv_backlight.c 2011-03-27 14:31:47.000000000 -0400
38748 +++ linux-2.6.32.43/drivers/video/nvidia/nv_backlight.c 2011-04-17 15:56:46.000000000 -0400
38749 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
38750 return bd->props.brightness;
38751 }
38752
38753 -static struct backlight_ops nvidia_bl_ops = {
38754 +static const struct backlight_ops nvidia_bl_ops = {
38755 .get_brightness = nvidia_bl_get_brightness,
38756 .update_status = nvidia_bl_update_status,
38757 };
38758 diff -urNp linux-2.6.32.43/drivers/video/riva/fbdev.c linux-2.6.32.43/drivers/video/riva/fbdev.c
38759 --- linux-2.6.32.43/drivers/video/riva/fbdev.c 2011-03-27 14:31:47.000000000 -0400
38760 +++ linux-2.6.32.43/drivers/video/riva/fbdev.c 2011-04-17 15:56:46.000000000 -0400
38761 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
38762 return bd->props.brightness;
38763 }
38764
38765 -static struct backlight_ops riva_bl_ops = {
38766 +static const struct backlight_ops riva_bl_ops = {
38767 .get_brightness = riva_bl_get_brightness,
38768 .update_status = riva_bl_update_status,
38769 };
38770 diff -urNp linux-2.6.32.43/drivers/video/uvesafb.c linux-2.6.32.43/drivers/video/uvesafb.c
38771 --- linux-2.6.32.43/drivers/video/uvesafb.c 2011-03-27 14:31:47.000000000 -0400
38772 +++ linux-2.6.32.43/drivers/video/uvesafb.c 2011-04-17 15:56:46.000000000 -0400
38773 @@ -18,6 +18,7 @@
38774 #include <linux/fb.h>
38775 #include <linux/io.h>
38776 #include <linux/mutex.h>
38777 +#include <linux/moduleloader.h>
38778 #include <video/edid.h>
38779 #include <video/uvesafb.h>
38780 #ifdef CONFIG_X86
38781 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
38782 NULL,
38783 };
38784
38785 - return call_usermodehelper(v86d_path, argv, envp, 1);
38786 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
38787 }
38788
38789 /*
38790 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
38791 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
38792 par->pmi_setpal = par->ypan = 0;
38793 } else {
38794 +
38795 +#ifdef CONFIG_PAX_KERNEXEC
38796 +#ifdef CONFIG_MODULES
38797 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
38798 +#endif
38799 + if (!par->pmi_code) {
38800 + par->pmi_setpal = par->ypan = 0;
38801 + return 0;
38802 + }
38803 +#endif
38804 +
38805 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
38806 + task->t.regs.edi);
38807 +
38808 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38809 + pax_open_kernel();
38810 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
38811 + pax_close_kernel();
38812 +
38813 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
38814 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
38815 +#else
38816 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
38817 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
38818 +#endif
38819 +
38820 printk(KERN_INFO "uvesafb: protected mode interface info at "
38821 "%04x:%04x\n",
38822 (u16)task->t.regs.es, (u16)task->t.regs.edi);
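Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared with the number of bytes just copied, `(u16)task->t.regs.ecx`. Both the length and the table come from the video BIOS, so an inconsistent table leaves `pmi_start` or `pmi_pal` pointing outside the executable allocation. A guard before the `ktva_ktla()` lines would cover it, for example `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx) { par->pmi_setpal = par->ypan = 0; return 0; }`, and would also reject a zero length. The vesafb_probe hunk later in this patch copies `screen_info.vesapm_size` bytes and then uses `pmi_base[1]` and `pmi_base[2]` the same way. uvesafb_vbe_getpmi starts and ends outside this hunk.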
38823 @@ -1799,6 +1822,11 @@ out:
38824 if (par->vbe_modes)
38825 kfree(par->vbe_modes);
38826
38827 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38828 + if (par->pmi_code)
38829 + module_free_exec(NULL, par->pmi_code);
38830 +#endif
38831 +
38832 framebuffer_release(info);
38833 return err;
38834 }
38835 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
38836 kfree(par->vbe_state_orig);
38837 if (par->vbe_state_saved)
38838 kfree(par->vbe_state_saved);
38839 +
38840 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38841 + if (par->pmi_code)
38842 + module_free_exec(NULL, par->pmi_code);
38843 +#endif
38844 +
38845 }
38846
38847 framebuffer_release(info);
38848 diff -urNp linux-2.6.32.43/drivers/video/vesafb.c linux-2.6.32.43/drivers/video/vesafb.c
38849 --- linux-2.6.32.43/drivers/video/vesafb.c 2011-03-27 14:31:47.000000000 -0400
38850 +++ linux-2.6.32.43/drivers/video/vesafb.c 2011-08-05 20:33:55.000000000 -0400
38851 @@ -9,6 +9,7 @@
38852 */
38853
38854 #include <linux/module.h>
38855 +#include <linux/moduleloader.h>
38856 #include <linux/kernel.h>
38857 #include <linux/errno.h>
38858 #include <linux/string.h>
38859 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
38860 static int vram_total __initdata; /* Set total amount of memory */
38861 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
38862 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
38863 -static void (*pmi_start)(void) __read_mostly;
38864 -static void (*pmi_pal) (void) __read_mostly;
38865 +static void (*pmi_start)(void) __read_only;
38866 +static void (*pmi_pal) (void) __read_only;
38867 static int depth __read_mostly;
38868 static int vga_compat __read_mostly;
38869 /* --------------------------------------------------------------------- */
38870 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
38871 unsigned int size_vmode;
38872 unsigned int size_remap;
38873 unsigned int size_total;
38874 + void *pmi_code = NULL;
38875
38876 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
38877 return -ENODEV;
38878 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
38879 size_remap = size_total;
38880 vesafb_fix.smem_len = size_remap;
38881
38882 -#ifndef __i386__
38883 - screen_info.vesapm_seg = 0;
38884 -#endif
38885 -
38886 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
38887 printk(KERN_WARNING
38888 "vesafb: cannot reserve video memory at 0x%lx\n",
38889 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
38890 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
38891 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
38892
38893 +#ifdef __i386__
38894 +
38895 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38896 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
38897 + if (!pmi_code)
38898 +#elif !defined(CONFIG_PAX_KERNEXEC)
38899 + if (0)
38900 +#endif
38901 +
38902 +#endif
38903 + screen_info.vesapm_seg = 0;
38904 +
38905 if (screen_info.vesapm_seg) {
38906 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
38907 - screen_info.vesapm_seg,screen_info.vesapm_off);
38908 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
38909 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
38910 }
38911
38912 if (screen_info.vesapm_seg < 0xc000)
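Review bot: The `if` that guards `screen_info.vesapm_seg = 0;` is assembled by the preprocessor, so whether the assignment is conditional, dead or unconditional depends on three config symbols, and its indentation suggests it is always unconditional. That is easy to misread and easy to break in a later edit. Spelling out the cases keeps the same behaviour in every configuration. Separately, the allocation happens before it is known that the PMI will be used, and the only `module_free_exec` in this patch is on the `err:` path, so it seems worth checking that the buffer is released when `ypan` and `pmi_setpal` end up zero. vesafb_probe starts and ends outside this hunk.
```c
	/* … unchanged: "vesafb: mode is" printk … */
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	/* KERNEXEC: the PMI code must run from an executable copy */
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
	/* no PMI off i386, and none under KERNEXEC without an executable copy */
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: "protected mode interface info" printk and 0xc000 check … */
```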
38913 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
38914
38915 if (ypan || pmi_setpal) {
38916 unsigned short *pmi_base;
38917 +
38918 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
38919 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
38920 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
38921 +
38922 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38923 + pax_open_kernel();
38924 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
38925 +#else
38926 + pmi_code = pmi_base;
38927 +#endif
38928 +
38929 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
38930 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
38931 +
38932 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38933 + pmi_start = ktva_ktla(pmi_start);
38934 + pmi_pal = ktva_ktla(pmi_pal);
38935 + pax_close_kernel();
38936 +#endif
38937 +
38938 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
38939 if (pmi_base[3]) {
38940 printk(KERN_INFO "vesafb: pmi: ports = ");
38941 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
38942 info->node, info->fix.id);
38943 return 0;
38944 err:
38945 +
38946 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
38947 + module_free_exec(NULL, pmi_code);
38948 +#endif
38949 +
38950 if (info->screen_base)
38951 iounmap(info->screen_base);
38952 framebuffer_release(info);
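Review bot: `module_free_exec(NULL, pmi_code)` on the `err:` path has no NULL guard, although `pmi_code` starts as NULL and stays NULL when `module_alloc_exec` fails earlier in the probe. The two uvesafb hunks in this patch guard the same call with `if (par->pmi_code)`. Whether `module_free_exec` tolerates NULL is not visible here, so for consistency and safety I would write `if (pmi_code) module_free_exec(NULL, pmi_code);`. vesafb_probe starts outside this hunk.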
38953 diff -urNp linux-2.6.32.43/drivers/xen/sys-hypervisor.c linux-2.6.32.43/drivers/xen/sys-hypervisor.c
38954 --- linux-2.6.32.43/drivers/xen/sys-hypervisor.c 2011-03-27 14:31:47.000000000 -0400
38955 +++ linux-2.6.32.43/drivers/xen/sys-hypervisor.c 2011-04-17 15:56:46.000000000 -0400
38956 @@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
38957 return 0;
38958 }
38959
38960 -static struct sysfs_ops hyp_sysfs_ops = {
38961 +static const struct sysfs_ops hyp_sysfs_ops = {
38962 .show = hyp_sysfs_show,
38963 .store = hyp_sysfs_store,
38964 };
38965 diff -urNp linux-2.6.32.43/fs/9p/vfs_inode.c linux-2.6.32.43/fs/9p/vfs_inode.c
38966 --- linux-2.6.32.43/fs/9p/vfs_inode.c 2011-03-27 14:31:47.000000000 -0400
38967 +++ linux-2.6.32.43/fs/9p/vfs_inode.c 2011-04-17 15:56:46.000000000 -0400
38968 @@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
38969 static void
38970 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
38971 {
38972 - char *s = nd_get_link(nd);
38973 + const char *s = nd_get_link(nd);
38974
38975 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
38976 IS_ERR(s) ? "<error>" : s);
38977 diff -urNp linux-2.6.32.43/fs/aio.c linux-2.6.32.43/fs/aio.c
38978 --- linux-2.6.32.43/fs/aio.c 2011-03-27 14:31:47.000000000 -0400
38979 +++ linux-2.6.32.43/fs/aio.c 2011-06-04 20:40:21.000000000 -0400
38980 @@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
38981 size += sizeof(struct io_event) * nr_events;
38982 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
38983
38984 - if (nr_pages < 0)
38985 + if (nr_pages <= 0)
38986 return -EINVAL;
38987
38988 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
38989 @@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
38990 struct aio_timeout to;
38991 int retry = 0;
38992
38993 + pax_track_stack();
38994 +
38995 /* needed to zero any padding within an entry (there shouldn't be
38996 * any, but C is fun!
38997 */
38998 @@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
38999 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
39000 {
39001 ssize_t ret;
39002 + struct iovec iovstack;
39003
39004 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
39005 kiocb->ki_nbytes, 1,
39006 - &kiocb->ki_inline_vec, &kiocb->ki_iovec);
39007 + &iovstack, &kiocb->ki_iovec);
39008 if (ret < 0)
39009 goto out;
39010
39011 + if (kiocb->ki_iovec == &iovstack) {
39012 + kiocb->ki_inline_vec = iovstack;
39013 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
39014 + }
39015 kiocb->ki_nr_segs = kiocb->ki_nbytes;
39016 kiocb->ki_cur_seg = 0;
39017 /* ki_nbytes/left now reflect bytes instead of segs */
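Review bot: The detour through the stack variable `iovstack` has no comment, and the code does not say why `rw_copy_check_uvector` may no longer write directly into `kiocb->ki_inline_vec`. Without it the next reader is likely to "simplify" the hunk back to the original form. I would add a comment above the declaration such as `/* bounce buffer: the user copy must target the stack, not a field inside the kiocb */`, adjusted to the actual reason, which is not visible in the hunk. The pointer fix-up after the call matters because `ki_iovec` would otherwise keep pointing at the stack slot after return.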
39018 diff -urNp linux-2.6.32.43/fs/attr.c linux-2.6.32.43/fs/attr.c
39019 --- linux-2.6.32.43/fs/attr.c 2011-03-27 14:31:47.000000000 -0400
39020 +++ linux-2.6.32.43/fs/attr.c 2011-04-17 15:56:46.000000000 -0400
39021 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
39022 unsigned long limit;
39023
39024 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
39025 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
39026 if (limit != RLIM_INFINITY && offset > limit)
39027 goto out_sig;
39028 if (offset > inode->i_sb->s_maxbytes)
39029 diff -urNp linux-2.6.32.43/fs/autofs/root.c linux-2.6.32.43/fs/autofs/root.c
39030 --- linux-2.6.32.43/fs/autofs/root.c 2011-03-27 14:31:47.000000000 -0400
39031 +++ linux-2.6.32.43/fs/autofs/root.c 2011-04-17 15:56:46.000000000 -0400
39032 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
39033 set_bit(n,sbi->symlink_bitmap);
39034 sl = &sbi->symlink[n];
39035 sl->len = strlen(symname);
39036 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
39037 + slsize = sl->len+1;
39038 + sl->data = kmalloc(slsize, GFP_KERNEL);
39039 if (!sl->data) {
39040 clear_bit(n,sbi->symlink_bitmap);
39041 unlock_kernel();
39042 diff -urNp linux-2.6.32.43/fs/autofs4/symlink.c linux-2.6.32.43/fs/autofs4/symlink.c
39043 --- linux-2.6.32.43/fs/autofs4/symlink.c 2011-03-27 14:31:47.000000000 -0400
39044 +++ linux-2.6.32.43/fs/autofs4/symlink.c 2011-04-17 15:56:46.000000000 -0400
39045 @@ -15,7 +15,7 @@
39046 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
39047 {
39048 struct autofs_info *ino = autofs4_dentry_ino(dentry);
39049 - nd_set_link(nd, (char *)ino->u.symlink);
39050 + nd_set_link(nd, ino->u.symlink);
39051 return NULL;
39052 }
39053
39054 diff -urNp linux-2.6.32.43/fs/befs/linuxvfs.c linux-2.6.32.43/fs/befs/linuxvfs.c
39055 --- linux-2.6.32.43/fs/befs/linuxvfs.c 2011-03-27 14:31:47.000000000 -0400
39056 +++ linux-2.6.32.43/fs/befs/linuxvfs.c 2011-04-17 15:56:46.000000000 -0400
39057 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
39058 {
39059 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
39060 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
39061 - char *link = nd_get_link(nd);
39062 + const char *link = nd_get_link(nd);
39063 if (!IS_ERR(link))
39064 kfree(link);
39065 }
39066 diff -urNp linux-2.6.32.43/fs/binfmt_aout.c linux-2.6.32.43/fs/binfmt_aout.c
39067 --- linux-2.6.32.43/fs/binfmt_aout.c 2011-03-27 14:31:47.000000000 -0400
39068 +++ linux-2.6.32.43/fs/binfmt_aout.c 2011-04-17 15:56:46.000000000 -0400
39069 @@ -16,6 +16,7 @@
39070 #include <linux/string.h>
39071 #include <linux/fs.h>
39072 #include <linux/file.h>
39073 +#include <linux/security.h>
39074 #include <linux/stat.h>
39075 #include <linux/fcntl.h>
39076 #include <linux/ptrace.h>
39077 @@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
39078 #endif
39079 # define START_STACK(u) (u.start_stack)
39080
39081 + memset(&dump, 0, sizeof(dump));
39082 +
39083 fs = get_fs();
39084 set_fs(KERNEL_DS);
39085 has_dumped = 1;
39086 @@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
39087
39088 /* If the size of the dump file exceeds the rlimit, then see what would happen
39089 if we wrote the stack, but not the data area. */
39090 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
39091 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
39092 dump.u_dsize = 0;
39093
39094 /* Make sure we have enough room to write the stack and data areas. */
39095 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
39096 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
39097 dump.u_ssize = 0;
39098
39099 @@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
39100 dump_size = dump.u_ssize << PAGE_SHIFT;
39101 DUMP_WRITE(dump_start,dump_size);
39102 }
39103 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
39104 - set_fs(KERNEL_DS);
39105 - DUMP_WRITE(current,sizeof(*current));
39106 +/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
39107 end_coredump:
39108 set_fs(fs);
39109 return has_dumped;
39110 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
39111 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
39112 if (rlim >= RLIM_INFINITY)
39113 rlim = ~0;
39114 +
39115 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
39116 if (ex.a_data + ex.a_bss > rlim)
39117 return -ENOMEM;
39118
39119 @@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
39120 install_exec_creds(bprm);
39121 current->flags &= ~PF_FORKNOEXEC;
39122
39123 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39124 + current->mm->pax_flags = 0UL;
39125 +#endif
39126 +
39127 +#ifdef CONFIG_PAX_PAGEEXEC
39128 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
39129 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
39130 +
39131 +#ifdef CONFIG_PAX_EMUTRAMP
39132 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
39133 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
39134 +#endif
39135 +
39136 +#ifdef CONFIG_PAX_MPROTECT
39137 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
39138 + current->mm->pax_flags |= MF_PAX_MPROTECT;
39139 +#endif
39140 +
39141 + }
39142 +#endif
39143 +
39144 if (N_MAGIC(ex) == OMAGIC) {
39145 unsigned long text_addr, map_size;
39146 loff_t pos;
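Review bot: The three header-flag tests use different polarities and nothing in the block says so. PAGEEXEC and MPROTECT are turned on when the a.out flag bit is clear, while EMUTRAMP is turned on when its bit is set. EMUTRAMP and MPROTECT are also only evaluated inside the PAGEEXEC branch. A short comment above the block would prevent a well-meant "fix" of the apparent inconsistency, e.g. `/* PAGEEXEC and MPROTECT are opt-out header bits, EMUTRAMP is opt-in; the latter two only apply when PAGEEXEC is active */`. load_aout_binary starts and ends outside this hunk.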
39147 @@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
39148
39149 down_write(&current->mm->mmap_sem);
39150 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
39151 - PROT_READ | PROT_WRITE | PROT_EXEC,
39152 + PROT_READ | PROT_WRITE,
39153 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
39154 fd_offset + ex.a_text);
39155 up_write(&current->mm->mmap_sem);
39156 diff -urNp linux-2.6.32.43/fs/binfmt_elf.c linux-2.6.32.43/fs/binfmt_elf.c
39157 --- linux-2.6.32.43/fs/binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
39158 +++ linux-2.6.32.43/fs/binfmt_elf.c 2011-05-16 21:46:57.000000000 -0400
39159 @@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
39160 #define elf_core_dump NULL
39161 #endif
39162
39163 +#ifdef CONFIG_PAX_MPROTECT
39164 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
39165 +#endif
39166 +
39167 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
39168 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
39169 #else
39170 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
39171 .load_binary = load_elf_binary,
39172 .load_shlib = load_elf_library,
39173 .core_dump = elf_core_dump,
39174 +
39175 +#ifdef CONFIG_PAX_MPROTECT
39176 + .handle_mprotect= elf_handle_mprotect,
39177 +#endif
39178 +
39179 .min_coredump = ELF_EXEC_PAGESIZE,
39180 .hasvdso = 1
39181 };
39182 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
39183
39184 static int set_brk(unsigned long start, unsigned long end)
39185 {
39186 + unsigned long e = end;
39187 +
39188 start = ELF_PAGEALIGN(start);
39189 end = ELF_PAGEALIGN(end);
39190 if (end > start) {
39191 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
39192 if (BAD_ADDR(addr))
39193 return addr;
39194 }
39195 - current->mm->start_brk = current->mm->brk = end;
39196 + current->mm->start_brk = current->mm->brk = e;
39197 return 0;
39198 }
39199
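Review bot: The local `e`, introduced in the previous hunk and assigned to `start_brk` and `brk` here, gives no hint that it holds the caller's unaligned `end`, saved before `ELF_PAGEALIGN` overwrites the parameter. This changes behaviour, because the break is no longer the page-aligned value, so it deserves a descriptive name and a comment. I would declare it as `unsigned long unaligned_end = end; /* brk keeps the exact end; only the mapping is page-aligned */` and use that name in the assignment.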
39200 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
39201 elf_addr_t __user *u_rand_bytes;
39202 const char *k_platform = ELF_PLATFORM;
39203 const char *k_base_platform = ELF_BASE_PLATFORM;
39204 - unsigned char k_rand_bytes[16];
39205 + u32 k_rand_bytes[4];
39206 int items;
39207 elf_addr_t *elf_info;
39208 int ei_index = 0;
39209 const struct cred *cred = current_cred();
39210 struct vm_area_struct *vma;
39211 + unsigned long saved_auxv[AT_VECTOR_SIZE];
39212 +
39213 + pax_track_stack();
39214
39215 /*
39216 * In some cases (e.g. Hyper-Threading), we want to avoid L1
39217 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
39218 * Generate 16 random bytes for userspace PRNG seeding.
39219 */
39220 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
39221 - u_rand_bytes = (elf_addr_t __user *)
39222 - STACK_ALLOC(p, sizeof(k_rand_bytes));
39223 + srandom32(k_rand_bytes[0] ^ random32());
39224 + srandom32(k_rand_bytes[1] ^ random32());
39225 + srandom32(k_rand_bytes[2] ^ random32());
39226 + srandom32(k_rand_bytes[3] ^ random32());
39227 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
39228 + u_rand_bytes = (elf_addr_t __user *) p;
39229 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
39230 return -EFAULT;
39231
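Review bot: The four words passed to `srandom32()` are the same `k_rand_bytes` that `__copy_to_user` hands to the new process a few lines later, so the process learns one of the two inputs to each reseed. Whether that weakens anything depends on how `srandom32` mixes its argument, which is not visible here, but the intent should at least be stated. I would either add a comment explaining why reusing these bytes is acceptable, or draw separate bytes for the reseed with `u32 seed[4]; get_random_bytes(seed, sizeof(seed));`. The replacement of `STACK_ALLOC` by `STACK_ROUND` followed by `u_rand_bytes = p` should also be checked against both macro definitions, which are outside the hunk. create_elf_tables starts and ends outside this hunk.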
39232 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
39233 return -EFAULT;
39234 current->mm->env_end = p;
39235
39236 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
39237 +
39238 /* Put the elf_info on the stack in the right place. */
39239 sp = (elf_addr_t __user *)envp + 1;
39240 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
39241 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
39242 return -EFAULT;
39243 return 0;
39244 }
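Review bot: The `memcpy` into `saved_auxv` is sized by `ei_index * sizeof(elf_addr_t)`, while the destination is declared in the earlier hunk as `unsigned long saved_auxv[AT_VECTOR_SIZE]`, and no bound on `ei_index` is visible. If `elf_info` is backed by an array of the same size the copy cannot overrun, but that is outside the hunk. A cheap guard before the copy would make it explicit: `if (ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv)) return -EFAULT;`. A one-line comment saying why the vector is bounced through the stack before `copy_to_user` would also help.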
39245 @@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
39246 {
39247 struct elf_phdr *elf_phdata;
39248 struct elf_phdr *eppnt;
39249 - unsigned long load_addr = 0;
39250 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
39251 int load_addr_set = 0;
39252 unsigned long last_bss = 0, elf_bss = 0;
39253 - unsigned long error = ~0UL;
39254 + unsigned long error = -EINVAL;
39255 unsigned long total_size;
39256 int retval, i, size;
39257
39258 @@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
39259 goto out_close;
39260 }
39261
39262 +#ifdef CONFIG_PAX_SEGMEXEC
39263 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
39264 + pax_task_size = SEGMEXEC_TASK_SIZE;
39265 +#endif
39266 +
39267 eppnt = elf_phdata;
39268 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
39269 if (eppnt->p_type == PT_LOAD) {
39270 @@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
39271 k = load_addr + eppnt->p_vaddr;
39272 if (BAD_ADDR(k) ||
39273 eppnt->p_filesz > eppnt->p_memsz ||
39274 - eppnt->p_memsz > TASK_SIZE ||
39275 - TASK_SIZE - eppnt->p_memsz < k) {
39276 + eppnt->p_memsz > pax_task_size ||
39277 + pax_task_size - eppnt->p_memsz < k) {
39278 error = -ENOMEM;
39279 goto out_close;
39280 }
39281 @@ -532,6 +557,194 @@ out:
39282 return error;
39283 }
39284
39285 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
39286 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
39287 +{
39288 + unsigned long pax_flags = 0UL;
39289 +
39290 +#ifdef CONFIG_PAX_PAGEEXEC
39291 + if (elf_phdata->p_flags & PF_PAGEEXEC)
39292 + pax_flags |= MF_PAX_PAGEEXEC;
39293 +#endif
39294 +
39295 +#ifdef CONFIG_PAX_SEGMEXEC
39296 + if (elf_phdata->p_flags & PF_SEGMEXEC)
39297 + pax_flags |= MF_PAX_SEGMEXEC;
39298 +#endif
39299 +
39300 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39301 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39302 + if (nx_enabled)
39303 + pax_flags &= ~MF_PAX_SEGMEXEC;
39304 + else
39305 + pax_flags &= ~MF_PAX_PAGEEXEC;
39306 + }
39307 +#endif
39308 +
39309 +#ifdef CONFIG_PAX_EMUTRAMP
39310 + if (elf_phdata->p_flags & PF_EMUTRAMP)
39311 + pax_flags |= MF_PAX_EMUTRAMP;
39312 +#endif
39313 +
39314 +#ifdef CONFIG_PAX_MPROTECT
39315 + if (elf_phdata->p_flags & PF_MPROTECT)
39316 + pax_flags |= MF_PAX_MPROTECT;
39317 +#endif
39318 +
39319 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39320 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
39321 + pax_flags |= MF_PAX_RANDMMAP;
39322 +#endif
39323 +
39324 + return pax_flags;
39325 +}
39326 +#endif
39327 +
39328 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39329 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
39330 +{
39331 + unsigned long pax_flags = 0UL;
39332 +
39333 +#ifdef CONFIG_PAX_PAGEEXEC
39334 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
39335 + pax_flags |= MF_PAX_PAGEEXEC;
39336 +#endif
39337 +
39338 +#ifdef CONFIG_PAX_SEGMEXEC
39339 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
39340 + pax_flags |= MF_PAX_SEGMEXEC;
39341 +#endif
39342 +
39343 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39344 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39345 + if (nx_enabled)
39346 + pax_flags &= ~MF_PAX_SEGMEXEC;
39347 + else
39348 + pax_flags &= ~MF_PAX_PAGEEXEC;
39349 + }
39350 +#endif
39351 +
39352 +#ifdef CONFIG_PAX_EMUTRAMP
39353 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
39354 + pax_flags |= MF_PAX_EMUTRAMP;
39355 +#endif
39356 +
39357 +#ifdef CONFIG_PAX_MPROTECT
39358 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
39359 + pax_flags |= MF_PAX_MPROTECT;
39360 +#endif
39361 +
39362 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
39363 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
39364 + pax_flags |= MF_PAX_RANDMMAP;
39365 +#endif
39366 +
39367 + return pax_flags;
39368 +}
39369 +#endif
39370 +
39371 +#ifdef CONFIG_PAX_EI_PAX
39372 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
39373 +{
39374 + unsigned long pax_flags = 0UL;
39375 +
39376 +#ifdef CONFIG_PAX_PAGEEXEC
39377 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
39378 + pax_flags |= MF_PAX_PAGEEXEC;
39379 +#endif
39380 +
39381 +#ifdef CONFIG_PAX_SEGMEXEC
39382 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
39383 + pax_flags |= MF_PAX_SEGMEXEC;
39384 +#endif
39385 +
39386 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
39387 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39388 + if (nx_enabled)
39389 + pax_flags &= ~MF_PAX_SEGMEXEC;
39390 + else
39391 + pax_flags &= ~MF_PAX_PAGEEXEC;
39392 + }
39393 +#endif
39394 +
39395 +#ifdef CONFIG_PAX_EMUTRAMP
39396 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
39397 + pax_flags |= MF_PAX_EMUTRAMP;
39398 +#endif
39399 +
39400 +#ifdef CONFIG_PAX_MPROTECT
39401 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
39402 + pax_flags |= MF_PAX_MPROTECT;
39403 +#endif
39404 +
39405 +#ifdef CONFIG_PAX_ASLR
39406 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
39407 + pax_flags |= MF_PAX_RANDMMAP;
39408 +#endif
39409 +
39410 + return pax_flags;
39411 +}
39412 +#endif
39413 +
39414 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39415 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
39416 +{
39417 + unsigned long pax_flags = 0UL;
39418 +
39419 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39420 + unsigned long i;
39421 + int found_flags = 0;
39422 +#endif
39423 +
39424 +#ifdef CONFIG_PAX_EI_PAX
39425 + pax_flags = pax_parse_ei_pax(elf_ex);
39426 +#endif
39427 +
39428 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
39429 + for (i = 0UL; i < elf_ex->e_phnum; i++)
39430 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
39431 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
39432 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
39433 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
39434 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
39435 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
39436 + return -EINVAL;
39437 +
39438 +#ifdef CONFIG_PAX_SOFTMODE
39439 + if (pax_softmode)
39440 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
39441 + else
39442 +#endif
39443 +
39444 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
39445 + found_flags = 1;
39446 + break;
39447 + }
39448 +#endif
39449 +
39450 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
39451 + if (found_flags == 0) {
39452 + struct elf_phdr phdr;
39453 + memset(&phdr, 0, sizeof(phdr));
39454 + phdr.p_flags = PF_NOEMUTRAMP;
39455 +#ifdef CONFIG_PAX_SOFTMODE
39456 + if (pax_softmode)
39457 + pax_flags = pax_parse_softmode(&phdr);
39458 + else
39459 +#endif
39460 + pax_flags = pax_parse_hardmode(&phdr);
39461 + }
39462 +#endif
39463 +
39464 +
39465 + if (0 > pax_check_flags(&pax_flags))
39466 + return -EINVAL;
39467 +
39468 + current->mm->pax_flags = pax_flags;
39469 + return 0;
39470 +}
39471 +#endif
39472 +
39473 /*
39474 * These are the functions used to load ELF style executables and shared
39475 * libraries. There is no binary dependent code anywhere else.
39476 @@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
39477 {
39478 unsigned int random_variable = 0;
39479
39480 +#ifdef CONFIG_PAX_RANDUSTACK
39481 + if (randomize_va_space)
39482 + return stack_top - current->mm->delta_stack;
39483 +#endif
39484 +
39485 if ((current->flags & PF_RANDOMIZE) &&
39486 !(current->personality & ADDR_NO_RANDOMIZE)) {
39487 random_variable = get_random_int() & STACK_RND_MASK;
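Review bot: The early return added at the top of randomize_stack_top() bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` test that follows it, and nothing in the hunk says whether that is intended. It also relies on `current->mm->delta_stack` being zero whenever `MF_PAX_RANDMMAP` is not set, which the load_elf_binary() hunk arranges by clearing the field before the flags are parsed. A comment above the `#ifdef` would record both, for example `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP is set; the personality opt-out is not consulted on this path */`. The function body continues outside the hunk.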
39488 @@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
39489 unsigned long load_addr = 0, load_bias = 0;
39490 int load_addr_set = 0;
39491 char * elf_interpreter = NULL;
39492 - unsigned long error;
39493 + unsigned long error = 0;
39494 struct elf_phdr *elf_ppnt, *elf_phdata;
39495 unsigned long elf_bss, elf_brk;
39496 int retval, i;
39497 @@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
39498 unsigned long start_code, end_code, start_data, end_data;
39499 unsigned long reloc_func_desc = 0;
39500 int executable_stack = EXSTACK_DEFAULT;
39501 - unsigned long def_flags = 0;
39502 struct {
39503 struct elfhdr elf_ex;
39504 struct elfhdr interp_elf_ex;
39505 } *loc;
39506 + unsigned long pax_task_size = TASK_SIZE;
39507
39508 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
39509 if (!loc) {
39510 @@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
39511
39512 /* OK, This is the point of no return */
39513 current->flags &= ~PF_FORKNOEXEC;
39514 - current->mm->def_flags = def_flags;
39515 +
39516 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
39517 + current->mm->pax_flags = 0UL;
39518 +#endif
39519 +
39520 +#ifdef CONFIG_PAX_DLRESOLVE
39521 + current->mm->call_dl_resolve = 0UL;
39522 +#endif
39523 +
39524 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
39525 + current->mm->call_syscall = 0UL;
39526 +#endif
39527 +
39528 +#ifdef CONFIG_PAX_ASLR
39529 + current->mm->delta_mmap = 0UL;
39530 + current->mm->delta_stack = 0UL;
39531 +#endif
39532 +
39533 + current->mm->def_flags = 0;
39534 +
39535 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
39536 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
39537 + send_sig(SIGKILL, current, 0);
39538 + goto out_free_dentry;
39539 + }
39540 +#endif
39541 +
39542 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
39543 + pax_set_initial_flags(bprm);
39544 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
39545 + if (pax_set_initial_flags_func)
39546 + (pax_set_initial_flags_func)(bprm);
39547 +#endif
39548 +
39549 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
39550 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
39551 + current->mm->context.user_cs_limit = PAGE_SIZE;
39552 + current->mm->def_flags |= VM_PAGEEXEC;
39553 + }
39554 +#endif
39555 +
39556 +#ifdef CONFIG_PAX_SEGMEXEC
39557 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
39558 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
39559 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
39560 + pax_task_size = SEGMEXEC_TASK_SIZE;
39561 + }
39562 +#endif
39563 +
39564 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
39565 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39566 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
39567 + put_cpu();
39568 + }
39569 +#endif
39570
39571 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
39572 may depend on the personality. */
39573 SET_PERSONALITY(loc->elf_ex);
39574 +
39575 +#ifdef CONFIG_PAX_ASLR
39576 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
39577 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
39578 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
39579 + }
39580 +#endif
39581 +
39582 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
39583 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
39584 + executable_stack = EXSTACK_DISABLE_X;
39585 + current->personality &= ~READ_IMPLIES_EXEC;
39586 + } else
39587 +#endif
39588 +
39589 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
39590 current->personality |= READ_IMPLIES_EXEC;
39591
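Review bot: The new failure path after `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, whereas the set_brk failure path in a later hunk of this function sets `retval = -EINVAL` first. What `retval` holds at this point is decided outside the hunk; if it is still 0 from an earlier successful call, load_elf_binary() would report success for an image whose PaX flags were rejected. Adding `retval = -EINVAL;` before the `goto` makes the result explicit. load_elf_binary() starts and ends outside the hunk.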
39592 @@ -804,6 +1091,20 @@ static int load_elf_binary(struct linux_
39593 #else
39594 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
39595 #endif
39596 +
39597 +#ifdef CONFIG_PAX_RANDMMAP
39598 + /* PaX: randomize base address at the default exe base if requested */
39599 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
39600 +#ifdef CONFIG_SPARC64
39601 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
39602 +#else
39603 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
39604 +#endif
39605 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
39606 + elf_flags |= MAP_FIXED;
39607 + }
39608 +#endif
39609 +
39610 }
39611
39612 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
39613 @@ -836,9 +1137,9 @@ static int load_elf_binary(struct linux_
39614 * allowed task size. Note that p_filesz must always be
39615 * <= p_memsz so it is only necessary to check p_memsz.
39616 */
39617 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
39618 - elf_ppnt->p_memsz > TASK_SIZE ||
39619 - TASK_SIZE - elf_ppnt->p_memsz < k) {
39620 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
39621 + elf_ppnt->p_memsz > pax_task_size ||
39622 + pax_task_size - elf_ppnt->p_memsz < k) {
39623 /* set_brk can never work. Avoid overflows. */
39624 send_sig(SIGKILL, current, 0);
39625 retval = -EINVAL;
39626 @@ -866,6 +1167,11 @@ static int load_elf_binary(struct linux_
39627 start_data += load_bias;
39628 end_data += load_bias;
39629
39630 +#ifdef CONFIG_PAX_RANDMMAP
39631 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
39632 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
39633 +#endif
39634 +
39635 /* Calling set_brk effectively mmaps the pages that we need
39636 * for the bss and break sections. We must do this before
39637 * mapping in the interpreter, to make sure it doesn't wind
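Review bot: The brk offset added under `CONFIG_PAX_RANDMMAP` has no comment explaining its range. As written, `(pax_get_random_long() & ~PAGE_MASK) << 4` keeps the low `PAGE_SHIFT` bits of the random value and scales them by 16, so `elf_brk` moves up by `PAGE_SIZE` plus a multiple of 16 bytes that stays below `16 * PAGE_SIZE`. A one-line comment such as `/* PaX: random gap of PAGE_SIZE + [0, 16*PAGE_SIZE) bytes, in 16-byte steps */` would spare the reader the arithmetic. The enclosing function continues outside the hunk.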
39638 @@ -877,9 +1183,11 @@ static int load_elf_binary(struct linux_
39639 goto out_free_dentry;
39640 }
39641 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
39642 - send_sig(SIGSEGV, current, 0);
39643 - retval = -EFAULT; /* Nobody gets to see this, but.. */
39644 - goto out_free_dentry;
39645 + /*
39646 + * This bss-zeroing can fail if the ELF
39647 + * file specifies odd protections. So
39648 + * we don't check the return value
39649 + */
39650 }
39651
39652 if (elf_interpreter) {
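Review bot: After this change the `if` around `padzero(elf_bss)` has a body holding only a comment, so the call survives purely as a side effect inside a condition and the `unlikely()` hint no longer guards anything. Writing it as `if (likely(elf_bss != elf_brk))` followed by `(void)padzero(elf_bss);` keeps the behaviour and makes the ignored result explicit. The comment should also state what a failed padzero() leaves behind, presumably the bytes after `elf_bss` in that page staying uncleared, so a reader can judge whether ignoring it is acceptable.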
39653 @@ -1112,8 +1420,10 @@ static int dump_seek(struct file *file,
39654 unsigned long n = off;
39655 if (n > PAGE_SIZE)
39656 n = PAGE_SIZE;
39657 - if (!dump_write(file, buf, n))
39658 + if (!dump_write(file, buf, n)) {
39659 + free_page((unsigned long)buf);
39660 return 0;
39661 + }
39662 off -= n;
39663 }
39664 free_page((unsigned long)buf);
39665 @@ -1125,7 +1435,7 @@ static int dump_seek(struct file *file,
39666 * Decide what to dump of a segment, part, all or none.
39667 */
39668 static unsigned long vma_dump_size(struct vm_area_struct *vma,
39669 - unsigned long mm_flags)
39670 + unsigned long mm_flags, long signr)
39671 {
39672 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
39673
39674 @@ -1159,7 +1469,7 @@ static unsigned long vma_dump_size(struc
39675 if (vma->vm_file == NULL)
39676 return 0;
39677
39678 - if (FILTER(MAPPED_PRIVATE))
39679 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
39680 goto whole;
39681
39682 /*
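Review bot: The `signr == SIGKILL` test added in vma_dump_size() sends file-backed mappings to `whole` even when `FILTER(MAPPED_PRIVATE)` is off, and there is no comment on why a dump triggered by SIGKILL should ignore that filter bit. Such dumps then carry more of the process image than the configured filter selects, which matters for where core files are written and who can read them. A comment on the condition, e.g. `/* PaX: dumps caused by SIGKILL include file-backed mappings regardless of the dump filter */`, plus a line in the function's header comment for the new `signr` parameter introduced in the previous hunk, would document this. The function continues outside the hunk.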
39683 @@ -1255,8 +1565,11 @@ static int writenote(struct memelfnote *
39684 #undef DUMP_WRITE
39685
39686 #define DUMP_WRITE(addr, nr) \
39687 + do { \
39688 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
39689 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
39690 - goto end_coredump;
39691 + goto end_coredump; \
39692 + } while (0);
39693
39694 static void fill_elf_header(struct elfhdr *elf, int segs,
39695 u16 machine, u32 flags, u8 osabi)
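Review bot: The rewritten `DUMP_WRITE` ends in `} while (0);`, and that trailing semicolon defeats the purpose of the `do { ... } while (0)` wrapper. A call site written as `DUMP_WRITE(a, n);` expands to two statements, which breaks an unbraced `if`/`else` around it. The last line of the macro should be `} while (0)` with the semicolon supplied by the caller. The macro also evaluates `nr` three times now, so arguments with side effects must be avoided.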
39696 @@ -1385,9 +1698,9 @@ static void fill_auxv_note(struct memelf
39697 {
39698 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
39699 int i = 0;
39700 - do
39701 + do {
39702 i += 2;
39703 - while (auxv[i - 2] != AT_NULL);
39704 + } while (auxv[i - 2] != AT_NULL);
39705 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
39706 }
39707
39708 @@ -1973,7 +2286,7 @@ static int elf_core_dump(long signr, str
39709 phdr.p_offset = offset;
39710 phdr.p_vaddr = vma->vm_start;
39711 phdr.p_paddr = 0;
39712 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
39713 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
39714 phdr.p_memsz = vma->vm_end - vma->vm_start;
39715 offset += phdr.p_filesz;
39716 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
39717 @@ -2006,7 +2319,7 @@ static int elf_core_dump(long signr, str
39718 unsigned long addr;
39719 unsigned long end;
39720
39721 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
39722 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
39723
39724 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
39725 struct page *page;
39726 @@ -2015,6 +2328,7 @@ static int elf_core_dump(long signr, str
39727 page = get_dump_page(addr);
39728 if (page) {
39729 void *kaddr = kmap(page);
39730 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
39731 stop = ((size += PAGE_SIZE) > limit) ||
39732 !dump_write(file, kaddr, PAGE_SIZE);
39733 kunmap(page);
39734 @@ -2042,6 +2356,97 @@ out:
39735
39736 #endif /* USE_ELF_CORE_DUMP */
39737
39738 +#ifdef CONFIG_PAX_MPROTECT
39739 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
39740 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
39741 + * we'll remove VM_MAYWRITE for good on RELRO segments.
39742 + *
39743 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
39744 + * basis because we want to allow the common case and not the special ones.
39745 + */
39746 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
39747 +{
39748 + struct elfhdr elf_h;
39749 + struct elf_phdr elf_p;
39750 + unsigned long i;
39751 + unsigned long oldflags;
39752 + bool is_textrel_rw, is_textrel_rx, is_relro;
39753 +
39754 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
39755 + return;
39756 +
39757 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
39758 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
39759 +
39760 +#ifdef CONFIG_PAX_ELFRELOCS
39761 + /* possible TEXTREL */
39762 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
39763 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
39764 +#else
39765 + is_textrel_rw = false;
39766 + is_textrel_rx = false;
39767 +#endif
39768 +
39769 + /* possible RELRO */
39770 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
39771 +
39772 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
39773 + return;
39774 +
39775 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
39776 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
39777 +
39778 +#ifdef CONFIG_PAX_ETEXECRELOCS
39779 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
39780 +#else
39781 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
39782 +#endif
39783 +
39784 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
39785 + !elf_check_arch(&elf_h) ||
39786 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
39787 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
39788 + return;
39789 +
39790 + for (i = 0UL; i < elf_h.e_phnum; i++) {
39791 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
39792 + return;
39793 + switch (elf_p.p_type) {
39794 + case PT_DYNAMIC:
39795 + if (!is_textrel_rw && !is_textrel_rx)
39796 + continue;
39797 + i = 0UL;
39798 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
39799 + elf_dyn dyn;
39800 +
39801 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
39802 + return;
39803 + if (dyn.d_tag == DT_NULL)
39804 + return;
39805 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
39806 + gr_log_textrel(vma);
39807 + if (is_textrel_rw)
39808 + vma->vm_flags |= VM_MAYWRITE;
39809 + else
39810 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
39811 + vma->vm_flags &= ~VM_MAYWRITE;
39812 + return;
39813 + }
39814 + i++;
39815 + }
39816 + return;
39817 +
39818 + case PT_GNU_RELRO:
39819 + if (!is_relro)
39820 + continue;
39821 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
39822 + vma->vm_flags &= ~VM_MAYWRITE;
39823 + return;
39824 + }
39825 + }
39826 +}
39827 +#endif
39828 +
39829 static int __init init_elf_binfmt(void)
39830 {
39831 return register_binfmt(&elf_format);
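Review bot: In elf_handle_mprotect() the `PT_DYNAMIC` case resets `i` to 0 and reuses it as the index of the dynamic-section scan, although `i` is also the counter of the enclosing program-header loop. This is correct only because every path out of the inner `while` returns; a later edit that lets control fall back into the `for` would resume the header walk at an unrelated index. A separate counter, `unsigned long j;` used in `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` and in the matching `kernel_read()` offset, removes that dependency. The `switch` would also read better with an explicit `default: break;`.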
39832 diff -urNp linux-2.6.32.43/fs/binfmt_flat.c linux-2.6.32.43/fs/binfmt_flat.c
39833 --- linux-2.6.32.43/fs/binfmt_flat.c 2011-03-27 14:31:47.000000000 -0400
39834 +++ linux-2.6.32.43/fs/binfmt_flat.c 2011-04-17 15:56:46.000000000 -0400
39835 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
39836 realdatastart = (unsigned long) -ENOMEM;
39837 printk("Unable to allocate RAM for process data, errno %d\n",
39838 (int)-realdatastart);
39839 + down_write(&current->mm->mmap_sem);
39840 do_munmap(current->mm, textpos, text_len);
39841 + up_write(&current->mm->mmap_sem);
39842 ret = realdatastart;
39843 goto err;
39844 }
39845 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
39846 }
39847 if (IS_ERR_VALUE(result)) {
39848 printk("Unable to read data+bss, errno %d\n", (int)-result);
39849 + down_write(&current->mm->mmap_sem);
39850 do_munmap(current->mm, textpos, text_len);
39851 do_munmap(current->mm, realdatastart, data_len + extra);
39852 + up_write(&current->mm->mmap_sem);
39853 ret = result;
39854 goto err;
39855 }
39856 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
39857 }
39858 if (IS_ERR_VALUE(result)) {
39859 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
39860 + down_write(&current->mm->mmap_sem);
39861 do_munmap(current->mm, textpos, text_len + data_len + extra +
39862 MAX_SHARED_LIBS * sizeof(unsigned long));
39863 + up_write(&current->mm->mmap_sem);
39864 ret = result;
39865 goto err;
39866 }
39867 diff -urNp linux-2.6.32.43/fs/bio.c linux-2.6.32.43/fs/bio.c
39868 --- linux-2.6.32.43/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
39869 +++ linux-2.6.32.43/fs/bio.c 2011-04-17 15:56:46.000000000 -0400
39870 @@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
39871
39872 i = 0;
39873 while (i < bio_slab_nr) {
39874 - struct bio_slab *bslab = &bio_slabs[i];
39875 + bslab = &bio_slabs[i];
39876
39877 if (!bslab->slab && entry == -1)
39878 entry = i;
39879 @@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
39880 const int read = bio_data_dir(bio) == READ;
39881 struct bio_map_data *bmd = bio->bi_private;
39882 int i;
39883 - char *p = bmd->sgvecs[0].iov_base;
39884 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
39885
39886 __bio_for_each_segment(bvec, bio, i, 0) {
39887 char *addr = page_address(bvec->bv_page);
39888 diff -urNp linux-2.6.32.43/fs/block_dev.c linux-2.6.32.43/fs/block_dev.c
39889 --- linux-2.6.32.43/fs/block_dev.c 2011-06-25 12:55:34.000000000 -0400
39890 +++ linux-2.6.32.43/fs/block_dev.c 2011-06-25 12:56:37.000000000 -0400
39891 @@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
39892 else if (bdev->bd_contains == bdev)
39893 res = 0; /* is a whole device which isn't held */
39894
39895 - else if (bdev->bd_contains->bd_holder == bd_claim)
39896 + else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
39897 res = 0; /* is a partition of a device that is being partitioned */
39898 else if (bdev->bd_contains->bd_holder != NULL)
39899 res = -EBUSY; /* is a partition of a held device */
39900 diff -urNp linux-2.6.32.43/fs/btrfs/ctree.c linux-2.6.32.43/fs/btrfs/ctree.c
39901 --- linux-2.6.32.43/fs/btrfs/ctree.c 2011-03-27 14:31:47.000000000 -0400
39902 +++ linux-2.6.32.43/fs/btrfs/ctree.c 2011-04-17 15:56:46.000000000 -0400
39903 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
39904 free_extent_buffer(buf);
39905 add_root_to_dirty_list(root);
39906 } else {
39907 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
39908 - parent_start = parent->start;
39909 - else
39910 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
39911 + if (parent)
39912 + parent_start = parent->start;
39913 + else
39914 + parent_start = 0;
39915 + } else
39916 parent_start = 0;
39917
39918 WARN_ON(trans->transid != btrfs_header_generation(parent));
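Review bot: The new `if (parent)` guard in __btrfs_cow_block() stops at the assignment of `parent_start`; the `WARN_ON(trans->transid != btrfs_header_generation(parent))` on the last line of the hunk still receives `parent` unconditionally. If `parent` can be NULL on this branch, as the added check implies, that call needs the same guard, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. btrfs_header_generation() is not visible here, so whether it tolerates NULL should be confirmed. The function continues outside the hunk.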
39919 @@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
39920
39921 ret = 0;
39922 if (slot == 0) {
39923 - struct btrfs_disk_key disk_key;
39924 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
39925 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
39926 }
39927 diff -urNp linux-2.6.32.43/fs/btrfs/disk-io.c linux-2.6.32.43/fs/btrfs/disk-io.c
39928 --- linux-2.6.32.43/fs/btrfs/disk-io.c 2011-04-17 17:00:52.000000000 -0400
39929 +++ linux-2.6.32.43/fs/btrfs/disk-io.c 2011-04-17 17:03:11.000000000 -0400
39930 @@ -39,7 +39,7 @@
39931 #include "tree-log.h"
39932 #include "free-space-cache.h"
39933
39934 -static struct extent_io_ops btree_extent_io_ops;
39935 +static const struct extent_io_ops btree_extent_io_ops;
39936 static void end_workqueue_fn(struct btrfs_work *work);
39937 static void free_fs_root(struct btrfs_root *root);
39938
39939 @@ -2607,7 +2607,7 @@ out:
39940 return 0;
39941 }
39942
39943 -static struct extent_io_ops btree_extent_io_ops = {
39944 +static const struct extent_io_ops btree_extent_io_ops = {
39945 .write_cache_pages_lock_hook = btree_lock_page_hook,
39946 .readpage_end_io_hook = btree_readpage_end_io_hook,
39947 .submit_bio_hook = btree_submit_bio_hook,
39948 diff -urNp linux-2.6.32.43/fs/btrfs/extent_io.h linux-2.6.32.43/fs/btrfs/extent_io.h
39949 --- linux-2.6.32.43/fs/btrfs/extent_io.h 2011-03-27 14:31:47.000000000 -0400
39950 +++ linux-2.6.32.43/fs/btrfs/extent_io.h 2011-04-17 15:56:46.000000000 -0400
39951 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
39952 struct bio *bio, int mirror_num,
39953 unsigned long bio_flags);
39954 struct extent_io_ops {
39955 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
39956 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
39957 u64 start, u64 end, int *page_started,
39958 unsigned long *nr_written);
39959 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
39960 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
39961 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
39962 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
39963 extent_submit_bio_hook_t *submit_bio_hook;
39964 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
39965 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
39966 size_t size, struct bio *bio,
39967 unsigned long bio_flags);
39968 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
39969 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
39970 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
39971 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
39972 u64 start, u64 end,
39973 struct extent_state *state);
39974 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
39975 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
39976 u64 start, u64 end,
39977 struct extent_state *state);
39978 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
39979 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
39980 struct extent_state *state);
39981 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
39982 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
39983 struct extent_state *state, int uptodate);
39984 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
39985 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
39986 unsigned long old, unsigned long bits);
39987 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
39988 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
39989 unsigned long bits);
39990 - int (*merge_extent_hook)(struct inode *inode,
39991 + int (* const merge_extent_hook)(struct inode *inode,
39992 struct extent_state *new,
39993 struct extent_state *other);
39994 - int (*split_extent_hook)(struct inode *inode,
39995 + int (* const split_extent_hook)(struct inode *inode,
39996 struct extent_state *orig, u64 split);
39997 - int (*write_cache_pages_lock_hook)(struct page *page);
39998 + int (* const write_cache_pages_lock_hook)(struct page *page);
39999 };
40000
40001 struct extent_io_tree {
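Review bot: Every function pointer in `struct extent_io_ops` gains `* const` except `submit_bio_hook`, which stays `extent_submit_bio_hook_t *submit_bio_hook;`. For consistency it should read `extent_submit_bio_hook_t * const submit_bio_hook;`. The instances shown in this patch are declared `static const struct extent_io_ops`, so the gap matters only for an instance that is not itself const.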
40002 @@ -88,7 +88,7 @@ struct extent_io_tree {
40003 u64 dirty_bytes;
40004 spinlock_t lock;
40005 spinlock_t buffer_lock;
40006 - struct extent_io_ops *ops;
40007 + const struct extent_io_ops *ops;
40008 };
40009
40010 struct extent_state {
40011 diff -urNp linux-2.6.32.43/fs/btrfs/extent-tree.c linux-2.6.32.43/fs/btrfs/extent-tree.c
40012 --- linux-2.6.32.43/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
40013 +++ linux-2.6.32.43/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
40014 @@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
40015 u64 group_start = group->key.objectid;
40016 new_extents = kmalloc(sizeof(*new_extents),
40017 GFP_NOFS);
40018 + if (!new_extents) {
40019 + ret = -ENOMEM;
40020 + goto out;
40021 + }
40022 nr_extents = 1;
40023 ret = get_new_locations(reloc_inode,
40024 extent_key,
40025 diff -urNp linux-2.6.32.43/fs/btrfs/free-space-cache.c linux-2.6.32.43/fs/btrfs/free-space-cache.c
40026 --- linux-2.6.32.43/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
40027 +++ linux-2.6.32.43/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
40028 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
40029
40030 while(1) {
40031 if (entry->bytes < bytes || entry->offset < min_start) {
40032 - struct rb_node *node;
40033 -
40034 node = rb_next(&entry->offset_index);
40035 if (!node)
40036 break;
40037 @@ -1226,7 +1224,7 @@ again:
40038 */
40039 while (entry->bitmap || found_bitmap ||
40040 (!entry->bitmap && entry->bytes < min_bytes)) {
40041 - struct rb_node *node = rb_next(&entry->offset_index);
40042 + node = rb_next(&entry->offset_index);
40043
40044 if (entry->bitmap && entry->bytes > bytes + empty_size) {
40045 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
40046 diff -urNp linux-2.6.32.43/fs/btrfs/inode.c linux-2.6.32.43/fs/btrfs/inode.c
40047 --- linux-2.6.32.43/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
40048 +++ linux-2.6.32.43/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
40049 @@ -63,7 +63,7 @@ static const struct inode_operations btr
40050 static const struct address_space_operations btrfs_aops;
40051 static const struct address_space_operations btrfs_symlink_aops;
40052 static const struct file_operations btrfs_dir_file_operations;
40053 -static struct extent_io_ops btrfs_extent_io_ops;
40054 +static const struct extent_io_ops btrfs_extent_io_ops;
40055
40056 static struct kmem_cache *btrfs_inode_cachep;
40057 struct kmem_cache *btrfs_trans_handle_cachep;
40058 @@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
40059 1, 0, NULL, GFP_NOFS);
40060 while (start < end) {
40061 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
40062 + BUG_ON(!async_cow);
40063 async_cow->inode = inode;
40064 async_cow->root = root;
40065 async_cow->locked_page = locked_page;
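Review bot: `BUG_ON(!async_cow)` in cow_file_range_async() turns a failed `kmalloc(sizeof(*async_cow), GFP_NOFS)` into a kernel BUG, whereas the uncompress_inline() hunk in the same file handles the same condition with `return -ENOMEM;`. It does stop the NULL dereference on the next line, but memory pressure then halts the kernel instead of failing the request. If earlier loop iterations have already queued work that cannot be unwound (not visible here), that reason belongs in a comment, e.g. `/* no unwind path for ranges already queued; allocation failure is fatal here */`. The loop body continues outside the hunk.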
40066 @@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
40067 inline_size = btrfs_file_extent_inline_item_len(leaf,
40068 btrfs_item_nr(leaf, path->slots[0]));
40069 tmp = kmalloc(inline_size, GFP_NOFS);
40070 + if (!tmp)
40071 + return -ENOMEM;
40072 ptr = btrfs_file_extent_inline_start(item);
40073
40074 read_extent_buffer(leaf, tmp, ptr, inline_size);
40075 @@ -5410,7 +5413,7 @@ fail:
40076 return -ENOMEM;
40077 }
40078
40079 -static int btrfs_getattr(struct vfsmount *mnt,
40080 +int btrfs_getattr(struct vfsmount *mnt,
40081 struct dentry *dentry, struct kstat *stat)
40082 {
40083 struct inode *inode = dentry->d_inode;
40084 @@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
40085 return 0;
40086 }
40087
40088 +EXPORT_SYMBOL(btrfs_getattr);
40089 +
40090 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
40091 +{
40092 + return BTRFS_I(inode)->root->anon_super.s_dev;
40093 +}
40094 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
40095 +
40096 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
40097 struct inode *new_dir, struct dentry *new_dentry)
40098 {
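Review bot: `get_btrfs_dev_from_inode()` is exported without a comment or a visible prototype, and it follows `BTRFS_I(inode)->root->anon_super.s_dev` with no check on any link of the chain. Callers outside btrfs have to know that the inode must belong to a btrfs filesystem; passing any other inode would read unrelated memory, assuming BTRFS_I() is the usual container conversion. A kernel-doc comment stating that precondition, plus a declaration in a shared header, should accompany the export. The same applies to `btrfs_getattr()`, whose `static` is dropped in the previous hunk.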
40099 @@ -5972,7 +5983,7 @@ static const struct file_operations btrf
40100 .fsync = btrfs_sync_file,
40101 };
40102
40103 -static struct extent_io_ops btrfs_extent_io_ops = {
40104 +static const struct extent_io_ops btrfs_extent_io_ops = {
40105 .fill_delalloc = run_delalloc_range,
40106 .submit_bio_hook = btrfs_submit_bio_hook,
40107 .merge_bio_hook = btrfs_merge_bio_hook,
40108 diff -urNp linux-2.6.32.43/fs/btrfs/relocation.c linux-2.6.32.43/fs/btrfs/relocation.c
40109 --- linux-2.6.32.43/fs/btrfs/relocation.c 2011-03-27 14:31:47.000000000 -0400
40110 +++ linux-2.6.32.43/fs/btrfs/relocation.c 2011-04-17 15:56:46.000000000 -0400
40111 @@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
40112 }
40113 spin_unlock(&rc->reloc_root_tree.lock);
40114
40115 - BUG_ON((struct btrfs_root *)node->data != root);
40116 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
40117
40118 if (!del) {
40119 spin_lock(&rc->reloc_root_tree.lock);
40120 diff -urNp linux-2.6.32.43/fs/btrfs/sysfs.c linux-2.6.32.43/fs/btrfs/sysfs.c
40121 --- linux-2.6.32.43/fs/btrfs/sysfs.c 2011-03-27 14:31:47.000000000 -0400
40122 +++ linux-2.6.32.43/fs/btrfs/sysfs.c 2011-04-17 15:56:46.000000000 -0400
40123 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
40124 complete(&root->kobj_unregister);
40125 }
40126
40127 -static struct sysfs_ops btrfs_super_attr_ops = {
40128 +static const struct sysfs_ops btrfs_super_attr_ops = {
40129 .show = btrfs_super_attr_show,
40130 .store = btrfs_super_attr_store,
40131 };
40132
40133 -static struct sysfs_ops btrfs_root_attr_ops = {
40134 +static const struct sysfs_ops btrfs_root_attr_ops = {
40135 .show = btrfs_root_attr_show,
40136 .store = btrfs_root_attr_store,
40137 };
40138 diff -urNp linux-2.6.32.43/fs/buffer.c linux-2.6.32.43/fs/buffer.c
40139 --- linux-2.6.32.43/fs/buffer.c 2011-03-27 14:31:47.000000000 -0400
40140 +++ linux-2.6.32.43/fs/buffer.c 2011-04-17 15:56:46.000000000 -0400
40141 @@ -25,6 +25,7 @@
40142 #include <linux/percpu.h>
40143 #include <linux/slab.h>
40144 #include <linux/capability.h>
40145 +#include <linux/security.h>
40146 #include <linux/blkdev.h>
40147 #include <linux/file.h>
40148 #include <linux/quotaops.h>
40149 diff -urNp linux-2.6.32.43/fs/cachefiles/bind.c linux-2.6.32.43/fs/cachefiles/bind.c
40150 --- linux-2.6.32.43/fs/cachefiles/bind.c 2011-03-27 14:31:47.000000000 -0400
40151 +++ linux-2.6.32.43/fs/cachefiles/bind.c 2011-04-17 15:56:46.000000000 -0400
40152 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
40153 args);
40154
40155 /* start by checking things over */
40156 - ASSERT(cache->fstop_percent >= 0 &&
40157 - cache->fstop_percent < cache->fcull_percent &&
40158 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
40159 cache->fcull_percent < cache->frun_percent &&
40160 cache->frun_percent < 100);
40161
40162 - ASSERT(cache->bstop_percent >= 0 &&
40163 - cache->bstop_percent < cache->bcull_percent &&
40164 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
40165 cache->bcull_percent < cache->brun_percent &&
40166 cache->brun_percent < 100);
40167
40168 diff -urNp linux-2.6.32.43/fs/cachefiles/daemon.c linux-2.6.32.43/fs/cachefiles/daemon.c
40169 --- linux-2.6.32.43/fs/cachefiles/daemon.c 2011-03-27 14:31:47.000000000 -0400
40170 +++ linux-2.6.32.43/fs/cachefiles/daemon.c 2011-04-17 15:56:46.000000000 -0400
40171 @@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
40172 if (test_bit(CACHEFILES_DEAD, &cache->flags))
40173 return -EIO;
40174
40175 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
40176 + if (datalen > PAGE_SIZE - 1)
40177 return -EOPNOTSUPP;
40178
40179 /* drag the command string into the kernel so we can parse it */
40180 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
40181 if (args[0] != '%' || args[1] != '\0')
40182 return -EINVAL;
40183
40184 - if (fstop < 0 || fstop >= cache->fcull_percent)
40185 + if (fstop >= cache->fcull_percent)
40186 return cachefiles_daemon_range_error(cache, args);
40187
40188 cache->fstop_percent = fstop;
40189 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
40190 if (args[0] != '%' || args[1] != '\0')
40191 return -EINVAL;
40192
40193 - if (bstop < 0 || bstop >= cache->bcull_percent)
40194 + if (bstop >= cache->bcull_percent)
40195 return cachefiles_daemon_range_error(cache, args);
40196
40197 cache->bstop_percent = bstop;
40198 diff -urNp linux-2.6.32.43/fs/cachefiles/internal.h linux-2.6.32.43/fs/cachefiles/internal.h
40199 --- linux-2.6.32.43/fs/cachefiles/internal.h 2011-03-27 14:31:47.000000000 -0400
40200 +++ linux-2.6.32.43/fs/cachefiles/internal.h 2011-05-04 17:56:28.000000000 -0400
40201 @@ -56,7 +56,7 @@ struct cachefiles_cache {
40202 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
40203 struct rb_root active_nodes; /* active nodes (can't be culled) */
40204 rwlock_t active_lock; /* lock for active_nodes */
40205 - atomic_t gravecounter; /* graveyard uniquifier */
40206 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
40207 unsigned frun_percent; /* when to stop culling (% files) */
40208 unsigned fcull_percent; /* when to start culling (% files) */
40209 unsigned fstop_percent; /* when to stop allocating (% files) */
40210 @@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
40211 * proc.c
40212 */
40213 #ifdef CONFIG_CACHEFILES_HISTOGRAM
40214 -extern atomic_t cachefiles_lookup_histogram[HZ];
40215 -extern atomic_t cachefiles_mkdir_histogram[HZ];
40216 -extern atomic_t cachefiles_create_histogram[HZ];
40217 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40218 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40219 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
40220
40221 extern int __init cachefiles_proc_init(void);
40222 extern void cachefiles_proc_cleanup(void);
40223 static inline
40224 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
40225 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
40226 {
40227 unsigned long jif = jiffies - start_jif;
40228 if (jif >= HZ)
40229 jif = HZ - 1;
40230 - atomic_inc(&histogram[jif]);
40231 + atomic_inc_unchecked(&histogram[jif]);
40232 }
40233
40234 #else
40235 diff -urNp linux-2.6.32.43/fs/cachefiles/namei.c linux-2.6.32.43/fs/cachefiles/namei.c
40236 --- linux-2.6.32.43/fs/cachefiles/namei.c 2011-03-27 14:31:47.000000000 -0400
40237 +++ linux-2.6.32.43/fs/cachefiles/namei.c 2011-05-04 17:56:28.000000000 -0400
40238 @@ -250,7 +250,7 @@ try_again:
40239 /* first step is to make up a grave dentry in the graveyard */
40240 sprintf(nbuffer, "%08x%08x",
40241 (uint32_t) get_seconds(),
40242 - (uint32_t) atomic_inc_return(&cache->gravecounter));
40243 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
40244
40245 /* do the multiway lock magic */
40246 trap = lock_rename(cache->graveyard, dir);
40247 diff -urNp linux-2.6.32.43/fs/cachefiles/proc.c linux-2.6.32.43/fs/cachefiles/proc.c
40248 --- linux-2.6.32.43/fs/cachefiles/proc.c 2011-03-27 14:31:47.000000000 -0400
40249 +++ linux-2.6.32.43/fs/cachefiles/proc.c 2011-05-04 17:56:28.000000000 -0400
40250 @@ -14,9 +14,9 @@
40251 #include <linux/seq_file.h>
40252 #include "internal.h"
40253
40254 -atomic_t cachefiles_lookup_histogram[HZ];
40255 -atomic_t cachefiles_mkdir_histogram[HZ];
40256 -atomic_t cachefiles_create_histogram[HZ];
40257 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
40258 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
40259 +atomic_unchecked_t cachefiles_create_histogram[HZ];
40260
40261 /*
40262 * display the latency histogram
40263 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
40264 return 0;
40265 default:
40266 index = (unsigned long) v - 3;
40267 - x = atomic_read(&cachefiles_lookup_histogram[index]);
40268 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
40269 - z = atomic_read(&cachefiles_create_histogram[index]);
40270 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
40271 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
40272 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
40273 if (x == 0 && y == 0 && z == 0)
40274 return 0;
40275
40276 diff -urNp linux-2.6.32.43/fs/cachefiles/rdwr.c linux-2.6.32.43/fs/cachefiles/rdwr.c
40277 --- linux-2.6.32.43/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
40278 +++ linux-2.6.32.43/fs/cachefiles/rdwr.c 2011-04-17 15:56:46.000000000 -0400
40279 @@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
40280 old_fs = get_fs();
40281 set_fs(KERNEL_DS);
40282 ret = file->f_op->write(
40283 - file, (const void __user *) data, len, &pos);
40284 + file, (__force const void __user *) data, len, &pos);
40285 set_fs(old_fs);
40286 kunmap(page);
40287 if (ret != len)
40288 diff -urNp linux-2.6.32.43/fs/cifs/cifs_debug.c linux-2.6.32.43/fs/cifs/cifs_debug.c
40289 --- linux-2.6.32.43/fs/cifs/cifs_debug.c 2011-03-27 14:31:47.000000000 -0400
40290 +++ linux-2.6.32.43/fs/cifs/cifs_debug.c 2011-05-04 17:56:28.000000000 -0400
40291 @@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
40292 tcon = list_entry(tmp3,
40293 struct cifsTconInfo,
40294 tcon_list);
40295 - atomic_set(&tcon->num_smbs_sent, 0);
40296 - atomic_set(&tcon->num_writes, 0);
40297 - atomic_set(&tcon->num_reads, 0);
40298 - atomic_set(&tcon->num_oplock_brks, 0);
40299 - atomic_set(&tcon->num_opens, 0);
40300 - atomic_set(&tcon->num_posixopens, 0);
40301 - atomic_set(&tcon->num_posixmkdirs, 0);
40302 - atomic_set(&tcon->num_closes, 0);
40303 - atomic_set(&tcon->num_deletes, 0);
40304 - atomic_set(&tcon->num_mkdirs, 0);
40305 - atomic_set(&tcon->num_rmdirs, 0);
40306 - atomic_set(&tcon->num_renames, 0);
40307 - atomic_set(&tcon->num_t2renames, 0);
40308 - atomic_set(&tcon->num_ffirst, 0);
40309 - atomic_set(&tcon->num_fnext, 0);
40310 - atomic_set(&tcon->num_fclose, 0);
40311 - atomic_set(&tcon->num_hardlinks, 0);
40312 - atomic_set(&tcon->num_symlinks, 0);
40313 - atomic_set(&tcon->num_locks, 0);
40314 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
40315 + atomic_set_unchecked(&tcon->num_writes, 0);
40316 + atomic_set_unchecked(&tcon->num_reads, 0);
40317 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
40318 + atomic_set_unchecked(&tcon->num_opens, 0);
40319 + atomic_set_unchecked(&tcon->num_posixopens, 0);
40320 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
40321 + atomic_set_unchecked(&tcon->num_closes, 0);
40322 + atomic_set_unchecked(&tcon->num_deletes, 0);
40323 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
40324 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
40325 + atomic_set_unchecked(&tcon->num_renames, 0);
40326 + atomic_set_unchecked(&tcon->num_t2renames, 0);
40327 + atomic_set_unchecked(&tcon->num_ffirst, 0);
40328 + atomic_set_unchecked(&tcon->num_fnext, 0);
40329 + atomic_set_unchecked(&tcon->num_fclose, 0);
40330 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
40331 + atomic_set_unchecked(&tcon->num_symlinks, 0);
40332 + atomic_set_unchecked(&tcon->num_locks, 0);
40333 }
40334 }
40335 }
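Review bot: The reset list in cifs_stats_proc_write still skips `num_flushes`, although cifs_stats_proc_show prints it as "Flushes" and the cifsglob.h section of this patch converts it together with the other counters; `num_acl_get` and `num_acl_set` are skipped as well. Unless those counters are cleared somewhere outside this hunk, a write to the stats file leaves them at their old values while every other counter restarts from zero. Adding `atomic_set_unchecked(&tcon->num_flushes, 0);` and the two ACL counters next to the existing resets would keep the report consistent. The function body starts above the hunk.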
40336 @@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
40337 if (tcon->need_reconnect)
40338 seq_puts(m, "\tDISCONNECTED ");
40339 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
40340 - atomic_read(&tcon->num_smbs_sent),
40341 - atomic_read(&tcon->num_oplock_brks));
40342 + atomic_read_unchecked(&tcon->num_smbs_sent),
40343 + atomic_read_unchecked(&tcon->num_oplock_brks));
40344 seq_printf(m, "\nReads: %d Bytes: %lld",
40345 - atomic_read(&tcon->num_reads),
40346 + atomic_read_unchecked(&tcon->num_reads),
40347 (long long)(tcon->bytes_read));
40348 seq_printf(m, "\nWrites: %d Bytes: %lld",
40349 - atomic_read(&tcon->num_writes),
40350 + atomic_read_unchecked(&tcon->num_writes),
40351 (long long)(tcon->bytes_written));
40352 seq_printf(m, "\nFlushes: %d",
40353 - atomic_read(&tcon->num_flushes));
40354 + atomic_read_unchecked(&tcon->num_flushes));
40355 seq_printf(m, "\nLocks: %d HardLinks: %d "
40356 "Symlinks: %d",
40357 - atomic_read(&tcon->num_locks),
40358 - atomic_read(&tcon->num_hardlinks),
40359 - atomic_read(&tcon->num_symlinks));
40360 + atomic_read_unchecked(&tcon->num_locks),
40361 + atomic_read_unchecked(&tcon->num_hardlinks),
40362 + atomic_read_unchecked(&tcon->num_symlinks));
40363 seq_printf(m, "\nOpens: %d Closes: %d "
40364 "Deletes: %d",
40365 - atomic_read(&tcon->num_opens),
40366 - atomic_read(&tcon->num_closes),
40367 - atomic_read(&tcon->num_deletes));
40368 + atomic_read_unchecked(&tcon->num_opens),
40369 + atomic_read_unchecked(&tcon->num_closes),
40370 + atomic_read_unchecked(&tcon->num_deletes));
40371 seq_printf(m, "\nPosix Opens: %d "
40372 "Posix Mkdirs: %d",
40373 - atomic_read(&tcon->num_posixopens),
40374 - atomic_read(&tcon->num_posixmkdirs));
40375 + atomic_read_unchecked(&tcon->num_posixopens),
40376 + atomic_read_unchecked(&tcon->num_posixmkdirs));
40377 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
40378 - atomic_read(&tcon->num_mkdirs),
40379 - atomic_read(&tcon->num_rmdirs));
40380 + atomic_read_unchecked(&tcon->num_mkdirs),
40381 + atomic_read_unchecked(&tcon->num_rmdirs));
40382 seq_printf(m, "\nRenames: %d T2 Renames %d",
40383 - atomic_read(&tcon->num_renames),
40384 - atomic_read(&tcon->num_t2renames));
40385 + atomic_read_unchecked(&tcon->num_renames),
40386 + atomic_read_unchecked(&tcon->num_t2renames));
40387 seq_printf(m, "\nFindFirst: %d FNext %d "
40388 "FClose %d",
40389 - atomic_read(&tcon->num_ffirst),
40390 - atomic_read(&tcon->num_fnext),
40391 - atomic_read(&tcon->num_fclose));
40392 + atomic_read_unchecked(&tcon->num_ffirst),
40393 + atomic_read_unchecked(&tcon->num_fnext),
40394 + atomic_read_unchecked(&tcon->num_fclose));
40395 }
40396 }
40397 }
40398 diff -urNp linux-2.6.32.43/fs/cifs/cifsglob.h linux-2.6.32.43/fs/cifs/cifsglob.h
40399 --- linux-2.6.32.43/fs/cifs/cifsglob.h 2011-03-27 14:31:47.000000000 -0400
40400 +++ linux-2.6.32.43/fs/cifs/cifsglob.h 2011-05-04 17:56:28.000000000 -0400
40401 @@ -252,28 +252,28 @@ struct cifsTconInfo {
40402 __u16 Flags; /* optional support bits */
40403 enum statusEnum tidStatus;
40404 #ifdef CONFIG_CIFS_STATS
40405 - atomic_t num_smbs_sent;
40406 - atomic_t num_writes;
40407 - atomic_t num_reads;
40408 - atomic_t num_flushes;
40409 - atomic_t num_oplock_brks;
40410 - atomic_t num_opens;
40411 - atomic_t num_closes;
40412 - atomic_t num_deletes;
40413 - atomic_t num_mkdirs;
40414 - atomic_t num_posixopens;
40415 - atomic_t num_posixmkdirs;
40416 - atomic_t num_rmdirs;
40417 - atomic_t num_renames;
40418 - atomic_t num_t2renames;
40419 - atomic_t num_ffirst;
40420 - atomic_t num_fnext;
40421 - atomic_t num_fclose;
40422 - atomic_t num_hardlinks;
40423 - atomic_t num_symlinks;
40424 - atomic_t num_locks;
40425 - atomic_t num_acl_get;
40426 - atomic_t num_acl_set;
40427 + atomic_unchecked_t num_smbs_sent;
40428 + atomic_unchecked_t num_writes;
40429 + atomic_unchecked_t num_reads;
40430 + atomic_unchecked_t num_flushes;
40431 + atomic_unchecked_t num_oplock_brks;
40432 + atomic_unchecked_t num_opens;
40433 + atomic_unchecked_t num_closes;
40434 + atomic_unchecked_t num_deletes;
40435 + atomic_unchecked_t num_mkdirs;
40436 + atomic_unchecked_t num_posixopens;
40437 + atomic_unchecked_t num_posixmkdirs;
40438 + atomic_unchecked_t num_rmdirs;
40439 + atomic_unchecked_t num_renames;
40440 + atomic_unchecked_t num_t2renames;
40441 + atomic_unchecked_t num_ffirst;
40442 + atomic_unchecked_t num_fnext;
40443 + atomic_unchecked_t num_fclose;
40444 + atomic_unchecked_t num_hardlinks;
40445 + atomic_unchecked_t num_symlinks;
40446 + atomic_unchecked_t num_locks;
40447 + atomic_unchecked_t num_acl_get;
40448 + atomic_unchecked_t num_acl_set;
40449 #ifdef CONFIG_CIFS_STATS2
40450 unsigned long long time_writes;
40451 unsigned long long time_reads;
40452 @@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
40453 }
40454
40455 #ifdef CONFIG_CIFS_STATS
40456 -#define cifs_stats_inc atomic_inc
40457 +#define cifs_stats_inc atomic_inc_unchecked
40458
40459 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
40460 unsigned int bytes)
40461 diff -urNp linux-2.6.32.43/fs/cifs/link.c linux-2.6.32.43/fs/cifs/link.c
40462 --- linux-2.6.32.43/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
40463 +++ linux-2.6.32.43/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
40464 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
40465
40466 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
40467 {
40468 - char *p = nd_get_link(nd);
40469 + const char *p = nd_get_link(nd);
40470 if (!IS_ERR(p))
40471 kfree(p);
40472 }
40473 diff -urNp linux-2.6.32.43/fs/coda/cache.c linux-2.6.32.43/fs/coda/cache.c
40474 --- linux-2.6.32.43/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
40475 +++ linux-2.6.32.43/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
40476 @@ -24,14 +24,14 @@
40477 #include <linux/coda_fs_i.h>
40478 #include <linux/coda_cache.h>
40479
40480 -static atomic_t permission_epoch = ATOMIC_INIT(0);
40481 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
40482
40483 /* replace or extend an acl cache hit */
40484 void coda_cache_enter(struct inode *inode, int mask)
40485 {
40486 struct coda_inode_info *cii = ITOC(inode);
40487
40488 - cii->c_cached_epoch = atomic_read(&permission_epoch);
40489 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
40490 if (cii->c_uid != current_fsuid()) {
40491 cii->c_uid = current_fsuid();
40492 cii->c_cached_perm = mask;
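Review bot: `permission_epoch` is not a statistic, so converting it to `atomic_unchecked_t` needs a comment saying why wraparound is acceptable. coda_cache_check compares it with `c_cached_epoch` to decide whether a cached permission mask still counts as a hit. As far as the type name indicates, the unchecked variant opts the counter out of overflow detection, so an entry cached one full wrap ago would compare equal again; that is presumably considered unreachable in practice, but the reasoning is not written down. A line such as `/* epoch only has to differ from recently cached values, so wrap is tolerated */` above the declaration would do. The same conversion is applied in the two following hunks of this file.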
40493 @@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
40494 void coda_cache_clear_inode(struct inode *inode)
40495 {
40496 struct coda_inode_info *cii = ITOC(inode);
40497 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
40498 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
40499 }
40500
40501 /* remove all acl caches */
40502 void coda_cache_clear_all(struct super_block *sb)
40503 {
40504 - atomic_inc(&permission_epoch);
40505 + atomic_inc_unchecked(&permission_epoch);
40506 }
40507
40508
40509 @@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
40510
40511 hit = (mask & cii->c_cached_perm) == mask &&
40512 cii->c_uid == current_fsuid() &&
40513 - cii->c_cached_epoch == atomic_read(&permission_epoch);
40514 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
40515
40516 return hit;
40517 }
40518 diff -urNp linux-2.6.32.43/fs/compat_binfmt_elf.c linux-2.6.32.43/fs/compat_binfmt_elf.c
40519 --- linux-2.6.32.43/fs/compat_binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
40520 +++ linux-2.6.32.43/fs/compat_binfmt_elf.c 2011-04-17 15:56:46.000000000 -0400
40521 @@ -29,10 +29,12 @@
40522 #undef elfhdr
40523 #undef elf_phdr
40524 #undef elf_note
40525 +#undef elf_dyn
40526 #undef elf_addr_t
40527 #define elfhdr elf32_hdr
40528 #define elf_phdr elf32_phdr
40529 #define elf_note elf32_note
40530 +#define elf_dyn Elf32_Dyn
40531 #define elf_addr_t Elf32_Addr
40532
40533 /*
40534 diff -urNp linux-2.6.32.43/fs/compat.c linux-2.6.32.43/fs/compat.c
40535 --- linux-2.6.32.43/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
40536 +++ linux-2.6.32.43/fs/compat.c 2011-05-16 21:46:57.000000000 -0400
40537 @@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
40538
40539 struct compat_readdir_callback {
40540 struct compat_old_linux_dirent __user *dirent;
40541 + struct file * file;
40542 int result;
40543 };
40544
40545 @@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
40546 buf->result = -EOVERFLOW;
40547 return -EOVERFLOW;
40548 }
40549 +
40550 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40551 + return 0;
40552 +
40553 buf->result++;
40554 dirent = buf->dirent;
40555 if (!access_ok(VERIFY_WRITE, dirent,
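Review bot: In compat_fillonedir the `gr_acl_handle_filldir` test sits after the branch that sets `buf->result = -EOVERFLOW`, so an entry the policy would hide can still end the call with -EOVERFLOW instead of being skipped. The caller then gets an error that depends on an entry it is not supposed to see. Moving the three added lines ahead of the overflow test would make hidden entries invisible on that path too. The compat_filldir hunk further down has the same placement after its `buf->error = -EOVERFLOW` branch. Both function bodies start outside their hunks, so the position of the overflow test is taken from the context lines only.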
40556 @@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
40557
40558 buf.result = 0;
40559 buf.dirent = dirent;
40560 + buf.file = file;
40561
40562 error = vfs_readdir(file, compat_fillonedir, &buf);
40563 if (buf.result)
40564 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
40565 struct compat_getdents_callback {
40566 struct compat_linux_dirent __user *current_dir;
40567 struct compat_linux_dirent __user *previous;
40568 + struct file * file;
40569 int count;
40570 int error;
40571 };
40572 @@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
40573 buf->error = -EOVERFLOW;
40574 return -EOVERFLOW;
40575 }
40576 +
40577 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40578 + return 0;
40579 +
40580 dirent = buf->previous;
40581 if (dirent) {
40582 if (__put_user(offset, &dirent->d_off))
40583 @@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
40584 buf.previous = NULL;
40585 buf.count = count;
40586 buf.error = 0;
40587 + buf.file = file;
40588
40589 error = vfs_readdir(file, compat_filldir, &buf);
40590 if (error >= 0)
40591 @@ -987,6 +999,7 @@ out:
40592 struct compat_getdents_callback64 {
40593 struct linux_dirent64 __user *current_dir;
40594 struct linux_dirent64 __user *previous;
40595 + struct file * file;
40596 int count;
40597 int error;
40598 };
40599 @@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
40600 buf->error = -EINVAL; /* only used if we fail.. */
40601 if (reclen > buf->count)
40602 return -EINVAL;
40603 +
40604 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
40605 + return 0;
40606 +
40607 dirent = buf->previous;
40608
40609 if (dirent) {
40610 @@ -1054,6 +1071,7 @@ asmlinkage long compat_sys_getdents64(un
40611 buf.previous = NULL;
40612 buf.count = count;
40613 buf.error = 0;
40614 + buf.file = file;
40615
40616 error = vfs_readdir(file, compat_filldir64, &buf);
40617 if (error >= 0)
40618 @@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
40619 * verify all the pointers
40620 */
40621 ret = -EINVAL;
40622 - if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
40623 + if (nr_segs > UIO_MAXIOV)
40624 goto out;
40625 if (!file->f_op)
40626 goto out;
40627 @@ -1463,6 +1481,11 @@ int compat_do_execve(char * filename,
40628 compat_uptr_t __user *envp,
40629 struct pt_regs * regs)
40630 {
40631 +#ifdef CONFIG_GRKERNSEC
40632 + struct file *old_exec_file;
40633 + struct acl_subject_label *old_acl;
40634 + struct rlimit old_rlim[RLIM_NLIMITS];
40635 +#endif
40636 struct linux_binprm *bprm;
40637 struct file *file;
40638 struct files_struct *displaced;
40639 @@ -1499,6 +1522,19 @@ int compat_do_execve(char * filename,
40640 bprm->filename = filename;
40641 bprm->interp = filename;
40642
40643 + if (gr_process_user_ban()) {
40644 + retval = -EPERM;
40645 + goto out_file;
40646 + }
40647 +
40648 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
40649 + retval = -EAGAIN;
40650 + if (gr_handle_nproc())
40651 + goto out_file;
40652 + retval = -EACCES;
40653 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
40654 + goto out_file;
40655 +
40656 retval = bprm_mm_init(bprm);
40657 if (retval)
40658 goto out_file;
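Review bot: The grsecurity checks added here are written differently from the same checks added to do_execve in fs/exec.c later in this patch. This copy presets `retval` and uses unbraced `goto out_file`, while the other uses braced blocks that set `retval` inside. The behaviour looks identical, but two hand-maintained copies of a security gate are easier to keep in step when they are textually the same, so I would use the braced form here as well. The function body starts and ends outside the hunk.

```c
	gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);

	if (gr_handle_nproc()) {
		retval = -EAGAIN;
		goto out_file;
	}

	if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
		retval = -EACCES;
		goto out_file;
	}

	/* ... unchanged: bprm_mm_init() call and its error check ... */
```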
40659 @@ -1528,9 +1564,40 @@ int compat_do_execve(char * filename,
40660 if (retval < 0)
40661 goto out;
40662
40663 + if (!gr_tpe_allow(file)) {
40664 + retval = -EACCES;
40665 + goto out;
40666 + }
40667 +
40668 + if (gr_check_crash_exec(file)) {
40669 + retval = -EACCES;
40670 + goto out;
40671 + }
40672 +
40673 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
40674 +
40675 + gr_handle_exec_args_compat(bprm, argv);
40676 +
40677 +#ifdef CONFIG_GRKERNSEC
40678 + old_acl = current->acl;
40679 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
40680 + old_exec_file = current->exec_file;
40681 + get_file(file);
40682 + current->exec_file = file;
40683 +#endif
40684 +
40685 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
40686 + bprm->unsafe & LSM_UNSAFE_SHARE);
40687 + if (retval < 0)
40688 + goto out_fail;
40689 +
40690 retval = search_binary_handler(bprm, regs);
40691 if (retval < 0)
40692 - goto out;
40693 + goto out_fail;
40694 +#ifdef CONFIG_GRKERNSEC
40695 + if (old_exec_file)
40696 + fput(old_exec_file);
40697 +#endif
40698
40699 /* execve succeeded */
40700 current->fs->in_exec = 0;
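Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and the restore under `out_fail:` in the next hunk copy the whole `signal->rlim` array with no lock taken in either hunk. That array belongs to the thread group rather than to the calling task, so if another thread can still change a limit between the snapshot and a failing `search_binary_handler`, the restore would silently undo that change. If this tree serialises rlimit updates with `task_lock(current->group_leader)`, taking it around both copies would close the window; otherwise a comment stating why the copies cannot race is needed. do_execve in fs/exec.c declares the same `old_rlim` array, so the point most likely applies there too.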
40701 @@ -1541,6 +1608,14 @@ int compat_do_execve(char * filename,
40702 put_files_struct(displaced);
40703 return retval;
40704
40705 +out_fail:
40706 +#ifdef CONFIG_GRKERNSEC
40707 + current->acl = old_acl;
40708 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
40709 + fput(current->exec_file);
40710 + current->exec_file = old_exec_file;
40711 +#endif
40712 +
40713 out:
40714 if (bprm->mm) {
40715 acct_arg_size(bprm, 0);
40716 @@ -1711,6 +1786,8 @@ int compat_core_sys_select(int n, compat
40717 struct fdtable *fdt;
40718 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
40719
40720 + pax_track_stack();
40721 +
40722 if (n < 0)
40723 goto out_nofds;
40724
40725 diff -urNp linux-2.6.32.43/fs/compat_ioctl.c linux-2.6.32.43/fs/compat_ioctl.c
40726 --- linux-2.6.32.43/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
40727 +++ linux-2.6.32.43/fs/compat_ioctl.c 2011-04-23 12:56:11.000000000 -0400
40728 @@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
40729 up = (struct compat_video_spu_palette __user *) arg;
40730 err = get_user(palp, &up->palette);
40731 err |= get_user(length, &up->length);
40732 + if (err)
40733 + return -EFAULT;
40734
40735 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
40736 err = put_user(compat_ptr(palp), &up_native->palette);
40737 diff -urNp linux-2.6.32.43/fs/configfs/dir.c linux-2.6.32.43/fs/configfs/dir.c
40738 --- linux-2.6.32.43/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
40739 +++ linux-2.6.32.43/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
40740 @@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
40741 }
40742 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
40743 struct configfs_dirent *next;
40744 - const char * name;
40745 + const unsigned char * name;
40746 + char d_name[sizeof(next->s_dentry->d_iname)];
40747 int len;
40748
40749 next = list_entry(p, struct configfs_dirent,
40750 @@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
40751 continue;
40752
40753 name = configfs_get_name(next);
40754 - len = strlen(name);
40755 + if (next->s_dentry && name == next->s_dentry->d_iname) {
40756 + len = next->s_dentry->d_name.len;
40757 + memcpy(d_name, name, len);
40758 + name = d_name;
40759 + } else
40760 + len = strlen(name);
40761 if (next->s_dentry)
40762 ino = next->s_dentry->d_inode->i_ino;
40763 else
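Review bot: `memcpy(d_name, name, len)` trusts `next->s_dentry->d_name.len` to fit the on-stack `d_name`, which is sized from `d_iname`, and nothing in the hunk compares the two. The copy presumably exists because the dentry name can change under the reader, and in that case the pointer comparison and the length read are separate loads, so a bound check before the copy is cheap insurance, for example `if (len < 0 || len > (int)sizeof(d_name)) continue;` or whichever failure policy fits this loop. Separately, `name` is now `const unsigned char *` but is assigned the `char` array `d_name` and passed to `strlen`, which will draw pointer-signedness warnings. The loop and the function begin outside these hunks, so any locking that already rules the mismatch out is not visible here.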
40764 diff -urNp linux-2.6.32.43/fs/dcache.c linux-2.6.32.43/fs/dcache.c
40765 --- linux-2.6.32.43/fs/dcache.c 2011-03-27 14:31:47.000000000 -0400
40766 +++ linux-2.6.32.43/fs/dcache.c 2011-04-23 13:32:21.000000000 -0400
40767 @@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
40768
40769 static struct kmem_cache *dentry_cache __read_mostly;
40770
40771 -#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
40772 -
40773 /*
40774 * This is the single most critical data structure when it comes
40775 * to the dcache: the hashtable for lookups. Somebody should try
40776 @@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
40777 mempages -= reserve;
40778
40779 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
40780 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
40781 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
40782
40783 dcache_init();
40784 inode_init();
40785 diff -urNp linux-2.6.32.43/fs/dlm/lockspace.c linux-2.6.32.43/fs/dlm/lockspace.c
40786 --- linux-2.6.32.43/fs/dlm/lockspace.c 2011-03-27 14:31:47.000000000 -0400
40787 +++ linux-2.6.32.43/fs/dlm/lockspace.c 2011-04-17 15:56:46.000000000 -0400
40788 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
40789 kfree(ls);
40790 }
40791
40792 -static struct sysfs_ops dlm_attr_ops = {
40793 +static const struct sysfs_ops dlm_attr_ops = {
40794 .show = dlm_attr_show,
40795 .store = dlm_attr_store,
40796 };
40797 diff -urNp linux-2.6.32.43/fs/ecryptfs/inode.c linux-2.6.32.43/fs/ecryptfs/inode.c
40798 --- linux-2.6.32.43/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
40799 +++ linux-2.6.32.43/fs/ecryptfs/inode.c 2011-04-17 15:56:46.000000000 -0400
40800 @@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
40801 old_fs = get_fs();
40802 set_fs(get_ds());
40803 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
40804 - (char __user *)lower_buf,
40805 + (__force char __user *)lower_buf,
40806 lower_bufsiz);
40807 set_fs(old_fs);
40808 if (rc < 0)
40809 @@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
40810 }
40811 old_fs = get_fs();
40812 set_fs(get_ds());
40813 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
40814 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
40815 set_fs(old_fs);
40816 if (rc < 0)
40817 goto out_free;
40818 diff -urNp linux-2.6.32.43/fs/exec.c linux-2.6.32.43/fs/exec.c
40819 --- linux-2.6.32.43/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
40820 +++ linux-2.6.32.43/fs/exec.c 2011-07-06 19:53:33.000000000 -0400
40821 @@ -56,12 +56,24 @@
40822 #include <linux/fsnotify.h>
40823 #include <linux/fs_struct.h>
40824 #include <linux/pipe_fs_i.h>
40825 +#include <linux/random.h>
40826 +#include <linux/seq_file.h>
40827 +
40828 +#ifdef CONFIG_PAX_REFCOUNT
40829 +#include <linux/kallsyms.h>
40830 +#include <linux/kdebug.h>
40831 +#endif
40832
40833 #include <asm/uaccess.h>
40834 #include <asm/mmu_context.h>
40835 #include <asm/tlb.h>
40836 #include "internal.h"
40837
40838 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
40839 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
40840 +EXPORT_SYMBOL(pax_set_initial_flags_func);
40841 +#endif
40842 +
40843 int core_uses_pid;
40844 char core_pattern[CORENAME_MAX_SIZE] = "core";
40845 unsigned int core_pipe_limit;
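Review bot: `pax_set_initial_flags_func` is introduced as a writable, exported global function pointer with no comment on who assigns it, whether callers must test it for NULL, or how an assignment is ordered against a concurrent exec. A short block comment above the declaration covering those three points would make the contract reviewable, since the call site is not in this hunk. Because the pointer sits on the exec path, the comment should also say whether it is expected to stay writable after initialisation.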
40846 @@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
40847 goto out;
40848
40849 file = do_filp_open(AT_FDCWD, tmp,
40850 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
40851 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
40852 MAY_READ | MAY_EXEC | MAY_OPEN);
40853 putname(tmp);
40854 error = PTR_ERR(file);
40855 @@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
40856 int write)
40857 {
40858 struct page *page;
40859 - int ret;
40860
40861 -#ifdef CONFIG_STACK_GROWSUP
40862 - if (write) {
40863 - ret = expand_stack_downwards(bprm->vma, pos);
40864 - if (ret < 0)
40865 - return NULL;
40866 - }
40867 -#endif
40868 - ret = get_user_pages(current, bprm->mm, pos,
40869 - 1, write, 1, &page, NULL);
40870 - if (ret <= 0)
40871 + if (0 > expand_stack_downwards(bprm->vma, pos))
40872 + return NULL;
40873 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
40874 return NULL;
40875
40876 if (write) {
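Review bot: `expand_stack_downwards` is now called on every get_arg_page, including reads (`write == 0`) and builds without CONFIG_STACK_GROWSUP where the removed code never called it, and the hunk carries no comment explaining why the guard could go. If the unconditional call is intended, a one-line comment above it stating the reason would stop a later cleanup from restoring the old `#ifdef`. The reversed comparisons `0 > ...` and `0 >= ...` also depart from the style of the surrounding code; `if (expand_stack_downwards(bprm->vma, pos) < 0)` reads more naturally. The function starts above the hunk and continues below it.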
40877 @@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
40878 vma->vm_end = STACK_TOP_MAX;
40879 vma->vm_start = vma->vm_end - PAGE_SIZE;
40880 vma->vm_flags = VM_STACK_FLAGS;
40881 +
40882 +#ifdef CONFIG_PAX_SEGMEXEC
40883 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
40884 +#endif
40885 +
40886 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
40887
40888 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
40889 @@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
40890 mm->stack_vm = mm->total_vm = 1;
40891 up_write(&mm->mmap_sem);
40892 bprm->p = vma->vm_end - sizeof(void *);
40893 +
40894 +#ifdef CONFIG_PAX_RANDUSTACK
40895 + if (randomize_va_space)
40896 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
40897 +#endif
40898 +
40899 return 0;
40900 err:
40901 up_write(&mm->mmap_sem);
40902 @@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
40903 int r;
40904 mm_segment_t oldfs = get_fs();
40905 set_fs(KERNEL_DS);
40906 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
40907 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
40908 set_fs(oldfs);
40909 return r;
40910 }
40911 @@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
40912 unsigned long new_end = old_end - shift;
40913 struct mmu_gather *tlb;
40914
40915 - BUG_ON(new_start > new_end);
40916 + if (new_start >= new_end || new_start < mmap_min_addr)
40917 + return -ENOMEM;
40918
40919 /*
40920 * ensure there are no vmas between where we want to go
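Review bot: The new test in shift_arg_pages is not quite the check that the setup_arg_pages hunk below removes, and the difference is undocumented. The removed code rejected a stack whose shifted start would be at or below `mmap_min_addr` (`vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr`), while the new code rejects only `new_start < mmap_min_addr`. Because the relocated call is still wrapped in `if (stack_shift)`, the bound is no longer tested at all when no shift is needed. A comment above the test, e.g. `/* >= also catches unsigned wrap of new_start when shift exceeds the vma start */`, plus a word on whether the boundary change is intended, would make this reviewable. `new_start` is declared above the hunk, so its type is assumed to match `new_end`.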
40921 @@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
40922 if (vma != find_vma(mm, new_start))
40923 return -EFAULT;
40924
40925 +#ifdef CONFIG_PAX_SEGMEXEC
40926 + BUG_ON(pax_find_mirror_vma(vma));
40927 +#endif
40928 +
40929 /*
40930 * cover the whole range: [new_start, old_end)
40931 */
40932 @@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
40933 stack_top = arch_align_stack(stack_top);
40934 stack_top = PAGE_ALIGN(stack_top);
40935
40936 - if (unlikely(stack_top < mmap_min_addr) ||
40937 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
40938 - return -ENOMEM;
40939 -
40940 stack_shift = vma->vm_end - stack_top;
40941
40942 bprm->p -= stack_shift;
40943 @@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
40944 bprm->exec -= stack_shift;
40945
40946 down_write(&mm->mmap_sem);
40947 +
40948 + /* Move stack pages down in memory. */
40949 + if (stack_shift) {
40950 + ret = shift_arg_pages(vma, stack_shift);
40951 + if (ret)
40952 + goto out_unlock;
40953 + }
40954 +
40955 vm_flags = VM_STACK_FLAGS;
40956
40957 /*
40958 @@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
40959 vm_flags &= ~VM_EXEC;
40960 vm_flags |= mm->def_flags;
40961
40962 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
40963 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
40964 + vm_flags &= ~VM_EXEC;
40965 +
40966 +#ifdef CONFIG_PAX_MPROTECT
40967 + if (mm->pax_flags & MF_PAX_MPROTECT)
40968 + vm_flags &= ~VM_MAYEXEC;
40969 +#endif
40970 +
40971 + }
40972 +#endif
40973 +
40974 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
40975 vm_flags);
40976 if (ret)
40977 goto out_unlock;
40978 BUG_ON(prev != vma);
40979
40980 - /* Move stack pages down in memory. */
40981 - if (stack_shift) {
40982 - ret = shift_arg_pages(vma, stack_shift);
40983 - if (ret)
40984 - goto out_unlock;
40985 - }
40986 -
40987 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
40988 stack_size = vma->vm_end - vma->vm_start;
40989 /*
40990 @@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
40991 int err;
40992
40993 file = do_filp_open(AT_FDCWD, name,
40994 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
40995 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
40996 MAY_EXEC | MAY_OPEN);
40997 if (IS_ERR(file))
40998 goto out;
40999 @@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
41000 old_fs = get_fs();
41001 set_fs(get_ds());
41002 /* The cast to a user pointer is valid due to the set_fs() */
41003 - result = vfs_read(file, (void __user *)addr, count, &pos);
41004 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
41005 set_fs(old_fs);
41006 return result;
41007 }
41008 @@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
41009 }
41010 rcu_read_unlock();
41011
41012 - if (p->fs->users > n_fs) {
41013 + if (atomic_read(&p->fs->users) > n_fs) {
41014 bprm->unsafe |= LSM_UNSAFE_SHARE;
41015 } else {
41016 res = -EAGAIN;
41017 @@ -1347,6 +1376,11 @@ int do_execve(char * filename,
41018 char __user *__user *envp,
41019 struct pt_regs * regs)
41020 {
41021 +#ifdef CONFIG_GRKERNSEC
41022 + struct file *old_exec_file;
41023 + struct acl_subject_label *old_acl;
41024 + struct rlimit old_rlim[RLIM_NLIMITS];
41025 +#endif
41026 struct linux_binprm *bprm;
41027 struct file *file;
41028 struct files_struct *displaced;
41029 @@ -1383,6 +1417,23 @@ int do_execve(char * filename,
41030 bprm->filename = filename;
41031 bprm->interp = filename;
41032
41033 + if (gr_process_user_ban()) {
41034 + retval = -EPERM;
41035 + goto out_file;
41036 + }
41037 +
41038 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
41039 +
41040 + if (gr_handle_nproc()) {
41041 + retval = -EAGAIN;
41042 + goto out_file;
41043 + }
41044 +
41045 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
41046 + retval = -EACCES;
41047 + goto out_file;
41048 + }
41049 +
41050 retval = bprm_mm_init(bprm);
41051 if (retval)
41052 goto out_file;
41053 @@ -1412,10 +1463,41 @@ int do_execve(char * filename,
41054 if (retval < 0)
41055 goto out;
41056
41057 + if (!gr_tpe_allow(file)) {
41058 + retval = -EACCES;
41059 + goto out;
41060 + }
41061 +
41062 + if (gr_check_crash_exec(file)) {
41063 + retval = -EACCES;
41064 + goto out;
41065 + }
41066 +
41067 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
41068 +
41069 + gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
41070 +
41071 +#ifdef CONFIG_GRKERNSEC
41072 + old_acl = current->acl;
41073 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
41074 + old_exec_file = current->exec_file;
41075 + get_file(file);
41076 + current->exec_file = file;
41077 +#endif
41078 +
41079 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
41080 + bprm->unsafe & LSM_UNSAFE_SHARE);
41081 + if (retval < 0)
41082 + goto out_fail;
41083 +
41084 current->flags &= ~PF_KTHREAD;
41085 retval = search_binary_handler(bprm,regs);
41086 if (retval < 0)
41087 - goto out;
41088 + goto out_fail;
41089 +#ifdef CONFIG_GRKERNSEC
41090 + if (old_exec_file)
41091 + fput(old_exec_file);
41092 +#endif
41093
41094 /* execve succeeded */
41095 current->fs->in_exec = 0;
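Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` and the matching restore under `out_fail:` (hunk at -1426,6) copy the `signal->rlim` array with no lock visible in either hunk. `signal` is shared by the whole thread group, so a limit changed by another thread between snapshot and restore would be silently rolled back on a failed exec, and a concurrent writer could be copied half-updated. If the tree's setrlimit path serialises on `task_lock(current->group_leader)` (to be confirmed, it is not on this page), take the same lock around both copies: `task_lock(current->group_leader); memcpy(...); task_unlock(current->group_leader);`. do_execve() starts and ends outside the hunk.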
41096 @@ -1426,6 +1508,14 @@ int do_execve(char * filename,
41097 put_files_struct(displaced);
41098 return retval;
41099
41100 +out_fail:
41101 +#ifdef CONFIG_GRKERNSEC
41102 + current->acl = old_acl;
41103 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
41104 + fput(current->exec_file);
41105 + current->exec_file = old_exec_file;
41106 +#endif
41107 +
41108 out:
41109 if (bprm->mm) {
41110 acct_arg_size(bprm, 0);
41111 @@ -1591,6 +1681,220 @@ out:
41112 return ispipe;
41113 }
41114
41115 +int pax_check_flags(unsigned long *flags)
41116 +{
41117 + int retval = 0;
41118 +
41119 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
41120 + if (*flags & MF_PAX_SEGMEXEC)
41121 + {
41122 + *flags &= ~MF_PAX_SEGMEXEC;
41123 + retval = -EINVAL;
41124 + }
41125 +#endif
41126 +
41127 + if ((*flags & MF_PAX_PAGEEXEC)
41128 +
41129 +#ifdef CONFIG_PAX_PAGEEXEC
41130 + && (*flags & MF_PAX_SEGMEXEC)
41131 +#endif
41132 +
41133 + )
41134 + {
41135 + *flags &= ~MF_PAX_PAGEEXEC;
41136 + retval = -EINVAL;
41137 + }
41138 +
41139 + if ((*flags & MF_PAX_MPROTECT)
41140 +
41141 +#ifdef CONFIG_PAX_MPROTECT
41142 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41143 +#endif
41144 +
41145 + )
41146 + {
41147 + *flags &= ~MF_PAX_MPROTECT;
41148 + retval = -EINVAL;
41149 + }
41150 +
41151 + if ((*flags & MF_PAX_EMUTRAMP)
41152 +
41153 +#ifdef CONFIG_PAX_EMUTRAMP
41154 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
41155 +#endif
41156 +
41157 + )
41158 + {
41159 + *flags &= ~MF_PAX_EMUTRAMP;
41160 + retval = -EINVAL;
41161 + }
41162 +
41163 + return retval;
41164 +}
41165 +
41166 +EXPORT_SYMBOL(pax_check_flags);
41167 +
41168 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41169 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
41170 +{
41171 + struct task_struct *tsk = current;
41172 + struct mm_struct *mm = current->mm;
41173 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
41174 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
41175 + char *path_exec = NULL;
41176 + char *path_fault = NULL;
41177 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
41178 +
41179 + if (buffer_exec && buffer_fault) {
41180 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
41181 +
41182 + down_read(&mm->mmap_sem);
41183 + vma = mm->mmap;
41184 + while (vma && (!vma_exec || !vma_fault)) {
41185 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
41186 + vma_exec = vma;
41187 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
41188 + vma_fault = vma;
41189 + vma = vma->vm_next;
41190 + }
41191 + if (vma_exec) {
41192 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
41193 + if (IS_ERR(path_exec))
41194 + path_exec = "<path too long>";
41195 + else {
41196 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
41197 + if (path_exec) {
41198 + *path_exec = 0;
41199 + path_exec = buffer_exec;
41200 + } else
41201 + path_exec = "<path too long>";
41202 + }
41203 + }
41204 + if (vma_fault) {
41205 + start = vma_fault->vm_start;
41206 + end = vma_fault->vm_end;
41207 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
41208 + if (vma_fault->vm_file) {
41209 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
41210 + if (IS_ERR(path_fault))
41211 + path_fault = "<path too long>";
41212 + else {
41213 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
41214 + if (path_fault) {
41215 + *path_fault = 0;
41216 + path_fault = buffer_fault;
41217 + } else
41218 + path_fault = "<path too long>";
41219 + }
41220 + } else
41221 + path_fault = "<anonymous mapping>";
41222 + }
41223 + up_read(&mm->mmap_sem);
41224 + }
41225 + if (tsk->signal->curr_ip)
41226 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
41227 + else
41228 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
41229 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
41230 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
41231 + task_uid(tsk), task_euid(tsk), pc, sp);
41232 + free_page((unsigned long)buffer_exec);
41233 + free_page((unsigned long)buffer_fault);
41234 + pax_report_insns(pc, sp);
41235 + do_coredump(SIGKILL, SIGKILL, regs);
41236 +}
41237 +#endif
41238 +
41239 +#ifdef CONFIG_PAX_REFCOUNT
41240 +void pax_report_refcount_overflow(struct pt_regs *regs)
41241 +{
41242 + if (current->signal->curr_ip)
41243 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41244 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
41245 + else
41246 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
41247 + current->comm, task_pid_nr(current), current_uid(), current_euid());
41248 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
41249 + show_regs(regs);
41250 + force_sig_specific(SIGKILL, current);
41251 +}
41252 +#endif
41253 +
41254 +#ifdef CONFIG_PAX_USERCOPY
41255 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
41256 +int object_is_on_stack(const void *obj, unsigned long len)
41257 +{
41258 + const void * const stack = task_stack_page(current);
41259 + const void * const stackend = stack + THREAD_SIZE;
41260 +
41261 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41262 + const void *frame = NULL;
41263 + const void *oldframe;
41264 +#endif
41265 +
41266 + if (obj + len < obj)
41267 + return -1;
41268 +
41269 + if (obj + len <= stack || stackend <= obj)
41270 + return 0;
41271 +
41272 + if (obj < stack || stackend < obj + len)
41273 + return -1;
41274 +
41275 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
41276 + oldframe = __builtin_frame_address(1);
41277 + if (oldframe)
41278 + frame = __builtin_frame_address(2);
41279 + /*
41280 + low ----------------------------------------------> high
41281 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
41282 + ^----------------^
41283 + allow copies only within here
41284 + */
41285 + while (stack <= frame && frame < stackend) {
41286 + /* if obj + len extends past the last frame, this
41287 + check won't pass and the next frame will be 0,
41288 + causing us to bail out and correctly report
41289 + the copy as invalid
41290 + */
41291 + if (obj + len <= frame)
41292 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
41293 + oldframe = frame;
41294 + frame = *(const void * const *)frame;
41295 + }
41296 + return -1;
41297 +#else
41298 + return 1;
41299 +#endif
41300 +}
41301 +
41302 +
41303 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
41304 +{
41305 + if (current->signal->curr_ip)
41306 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41307 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41308 + else
41309 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
41310 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
41311 +
41312 + dump_stack();
41313 + gr_handle_kernel_exploit();
41314 + do_group_exit(SIGKILL);
41315 +}
41316 +#endif
41317 +
41318 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
41319 +void pax_track_stack(void)
41320 +{
41321 + unsigned long sp = (unsigned long)&sp;
41322 + if (sp < current_thread_info()->lowest_stack &&
41323 + sp > (unsigned long)task_stack_page(current))
41324 + current_thread_info()->lowest_stack = sp;
41325 +}
41326 +EXPORT_SYMBOL(pax_track_stack);
41327 +#endif
41328 +
41329 static int zap_process(struct task_struct *start)
41330 {
41331 struct task_struct *t;
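Review bot: In `object_is_on_stack()` the wrap guard `if (obj + len < obj)` does arithmetic on a `const void *`, where overflow is undefined, so a compiler may fold the comparison away unless the build disables that optimisation (not visible here). Doing the check on integers removes the dependency: `if ((unsigned long)obj + len < (unsigned long)obj) return -1;`. Separately, `pax_report_fault()` escapes both paths through `mangle_path(..., "\t\n\\")` but prints `tsk->comm` raw, and `pax_report_refcount_overflow()` does the same with `current->comm`. Because the task name is chosen by the task itself, a control character in it can split the `PAX:` record that log monitoring keys on, so it deserves the same escaping before it reaches `printk()`.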
41332 @@ -1793,17 +2097,17 @@ static void wait_for_dump_helpers(struct
41333 pipe = file->f_path.dentry->d_inode->i_pipe;
41334
41335 pipe_lock(pipe);
41336 - pipe->readers++;
41337 - pipe->writers--;
41338 + atomic_inc(&pipe->readers);
41339 + atomic_dec(&pipe->writers);
41340
41341 - while ((pipe->readers > 1) && (!signal_pending(current))) {
41342 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
41343 wake_up_interruptible_sync(&pipe->wait);
41344 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41345 pipe_wait(pipe);
41346 }
41347
41348 - pipe->readers--;
41349 - pipe->writers++;
41350 + atomic_dec(&pipe->readers);
41351 + atomic_inc(&pipe->writers);
41352 pipe_unlock(pipe);
41353
41354 }
41355 @@ -1826,10 +2130,13 @@ void do_coredump(long signr, int exit_co
41356 char **helper_argv = NULL;
41357 int helper_argc = 0;
41358 int dump_count = 0;
41359 - static atomic_t core_dump_count = ATOMIC_INIT(0);
41360 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
41361
41362 audit_core_dumps(signr);
41363
41364 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
41365 + gr_handle_brute_attach(current, mm->flags);
41366 +
41367 binfmt = mm->binfmt;
41368 if (!binfmt || !binfmt->core_dump)
41369 goto fail;
41370 @@ -1874,6 +2181,8 @@ void do_coredump(long signr, int exit_co
41371 */
41372 clear_thread_flag(TIF_SIGPENDING);
41373
41374 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
41375 +
41376 /*
41377 * lock_kernel() because format_corename() is controlled by sysctl, which
41378 * uses lock_kernel()
41379 @@ -1908,7 +2217,7 @@ void do_coredump(long signr, int exit_co
41380 goto fail_unlock;
41381 }
41382
41383 - dump_count = atomic_inc_return(&core_dump_count);
41384 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
41385 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
41386 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
41387 task_tgid_vnr(current), current->comm);
41388 @@ -1972,7 +2281,7 @@ close_fail:
41389 filp_close(file, NULL);
41390 fail_dropcount:
41391 if (dump_count)
41392 - atomic_dec(&core_dump_count);
41393 + atomic_dec_unchecked(&core_dump_count);
41394 fail_unlock:
41395 if (helper_argv)
41396 argv_free(helper_argv);
41397 diff -urNp linux-2.6.32.43/fs/ext2/balloc.c linux-2.6.32.43/fs/ext2/balloc.c
41398 --- linux-2.6.32.43/fs/ext2/balloc.c 2011-03-27 14:31:47.000000000 -0400
41399 +++ linux-2.6.32.43/fs/ext2/balloc.c 2011-04-17 15:56:46.000000000 -0400
41400 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
41401
41402 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
41403 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
41404 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
41405 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
41406 sbi->s_resuid != current_fsuid() &&
41407 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
41408 return 0;
41409 diff -urNp linux-2.6.32.43/fs/ext3/balloc.c linux-2.6.32.43/fs/ext3/balloc.c
41410 --- linux-2.6.32.43/fs/ext3/balloc.c 2011-03-27 14:31:47.000000000 -0400
41411 +++ linux-2.6.32.43/fs/ext3/balloc.c 2011-04-17 15:56:46.000000000 -0400
41412 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
41413
41414 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
41415 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
41416 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
41417 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
41418 sbi->s_resuid != current_fsuid() &&
41419 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
41420 return 0;
41421 diff -urNp linux-2.6.32.43/fs/ext4/balloc.c linux-2.6.32.43/fs/ext4/balloc.c
41422 --- linux-2.6.32.43/fs/ext4/balloc.c 2011-03-27 14:31:47.000000000 -0400
41423 +++ linux-2.6.32.43/fs/ext4/balloc.c 2011-04-17 15:56:46.000000000 -0400
41424 @@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
41425 /* Hm, nope. Are (enough) root reserved blocks available? */
41426 if (sbi->s_resuid == current_fsuid() ||
41427 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
41428 - capable(CAP_SYS_RESOURCE)) {
41429 + capable_nolog(CAP_SYS_RESOURCE)) {
41430 if (free_blocks >= (nblocks + dirty_blocks))
41431 return 1;
41432 }
41433 diff -urNp linux-2.6.32.43/fs/ext4/ext4.h linux-2.6.32.43/fs/ext4/ext4.h
41434 --- linux-2.6.32.43/fs/ext4/ext4.h 2011-03-27 14:31:47.000000000 -0400
41435 +++ linux-2.6.32.43/fs/ext4/ext4.h 2011-04-17 15:56:46.000000000 -0400
41436 @@ -1078,19 +1078,19 @@ struct ext4_sb_info {
41437
41438 /* stats for buddy allocator */
41439 spinlock_t s_mb_pa_lock;
41440 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
41441 - atomic_t s_bal_success; /* we found long enough chunks */
41442 - atomic_t s_bal_allocated; /* in blocks */
41443 - atomic_t s_bal_ex_scanned; /* total extents scanned */
41444 - atomic_t s_bal_goals; /* goal hits */
41445 - atomic_t s_bal_breaks; /* too long searches */
41446 - atomic_t s_bal_2orders; /* 2^order hits */
41447 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
41448 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
41449 + atomic_unchecked_t s_bal_allocated; /* in blocks */
41450 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
41451 + atomic_unchecked_t s_bal_goals; /* goal hits */
41452 + atomic_unchecked_t s_bal_breaks; /* too long searches */
41453 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
41454 spinlock_t s_bal_lock;
41455 unsigned long s_mb_buddies_generated;
41456 unsigned long long s_mb_generation_time;
41457 - atomic_t s_mb_lost_chunks;
41458 - atomic_t s_mb_preallocated;
41459 - atomic_t s_mb_discarded;
41460 + atomic_unchecked_t s_mb_lost_chunks;
41461 + atomic_unchecked_t s_mb_preallocated;
41462 + atomic_unchecked_t s_mb_discarded;
41463 atomic_t s_lock_busy;
41464
41465 /* locality groups */
41466 diff -urNp linux-2.6.32.43/fs/ext4/mballoc.c linux-2.6.32.43/fs/ext4/mballoc.c
41467 --- linux-2.6.32.43/fs/ext4/mballoc.c 2011-06-25 12:55:34.000000000 -0400
41468 +++ linux-2.6.32.43/fs/ext4/mballoc.c 2011-06-25 12:56:37.000000000 -0400
41469 @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
41470 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
41471
41472 if (EXT4_SB(sb)->s_mb_stats)
41473 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
41474 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
41475
41476 break;
41477 }
41478 @@ -2131,7 +2131,7 @@ repeat:
41479 ac->ac_status = AC_STATUS_CONTINUE;
41480 ac->ac_flags |= EXT4_MB_HINT_FIRST;
41481 cr = 3;
41482 - atomic_inc(&sbi->s_mb_lost_chunks);
41483 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
41484 goto repeat;
41485 }
41486 }
41487 @@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
41488 ext4_grpblk_t counters[16];
41489 } sg;
41490
41491 + pax_track_stack();
41492 +
41493 group--;
41494 if (group == 0)
41495 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
41496 @@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
41497 if (sbi->s_mb_stats) {
41498 printk(KERN_INFO
41499 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
41500 - atomic_read(&sbi->s_bal_allocated),
41501 - atomic_read(&sbi->s_bal_reqs),
41502 - atomic_read(&sbi->s_bal_success));
41503 + atomic_read_unchecked(&sbi->s_bal_allocated),
41504 + atomic_read_unchecked(&sbi->s_bal_reqs),
41505 + atomic_read_unchecked(&sbi->s_bal_success));
41506 printk(KERN_INFO
41507 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
41508 "%u 2^N hits, %u breaks, %u lost\n",
41509 - atomic_read(&sbi->s_bal_ex_scanned),
41510 - atomic_read(&sbi->s_bal_goals),
41511 - atomic_read(&sbi->s_bal_2orders),
41512 - atomic_read(&sbi->s_bal_breaks),
41513 - atomic_read(&sbi->s_mb_lost_chunks));
41514 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
41515 + atomic_read_unchecked(&sbi->s_bal_goals),
41516 + atomic_read_unchecked(&sbi->s_bal_2orders),
41517 + atomic_read_unchecked(&sbi->s_bal_breaks),
41518 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
41519 printk(KERN_INFO
41520 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
41521 sbi->s_mb_buddies_generated++,
41522 sbi->s_mb_generation_time);
41523 printk(KERN_INFO
41524 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
41525 - atomic_read(&sbi->s_mb_preallocated),
41526 - atomic_read(&sbi->s_mb_discarded));
41527 + atomic_read_unchecked(&sbi->s_mb_preallocated),
41528 + atomic_read_unchecked(&sbi->s_mb_discarded));
41529 }
41530
41531 free_percpu(sbi->s_locality_groups);
41532 @@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
41533 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
41534
41535 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
41536 - atomic_inc(&sbi->s_bal_reqs);
41537 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
41538 + atomic_inc_unchecked(&sbi->s_bal_reqs);
41539 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
41540 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
41541 - atomic_inc(&sbi->s_bal_success);
41542 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
41543 + atomic_inc_unchecked(&sbi->s_bal_success);
41544 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
41545 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
41546 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
41547 - atomic_inc(&sbi->s_bal_goals);
41548 + atomic_inc_unchecked(&sbi->s_bal_goals);
41549 if (ac->ac_found > sbi->s_mb_max_to_scan)
41550 - atomic_inc(&sbi->s_bal_breaks);
41551 + atomic_inc_unchecked(&sbi->s_bal_breaks);
41552 }
41553
41554 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
41555 @@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
41556 trace_ext4_mb_new_inode_pa(ac, pa);
41557
41558 ext4_mb_use_inode_pa(ac, pa);
41559 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41560 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41561
41562 ei = EXT4_I(ac->ac_inode);
41563 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
41564 @@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
41565 trace_ext4_mb_new_group_pa(ac, pa);
41566
41567 ext4_mb_use_group_pa(ac, pa);
41568 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41569 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
41570
41571 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
41572 lg = ac->ac_lg;
41573 @@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
41574 * from the bitmap and continue.
41575 */
41576 }
41577 - atomic_add(free, &sbi->s_mb_discarded);
41578 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
41579
41580 return err;
41581 }
41582 @@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
41583 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
41584 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
41585 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
41586 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
41587 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
41588
41589 if (ac) {
41590 ac->ac_sb = sb;
41591 diff -urNp linux-2.6.32.43/fs/ext4/super.c linux-2.6.32.43/fs/ext4/super.c
41592 --- linux-2.6.32.43/fs/ext4/super.c 2011-03-27 14:31:47.000000000 -0400
41593 +++ linux-2.6.32.43/fs/ext4/super.c 2011-04-17 15:56:46.000000000 -0400
41594 @@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
41595 }
41596
41597
41598 -static struct sysfs_ops ext4_attr_ops = {
41599 +static const struct sysfs_ops ext4_attr_ops = {
41600 .show = ext4_attr_show,
41601 .store = ext4_attr_store,
41602 };
41603 diff -urNp linux-2.6.32.43/fs/fcntl.c linux-2.6.32.43/fs/fcntl.c
41604 --- linux-2.6.32.43/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
41605 +++ linux-2.6.32.43/fs/fcntl.c 2011-04-17 15:56:46.000000000 -0400
41606 @@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
41607 if (err)
41608 return err;
41609
41610 + if (gr_handle_chroot_fowner(pid, type))
41611 + return -ENOENT;
41612 + if (gr_check_protected_task_fowner(pid, type))
41613 + return -EACCES;
41614 +
41615 f_modown(filp, pid, type, force);
41616 return 0;
41617 }
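Review bot: Both new checks receive `pid` straight from the caller, and nothing in the hunk shows whether it can be NULL at this point. If the owner can be cleared through this path (to be confirmed in the callers, which are outside the hunk), `gr_handle_chroot_fowner()` and `gr_check_protected_task_fowner()` must either tolerate a NULL `pid` or be skipped for it, e.g. `if (pid && gr_handle_chroot_fowner(pid, type))`. The two denials also return different errnos without explanation; a comment such as `/* -ENOENT: report a target outside the chroot as if it did not exist */` would record the intent, if that is the reason. __f_setown() begins outside the hunk.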
41618 @@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
41619 switch (cmd) {
41620 case F_DUPFD:
41621 case F_DUPFD_CLOEXEC:
41622 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
41623 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
41624 break;
41625 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
41626 diff -urNp linux-2.6.32.43/fs/fifo.c linux-2.6.32.43/fs/fifo.c
41627 --- linux-2.6.32.43/fs/fifo.c 2011-03-27 14:31:47.000000000 -0400
41628 +++ linux-2.6.32.43/fs/fifo.c 2011-04-17 15:56:46.000000000 -0400
41629 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
41630 */
41631 filp->f_op = &read_pipefifo_fops;
41632 pipe->r_counter++;
41633 - if (pipe->readers++ == 0)
41634 + if (atomic_inc_return(&pipe->readers) == 1)
41635 wake_up_partner(inode);
41636
41637 - if (!pipe->writers) {
41638 + if (!atomic_read(&pipe->writers)) {
41639 if ((filp->f_flags & O_NONBLOCK)) {
41640 /* suppress POLLHUP until we have
41641 * seen a writer */
41642 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
41643 * errno=ENXIO when there is no process reading the FIFO.
41644 */
41645 ret = -ENXIO;
41646 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
41647 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
41648 goto err;
41649
41650 filp->f_op = &write_pipefifo_fops;
41651 pipe->w_counter++;
41652 - if (!pipe->writers++)
41653 + if (atomic_inc_return(&pipe->writers) == 1)
41654 wake_up_partner(inode);
41655
41656 - if (!pipe->readers) {
41657 + if (!atomic_read(&pipe->readers)) {
41658 wait_for_partner(inode, &pipe->r_counter);
41659 if (signal_pending(current))
41660 goto err_wr;
41661 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
41662 */
41663 filp->f_op = &rdwr_pipefifo_fops;
41664
41665 - pipe->readers++;
41666 - pipe->writers++;
41667 + atomic_inc(&pipe->readers);
41668 + atomic_inc(&pipe->writers);
41669 pipe->r_counter++;
41670 pipe->w_counter++;
41671 - if (pipe->readers == 1 || pipe->writers == 1)
41672 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
41673 wake_up_partner(inode);
41674 break;
41675
41676 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
41677 return 0;
41678
41679 err_rd:
41680 - if (!--pipe->readers)
41681 + if (atomic_dec_and_test(&pipe->readers))
41682 wake_up_interruptible(&pipe->wait);
41683 ret = -ERESTARTSYS;
41684 goto err;
41685
41686 err_wr:
41687 - if (!--pipe->writers)
41688 + if (atomic_dec_and_test(&pipe->writers))
41689 wake_up_interruptible(&pipe->wait);
41690 ret = -ERESTARTSYS;
41691 goto err;
41692
41693 err:
41694 - if (!pipe->readers && !pipe->writers)
41695 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
41696 free_pipe_info(inode);
41697
41698 err_nocleanup:
41699 diff -urNp linux-2.6.32.43/fs/file.c linux-2.6.32.43/fs/file.c
41700 --- linux-2.6.32.43/fs/file.c 2011-03-27 14:31:47.000000000 -0400
41701 +++ linux-2.6.32.43/fs/file.c 2011-04-17 15:56:46.000000000 -0400
41702 @@ -14,6 +14,7 @@
41703 #include <linux/slab.h>
41704 #include <linux/vmalloc.h>
41705 #include <linux/file.h>
41706 +#include <linux/security.h>
41707 #include <linux/fdtable.h>
41708 #include <linux/bitops.h>
41709 #include <linux/interrupt.h>
41710 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
41711 * N.B. For clone tasks sharing a files structure, this test
41712 * will limit the total number of files that can be opened.
41713 */
41714 +
41715 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
41716 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
41717 return -EMFILE;
41718
41719 diff -urNp linux-2.6.32.43/fs/filesystems.c linux-2.6.32.43/fs/filesystems.c
41720 --- linux-2.6.32.43/fs/filesystems.c 2011-03-27 14:31:47.000000000 -0400
41721 +++ linux-2.6.32.43/fs/filesystems.c 2011-04-17 15:56:46.000000000 -0400
41722 @@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
41723 int len = dot ? dot - name : strlen(name);
41724
41725 fs = __get_fs_type(name, len);
41726 +
41727 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
41728 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
41729 +#else
41730 if (!fs && (request_module("%.*s", len, name) == 0))
41731 +#endif
41732 fs = __get_fs_type(name, len);
41733
41734 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
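Review bot: The two alternative `if` heads under `#ifdef CONFIG_GRKERNSEC_MODHARDEN` / `#else` share the single statement `fs = __get_fs_type(name, len);` that follows `#endif`, so an edit to either branch can silently detach the body or change which statement is conditional. Keeping one `if (!fs)` and putting only the module-request call under the preprocessor preserves the short-circuit (no request when the type is already registered) and leaves one body to maintain. get_fs_type() starts before and ends after this hunk.

```c
	fs = __get_fs_type(name, len);
	if (!fs) {
		int rc;

#ifdef CONFIG_GRKERNSEC_MODHARDEN
		rc = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		rc = request_module("%.*s", len, name);
#endif
		if (rc == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: FS_HAS_SUBTYPE handling … */
```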
41735 diff -urNp linux-2.6.32.43/fs/fscache/cookie.c linux-2.6.32.43/fs/fscache/cookie.c
41736 --- linux-2.6.32.43/fs/fscache/cookie.c 2011-03-27 14:31:47.000000000 -0400
41737 +++ linux-2.6.32.43/fs/fscache/cookie.c 2011-05-04 17:56:28.000000000 -0400
41738 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
41739 parent ? (char *) parent->def->name : "<no-parent>",
41740 def->name, netfs_data);
41741
41742 - fscache_stat(&fscache_n_acquires);
41743 + fscache_stat_unchecked(&fscache_n_acquires);
41744
41745 /* if there's no parent cookie, then we don't create one here either */
41746 if (!parent) {
41747 - fscache_stat(&fscache_n_acquires_null);
41748 + fscache_stat_unchecked(&fscache_n_acquires_null);
41749 _leave(" [no parent]");
41750 return NULL;
41751 }
41752 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
41753 /* allocate and initialise a cookie */
41754 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
41755 if (!cookie) {
41756 - fscache_stat(&fscache_n_acquires_oom);
41757 + fscache_stat_unchecked(&fscache_n_acquires_oom);
41758 _leave(" [ENOMEM]");
41759 return NULL;
41760 }
41761 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
41762
41763 switch (cookie->def->type) {
41764 case FSCACHE_COOKIE_TYPE_INDEX:
41765 - fscache_stat(&fscache_n_cookie_index);
41766 + fscache_stat_unchecked(&fscache_n_cookie_index);
41767 break;
41768 case FSCACHE_COOKIE_TYPE_DATAFILE:
41769 - fscache_stat(&fscache_n_cookie_data);
41770 + fscache_stat_unchecked(&fscache_n_cookie_data);
41771 break;
41772 default:
41773 - fscache_stat(&fscache_n_cookie_special);
41774 + fscache_stat_unchecked(&fscache_n_cookie_special);
41775 break;
41776 }
41777
41778 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
41779 if (fscache_acquire_non_index_cookie(cookie) < 0) {
41780 atomic_dec(&parent->n_children);
41781 __fscache_cookie_put(cookie);
41782 - fscache_stat(&fscache_n_acquires_nobufs);
41783 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
41784 _leave(" = NULL");
41785 return NULL;
41786 }
41787 }
41788
41789 - fscache_stat(&fscache_n_acquires_ok);
41790 + fscache_stat_unchecked(&fscache_n_acquires_ok);
41791 _leave(" = %p", cookie);
41792 return cookie;
41793 }
41794 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
41795 cache = fscache_select_cache_for_object(cookie->parent);
41796 if (!cache) {
41797 up_read(&fscache_addremove_sem);
41798 - fscache_stat(&fscache_n_acquires_no_cache);
41799 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
41800 _leave(" = -ENOMEDIUM [no cache]");
41801 return -ENOMEDIUM;
41802 }
41803 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
41804 object = cache->ops->alloc_object(cache, cookie);
41805 fscache_stat_d(&fscache_n_cop_alloc_object);
41806 if (IS_ERR(object)) {
41807 - fscache_stat(&fscache_n_object_no_alloc);
41808 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
41809 ret = PTR_ERR(object);
41810 goto error;
41811 }
41812
41813 - fscache_stat(&fscache_n_object_alloc);
41814 + fscache_stat_unchecked(&fscache_n_object_alloc);
41815
41816 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
41817
41818 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
41819 struct fscache_object *object;
41820 struct hlist_node *_p;
41821
41822 - fscache_stat(&fscache_n_updates);
41823 + fscache_stat_unchecked(&fscache_n_updates);
41824
41825 if (!cookie) {
41826 - fscache_stat(&fscache_n_updates_null);
41827 + fscache_stat_unchecked(&fscache_n_updates_null);
41828 _leave(" [no cookie]");
41829 return;
41830 }
41831 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
41832 struct fscache_object *object;
41833 unsigned long event;
41834
41835 - fscache_stat(&fscache_n_relinquishes);
41836 + fscache_stat_unchecked(&fscache_n_relinquishes);
41837 if (retire)
41838 - fscache_stat(&fscache_n_relinquishes_retire);
41839 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
41840
41841 if (!cookie) {
41842 - fscache_stat(&fscache_n_relinquishes_null);
41843 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
41844 _leave(" [no cookie]");
41845 return;
41846 }
41847 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
41848
41849 /* wait for the cookie to finish being instantiated (or to fail) */
41850 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
41851 - fscache_stat(&fscache_n_relinquishes_waitcrt);
41852 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
41853 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
41854 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
41855 }
41856 diff -urNp linux-2.6.32.43/fs/fscache/internal.h linux-2.6.32.43/fs/fscache/internal.h
41857 --- linux-2.6.32.43/fs/fscache/internal.h 2011-03-27 14:31:47.000000000 -0400
41858 +++ linux-2.6.32.43/fs/fscache/internal.h 2011-05-04 17:56:28.000000000 -0400
41859 @@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
41860 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
41861 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
41862
41863 -extern atomic_t fscache_n_op_pend;
41864 -extern atomic_t fscache_n_op_run;
41865 -extern atomic_t fscache_n_op_enqueue;
41866 -extern atomic_t fscache_n_op_deferred_release;
41867 -extern atomic_t fscache_n_op_release;
41868 -extern atomic_t fscache_n_op_gc;
41869 -extern atomic_t fscache_n_op_cancelled;
41870 -extern atomic_t fscache_n_op_rejected;
41871 -
41872 -extern atomic_t fscache_n_attr_changed;
41873 -extern atomic_t fscache_n_attr_changed_ok;
41874 -extern atomic_t fscache_n_attr_changed_nobufs;
41875 -extern atomic_t fscache_n_attr_changed_nomem;
41876 -extern atomic_t fscache_n_attr_changed_calls;
41877 -
41878 -extern atomic_t fscache_n_allocs;
41879 -extern atomic_t fscache_n_allocs_ok;
41880 -extern atomic_t fscache_n_allocs_wait;
41881 -extern atomic_t fscache_n_allocs_nobufs;
41882 -extern atomic_t fscache_n_allocs_intr;
41883 -extern atomic_t fscache_n_allocs_object_dead;
41884 -extern atomic_t fscache_n_alloc_ops;
41885 -extern atomic_t fscache_n_alloc_op_waits;
41886 -
41887 -extern atomic_t fscache_n_retrievals;
41888 -extern atomic_t fscache_n_retrievals_ok;
41889 -extern atomic_t fscache_n_retrievals_wait;
41890 -extern atomic_t fscache_n_retrievals_nodata;
41891 -extern atomic_t fscache_n_retrievals_nobufs;
41892 -extern atomic_t fscache_n_retrievals_intr;
41893 -extern atomic_t fscache_n_retrievals_nomem;
41894 -extern atomic_t fscache_n_retrievals_object_dead;
41895 -extern atomic_t fscache_n_retrieval_ops;
41896 -extern atomic_t fscache_n_retrieval_op_waits;
41897 -
41898 -extern atomic_t fscache_n_stores;
41899 -extern atomic_t fscache_n_stores_ok;
41900 -extern atomic_t fscache_n_stores_again;
41901 -extern atomic_t fscache_n_stores_nobufs;
41902 -extern atomic_t fscache_n_stores_oom;
41903 -extern atomic_t fscache_n_store_ops;
41904 -extern atomic_t fscache_n_store_calls;
41905 -extern atomic_t fscache_n_store_pages;
41906 -extern atomic_t fscache_n_store_radix_deletes;
41907 -extern atomic_t fscache_n_store_pages_over_limit;
41908 -
41909 -extern atomic_t fscache_n_store_vmscan_not_storing;
41910 -extern atomic_t fscache_n_store_vmscan_gone;
41911 -extern atomic_t fscache_n_store_vmscan_busy;
41912 -extern atomic_t fscache_n_store_vmscan_cancelled;
41913 -
41914 -extern atomic_t fscache_n_marks;
41915 -extern atomic_t fscache_n_uncaches;
41916 -
41917 -extern atomic_t fscache_n_acquires;
41918 -extern atomic_t fscache_n_acquires_null;
41919 -extern atomic_t fscache_n_acquires_no_cache;
41920 -extern atomic_t fscache_n_acquires_ok;
41921 -extern atomic_t fscache_n_acquires_nobufs;
41922 -extern atomic_t fscache_n_acquires_oom;
41923 -
41924 -extern atomic_t fscache_n_updates;
41925 -extern atomic_t fscache_n_updates_null;
41926 -extern atomic_t fscache_n_updates_run;
41927 -
41928 -extern atomic_t fscache_n_relinquishes;
41929 -extern atomic_t fscache_n_relinquishes_null;
41930 -extern atomic_t fscache_n_relinquishes_waitcrt;
41931 -extern atomic_t fscache_n_relinquishes_retire;
41932 -
41933 -extern atomic_t fscache_n_cookie_index;
41934 -extern atomic_t fscache_n_cookie_data;
41935 -extern atomic_t fscache_n_cookie_special;
41936 -
41937 -extern atomic_t fscache_n_object_alloc;
41938 -extern atomic_t fscache_n_object_no_alloc;
41939 -extern atomic_t fscache_n_object_lookups;
41940 -extern atomic_t fscache_n_object_lookups_negative;
41941 -extern atomic_t fscache_n_object_lookups_positive;
41942 -extern atomic_t fscache_n_object_lookups_timed_out;
41943 -extern atomic_t fscache_n_object_created;
41944 -extern atomic_t fscache_n_object_avail;
41945 -extern atomic_t fscache_n_object_dead;
41946 -
41947 -extern atomic_t fscache_n_checkaux_none;
41948 -extern atomic_t fscache_n_checkaux_okay;
41949 -extern atomic_t fscache_n_checkaux_update;
41950 -extern atomic_t fscache_n_checkaux_obsolete;
41951 +extern atomic_unchecked_t fscache_n_op_pend;
41952 +extern atomic_unchecked_t fscache_n_op_run;
41953 +extern atomic_unchecked_t fscache_n_op_enqueue;
41954 +extern atomic_unchecked_t fscache_n_op_deferred_release;
41955 +extern atomic_unchecked_t fscache_n_op_release;
41956 +extern atomic_unchecked_t fscache_n_op_gc;
41957 +extern atomic_unchecked_t fscache_n_op_cancelled;
41958 +extern atomic_unchecked_t fscache_n_op_rejected;
41959 +
41960 +extern atomic_unchecked_t fscache_n_attr_changed;
41961 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
41962 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
41963 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
41964 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
41965 +
41966 +extern atomic_unchecked_t fscache_n_allocs;
41967 +extern atomic_unchecked_t fscache_n_allocs_ok;
41968 +extern atomic_unchecked_t fscache_n_allocs_wait;
41969 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
41970 +extern atomic_unchecked_t fscache_n_allocs_intr;
41971 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
41972 +extern atomic_unchecked_t fscache_n_alloc_ops;
41973 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
41974 +
41975 +extern atomic_unchecked_t fscache_n_retrievals;
41976 +extern atomic_unchecked_t fscache_n_retrievals_ok;
41977 +extern atomic_unchecked_t fscache_n_retrievals_wait;
41978 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
41979 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
41980 +extern atomic_unchecked_t fscache_n_retrievals_intr;
41981 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
41982 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
41983 +extern atomic_unchecked_t fscache_n_retrieval_ops;
41984 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
41985 +
41986 +extern atomic_unchecked_t fscache_n_stores;
41987 +extern atomic_unchecked_t fscache_n_stores_ok;
41988 +extern atomic_unchecked_t fscache_n_stores_again;
41989 +extern atomic_unchecked_t fscache_n_stores_nobufs;
41990 +extern atomic_unchecked_t fscache_n_stores_oom;
41991 +extern atomic_unchecked_t fscache_n_store_ops;
41992 +extern atomic_unchecked_t fscache_n_store_calls;
41993 +extern atomic_unchecked_t fscache_n_store_pages;
41994 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
41995 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
41996 +
41997 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
41998 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
41999 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
42000 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
42001 +
42002 +extern atomic_unchecked_t fscache_n_marks;
42003 +extern atomic_unchecked_t fscache_n_uncaches;
42004 +
42005 +extern atomic_unchecked_t fscache_n_acquires;
42006 +extern atomic_unchecked_t fscache_n_acquires_null;
42007 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
42008 +extern atomic_unchecked_t fscache_n_acquires_ok;
42009 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
42010 +extern atomic_unchecked_t fscache_n_acquires_oom;
42011 +
42012 +extern atomic_unchecked_t fscache_n_updates;
42013 +extern atomic_unchecked_t fscache_n_updates_null;
42014 +extern atomic_unchecked_t fscache_n_updates_run;
42015 +
42016 +extern atomic_unchecked_t fscache_n_relinquishes;
42017 +extern atomic_unchecked_t fscache_n_relinquishes_null;
42018 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
42019 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
42020 +
42021 +extern atomic_unchecked_t fscache_n_cookie_index;
42022 +extern atomic_unchecked_t fscache_n_cookie_data;
42023 +extern atomic_unchecked_t fscache_n_cookie_special;
42024 +
42025 +extern atomic_unchecked_t fscache_n_object_alloc;
42026 +extern atomic_unchecked_t fscache_n_object_no_alloc;
42027 +extern atomic_unchecked_t fscache_n_object_lookups;
42028 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
42029 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
42030 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
42031 +extern atomic_unchecked_t fscache_n_object_created;
42032 +extern atomic_unchecked_t fscache_n_object_avail;
42033 +extern atomic_unchecked_t fscache_n_object_dead;
42034 +
42035 +extern atomic_unchecked_t fscache_n_checkaux_none;
42036 +extern atomic_unchecked_t fscache_n_checkaux_okay;
42037 +extern atomic_unchecked_t fscache_n_checkaux_update;
42038 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
42039
42040 extern atomic_t fscache_n_cop_alloc_object;
42041 extern atomic_t fscache_n_cop_lookup_object;
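Review bot: The converted block of `extern atomic_unchecked_t` declarations carries no comment explaining why these counters are exempt from overflow checking while `fscache_n_cop_alloc_object` and the other `fscache_n_cop_*` counters just below stay `atomic_t`. I would add above the block something like `/* statistics only: these counters may wrap harmlessly; never use the unchecked type for a real reference count */`, and repeat the same sentence on the `fscache_stat_unchecked()` helper added in the next hunk, so that nobody later moves an object or operation usage count to the unchecked API to silence an overflow report. The per-thread `fscache_n_ops_processed[]` and `fscache_n_objs_processed[]` arrays at the top of the hunk also remain `atomic_t`; if they are increment-only statistics as well, it is worth confirming that leaving them checked is intentional. That the exemption relates to refcount overflow detection is inferred from the `_unchecked` naming, not shown in these lines.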
42042 @@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
42043 atomic_inc(stat);
42044 }
42045
42046 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
42047 +{
42048 + atomic_inc_unchecked(stat);
42049 +}
42050 +
42051 static inline void fscache_stat_d(atomic_t *stat)
42052 {
42053 atomic_dec(stat);
42054 @@ -259,6 +264,7 @@ extern const struct file_operations fsca
42055
42056 #define __fscache_stat(stat) (NULL)
42057 #define fscache_stat(stat) do {} while (0)
42058 +#define fscache_stat_unchecked(stat) do {} while (0)
42059 #define fscache_stat_d(stat) do {} while (0)
42060 #endif
42061
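Review bot: The stub `#define fscache_stat_unchecked(stat) do {} while (0)` discards its argument, so in a build that takes this branch a call that passes an `atomic_t *` to the unchecked helper (or an `atomic_unchecked_t *` to `fscache_stat`) compiles silently. Since the patch now depends on the two counter types being kept apart, the conversion should be compile-tested with the statistics branch enabled, presumably `CONFIG_FSCACHE_STATS` as used in page.c. A short comment above the stubs such as `/* stubs do not type-check their argument: build with stats enabled after changing counter types */` would record that. The `#if` that this `#endif` closes starts outside the hunk.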
42062 diff -urNp linux-2.6.32.43/fs/fscache/object.c linux-2.6.32.43/fs/fscache/object.c
42063 --- linux-2.6.32.43/fs/fscache/object.c 2011-03-27 14:31:47.000000000 -0400
42064 +++ linux-2.6.32.43/fs/fscache/object.c 2011-05-04 17:56:28.000000000 -0400
42065 @@ -144,7 +144,7 @@ static void fscache_object_state_machine
42066 /* update the object metadata on disk */
42067 case FSCACHE_OBJECT_UPDATING:
42068 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
42069 - fscache_stat(&fscache_n_updates_run);
42070 + fscache_stat_unchecked(&fscache_n_updates_run);
42071 fscache_stat(&fscache_n_cop_update_object);
42072 object->cache->ops->update_object(object);
42073 fscache_stat_d(&fscache_n_cop_update_object);
42074 @@ -233,7 +233,7 @@ static void fscache_object_state_machine
42075 spin_lock(&object->lock);
42076 object->state = FSCACHE_OBJECT_DEAD;
42077 spin_unlock(&object->lock);
42078 - fscache_stat(&fscache_n_object_dead);
42079 + fscache_stat_unchecked(&fscache_n_object_dead);
42080 goto terminal_transit;
42081
42082 /* handle the parent cache of this object being withdrawn from
42083 @@ -248,7 +248,7 @@ static void fscache_object_state_machine
42084 spin_lock(&object->lock);
42085 object->state = FSCACHE_OBJECT_DEAD;
42086 spin_unlock(&object->lock);
42087 - fscache_stat(&fscache_n_object_dead);
42088 + fscache_stat_unchecked(&fscache_n_object_dead);
42089 goto terminal_transit;
42090
42091 /* complain about the object being woken up once it is
42092 @@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
42093 parent->cookie->def->name, cookie->def->name,
42094 object->cache->tag->name);
42095
42096 - fscache_stat(&fscache_n_object_lookups);
42097 + fscache_stat_unchecked(&fscache_n_object_lookups);
42098 fscache_stat(&fscache_n_cop_lookup_object);
42099 ret = object->cache->ops->lookup_object(object);
42100 fscache_stat_d(&fscache_n_cop_lookup_object);
42101 @@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
42102 if (ret == -ETIMEDOUT) {
42103 /* probably stuck behind another object, so move this one to
42104 * the back of the queue */
42105 - fscache_stat(&fscache_n_object_lookups_timed_out);
42106 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
42107 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42108 }
42109
42110 @@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
42111
42112 spin_lock(&object->lock);
42113 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42114 - fscache_stat(&fscache_n_object_lookups_negative);
42115 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
42116
42117 /* transit here to allow write requests to begin stacking up
42118 * and read requests to begin returning ENODATA */
42119 @@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
42120 * result, in which case there may be data available */
42121 spin_lock(&object->lock);
42122 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
42123 - fscache_stat(&fscache_n_object_lookups_positive);
42124 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
42125
42126 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
42127
42128 @@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
42129 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
42130 } else {
42131 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
42132 - fscache_stat(&fscache_n_object_created);
42133 + fscache_stat_unchecked(&fscache_n_object_created);
42134
42135 object->state = FSCACHE_OBJECT_AVAILABLE;
42136 spin_unlock(&object->lock);
42137 @@ -633,7 +633,7 @@ static void fscache_object_available(str
42138 fscache_enqueue_dependents(object);
42139
42140 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
42141 - fscache_stat(&fscache_n_object_avail);
42142 + fscache_stat_unchecked(&fscache_n_object_avail);
42143
42144 _leave("");
42145 }
42146 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
42147 enum fscache_checkaux result;
42148
42149 if (!object->cookie->def->check_aux) {
42150 - fscache_stat(&fscache_n_checkaux_none);
42151 + fscache_stat_unchecked(&fscache_n_checkaux_none);
42152 return FSCACHE_CHECKAUX_OKAY;
42153 }
42154
42155 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
42156 switch (result) {
42157 /* entry okay as is */
42158 case FSCACHE_CHECKAUX_OKAY:
42159 - fscache_stat(&fscache_n_checkaux_okay);
42160 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
42161 break;
42162
42163 /* entry requires update */
42164 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
42165 - fscache_stat(&fscache_n_checkaux_update);
42166 + fscache_stat_unchecked(&fscache_n_checkaux_update);
42167 break;
42168
42169 /* entry requires deletion */
42170 case FSCACHE_CHECKAUX_OBSOLETE:
42171 - fscache_stat(&fscache_n_checkaux_obsolete);
42172 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
42173 break;
42174
42175 default:
42176 diff -urNp linux-2.6.32.43/fs/fscache/operation.c linux-2.6.32.43/fs/fscache/operation.c
42177 --- linux-2.6.32.43/fs/fscache/operation.c 2011-03-27 14:31:47.000000000 -0400
42178 +++ linux-2.6.32.43/fs/fscache/operation.c 2011-05-04 17:56:28.000000000 -0400
42179 @@ -16,7 +16,7 @@
42180 #include <linux/seq_file.h>
42181 #include "internal.h"
42182
42183 -atomic_t fscache_op_debug_id;
42184 +atomic_unchecked_t fscache_op_debug_id;
42185 EXPORT_SYMBOL(fscache_op_debug_id);
42186
42187 /**
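Review bot: `fscache_op_debug_id` is an exported symbol, so changing its definition to `atomic_unchecked_t` here is only consistent if its `extern` declaration and every user are converted in the same patch, and neither is part of this hunk. The user visible in page.c, `__fscache_write_page()`, does switch to `atomic_inc_return_unchecked(&fscache_op_debug_id)`, but any header-inline or out-of-tree user would need to be checked separately. By contrast, cookie.c still bumps the object id with plain `atomic_inc_return(&fscache_object_debug_id)`; if that value is likewise only an identifier, it would remain subject to overflow detection and probably wants the same treatment. A one-line comment on the definition, e.g. `/* debug id source only; wrapping is harmless */`, would document why an ID generator is exempt.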
42188 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
42189 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
42190 ASSERTCMP(atomic_read(&op->usage), >, 0);
42191
42192 - fscache_stat(&fscache_n_op_enqueue);
42193 + fscache_stat_unchecked(&fscache_n_op_enqueue);
42194 switch (op->flags & FSCACHE_OP_TYPE) {
42195 case FSCACHE_OP_FAST:
42196 _debug("queue fast");
42197 @@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
42198 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
42199 if (op->processor)
42200 fscache_enqueue_operation(op);
42201 - fscache_stat(&fscache_n_op_run);
42202 + fscache_stat_unchecked(&fscache_n_op_run);
42203 }
42204
42205 /*
42206 @@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
42207 if (object->n_ops > 0) {
42208 atomic_inc(&op->usage);
42209 list_add_tail(&op->pend_link, &object->pending_ops);
42210 - fscache_stat(&fscache_n_op_pend);
42211 + fscache_stat_unchecked(&fscache_n_op_pend);
42212 } else if (!list_empty(&object->pending_ops)) {
42213 atomic_inc(&op->usage);
42214 list_add_tail(&op->pend_link, &object->pending_ops);
42215 - fscache_stat(&fscache_n_op_pend);
42216 + fscache_stat_unchecked(&fscache_n_op_pend);
42217 fscache_start_operations(object);
42218 } else {
42219 ASSERTCMP(object->n_in_progress, ==, 0);
42220 @@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
42221 object->n_exclusive++; /* reads and writes must wait */
42222 atomic_inc(&op->usage);
42223 list_add_tail(&op->pend_link, &object->pending_ops);
42224 - fscache_stat(&fscache_n_op_pend);
42225 + fscache_stat_unchecked(&fscache_n_op_pend);
42226 ret = 0;
42227 } else {
42228 /* not allowed to submit ops in any other state */
42229 @@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
42230 if (object->n_exclusive > 0) {
42231 atomic_inc(&op->usage);
42232 list_add_tail(&op->pend_link, &object->pending_ops);
42233 - fscache_stat(&fscache_n_op_pend);
42234 + fscache_stat_unchecked(&fscache_n_op_pend);
42235 } else if (!list_empty(&object->pending_ops)) {
42236 atomic_inc(&op->usage);
42237 list_add_tail(&op->pend_link, &object->pending_ops);
42238 - fscache_stat(&fscache_n_op_pend);
42239 + fscache_stat_unchecked(&fscache_n_op_pend);
42240 fscache_start_operations(object);
42241 } else {
42242 ASSERTCMP(object->n_exclusive, ==, 0);
42243 @@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
42244 object->n_ops++;
42245 atomic_inc(&op->usage);
42246 list_add_tail(&op->pend_link, &object->pending_ops);
42247 - fscache_stat(&fscache_n_op_pend);
42248 + fscache_stat_unchecked(&fscache_n_op_pend);
42249 ret = 0;
42250 } else if (object->state == FSCACHE_OBJECT_DYING ||
42251 object->state == FSCACHE_OBJECT_LC_DYING ||
42252 object->state == FSCACHE_OBJECT_WITHDRAWING) {
42253 - fscache_stat(&fscache_n_op_rejected);
42254 + fscache_stat_unchecked(&fscache_n_op_rejected);
42255 ret = -ENOBUFS;
42256 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
42257 fscache_report_unexpected_submission(object, op, ostate);
42258 @@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
42259
42260 ret = -EBUSY;
42261 if (!list_empty(&op->pend_link)) {
42262 - fscache_stat(&fscache_n_op_cancelled);
42263 + fscache_stat_unchecked(&fscache_n_op_cancelled);
42264 list_del_init(&op->pend_link);
42265 object->n_ops--;
42266 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
42267 @@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
42268 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
42269 BUG();
42270
42271 - fscache_stat(&fscache_n_op_release);
42272 + fscache_stat_unchecked(&fscache_n_op_release);
42273
42274 if (op->release) {
42275 op->release(op);
42276 @@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
42277 * lock, and defer it otherwise */
42278 if (!spin_trylock(&object->lock)) {
42279 _debug("defer put");
42280 - fscache_stat(&fscache_n_op_deferred_release);
42281 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
42282
42283 cache = object->cache;
42284 spin_lock(&cache->op_gc_list_lock);
42285 @@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
42286
42287 _debug("GC DEFERRED REL OBJ%x OP%x",
42288 object->debug_id, op->debug_id);
42289 - fscache_stat(&fscache_n_op_gc);
42290 + fscache_stat_unchecked(&fscache_n_op_gc);
42291
42292 ASSERTCMP(atomic_read(&op->usage), ==, 0);
42293
42294 diff -urNp linux-2.6.32.43/fs/fscache/page.c linux-2.6.32.43/fs/fscache/page.c
42295 --- linux-2.6.32.43/fs/fscache/page.c 2011-03-27 14:31:47.000000000 -0400
42296 +++ linux-2.6.32.43/fs/fscache/page.c 2011-05-04 17:56:28.000000000 -0400
42297 @@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
42298 val = radix_tree_lookup(&cookie->stores, page->index);
42299 if (!val) {
42300 rcu_read_unlock();
42301 - fscache_stat(&fscache_n_store_vmscan_not_storing);
42302 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
42303 __fscache_uncache_page(cookie, page);
42304 return true;
42305 }
42306 @@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
42307 spin_unlock(&cookie->stores_lock);
42308
42309 if (xpage) {
42310 - fscache_stat(&fscache_n_store_vmscan_cancelled);
42311 - fscache_stat(&fscache_n_store_radix_deletes);
42312 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
42313 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42314 ASSERTCMP(xpage, ==, page);
42315 } else {
42316 - fscache_stat(&fscache_n_store_vmscan_gone);
42317 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
42318 }
42319
42320 wake_up_bit(&cookie->flags, 0);
42321 @@ -106,7 +106,7 @@ page_busy:
42322 /* we might want to wait here, but that could deadlock the allocator as
42323 * the slow-work threads writing to the cache may all end up sleeping
42324 * on memory allocation */
42325 - fscache_stat(&fscache_n_store_vmscan_busy);
42326 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
42327 return false;
42328 }
42329 EXPORT_SYMBOL(__fscache_maybe_release_page);
42330 @@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
42331 FSCACHE_COOKIE_STORING_TAG);
42332 if (!radix_tree_tag_get(&cookie->stores, page->index,
42333 FSCACHE_COOKIE_PENDING_TAG)) {
42334 - fscache_stat(&fscache_n_store_radix_deletes);
42335 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
42336 xpage = radix_tree_delete(&cookie->stores, page->index);
42337 }
42338 spin_unlock(&cookie->stores_lock);
42339 @@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
42340
42341 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
42342
42343 - fscache_stat(&fscache_n_attr_changed_calls);
42344 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
42345
42346 if (fscache_object_is_active(object)) {
42347 fscache_set_op_state(op, "CallFS");
42348 @@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
42349
42350 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42351
42352 - fscache_stat(&fscache_n_attr_changed);
42353 + fscache_stat_unchecked(&fscache_n_attr_changed);
42354
42355 op = kzalloc(sizeof(*op), GFP_KERNEL);
42356 if (!op) {
42357 - fscache_stat(&fscache_n_attr_changed_nomem);
42358 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
42359 _leave(" = -ENOMEM");
42360 return -ENOMEM;
42361 }
42362 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
42363 if (fscache_submit_exclusive_op(object, op) < 0)
42364 goto nobufs;
42365 spin_unlock(&cookie->lock);
42366 - fscache_stat(&fscache_n_attr_changed_ok);
42367 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
42368 fscache_put_operation(op);
42369 _leave(" = 0");
42370 return 0;
42371 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
42372 nobufs:
42373 spin_unlock(&cookie->lock);
42374 kfree(op);
42375 - fscache_stat(&fscache_n_attr_changed_nobufs);
42376 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
42377 _leave(" = %d", -ENOBUFS);
42378 return -ENOBUFS;
42379 }
42380 @@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
42381 /* allocate a retrieval operation and attempt to submit it */
42382 op = kzalloc(sizeof(*op), GFP_NOIO);
42383 if (!op) {
42384 - fscache_stat(&fscache_n_retrievals_nomem);
42385 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42386 return NULL;
42387 }
42388
42389 @@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
42390 return 0;
42391 }
42392
42393 - fscache_stat(&fscache_n_retrievals_wait);
42394 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
42395
42396 jif = jiffies;
42397 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
42398 fscache_wait_bit_interruptible,
42399 TASK_INTERRUPTIBLE) != 0) {
42400 - fscache_stat(&fscache_n_retrievals_intr);
42401 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
42402 _leave(" = -ERESTARTSYS");
42403 return -ERESTARTSYS;
42404 }
42405 @@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
42406 */
42407 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
42408 struct fscache_retrieval *op,
42409 - atomic_t *stat_op_waits,
42410 - atomic_t *stat_object_dead)
42411 + atomic_unchecked_t *stat_op_waits,
42412 + atomic_unchecked_t *stat_object_dead)
42413 {
42414 int ret;
42415
42416 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
42417 goto check_if_dead;
42418
42419 _debug(">>> WT");
42420 - fscache_stat(stat_op_waits);
42421 + fscache_stat_unchecked(stat_op_waits);
42422 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
42423 fscache_wait_bit_interruptible,
42424 TASK_INTERRUPTIBLE) < 0) {
42425 @@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
42426
42427 check_if_dead:
42428 if (unlikely(fscache_object_is_dead(object))) {
42429 - fscache_stat(stat_object_dead);
42430 + fscache_stat_unchecked(stat_object_dead);
42431 return -ENOBUFS;
42432 }
42433 return 0;
42434 @@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
42435
42436 _enter("%p,%p,,,", cookie, page);
42437
42438 - fscache_stat(&fscache_n_retrievals);
42439 + fscache_stat_unchecked(&fscache_n_retrievals);
42440
42441 if (hlist_empty(&cookie->backing_objects))
42442 goto nobufs;
42443 @@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
42444 goto nobufs_unlock;
42445 spin_unlock(&cookie->lock);
42446
42447 - fscache_stat(&fscache_n_retrieval_ops);
42448 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
42449
42450 /* pin the netfs read context in case we need to do the actual netfs
42451 * read because we've encountered a cache read failure */
42452 @@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
42453
42454 error:
42455 if (ret == -ENOMEM)
42456 - fscache_stat(&fscache_n_retrievals_nomem);
42457 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42458 else if (ret == -ERESTARTSYS)
42459 - fscache_stat(&fscache_n_retrievals_intr);
42460 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
42461 else if (ret == -ENODATA)
42462 - fscache_stat(&fscache_n_retrievals_nodata);
42463 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
42464 else if (ret < 0)
42465 - fscache_stat(&fscache_n_retrievals_nobufs);
42466 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42467 else
42468 - fscache_stat(&fscache_n_retrievals_ok);
42469 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
42470
42471 fscache_put_retrieval(op);
42472 _leave(" = %d", ret);
42473 @@ -453,7 +453,7 @@ nobufs_unlock:
42474 spin_unlock(&cookie->lock);
42475 kfree(op);
42476 nobufs:
42477 - fscache_stat(&fscache_n_retrievals_nobufs);
42478 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42479 _leave(" = -ENOBUFS");
42480 return -ENOBUFS;
42481 }
42482 @@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
42483
42484 _enter("%p,,%d,,,", cookie, *nr_pages);
42485
42486 - fscache_stat(&fscache_n_retrievals);
42487 + fscache_stat_unchecked(&fscache_n_retrievals);
42488
42489 if (hlist_empty(&cookie->backing_objects))
42490 goto nobufs;
42491 @@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
42492 goto nobufs_unlock;
42493 spin_unlock(&cookie->lock);
42494
42495 - fscache_stat(&fscache_n_retrieval_ops);
42496 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
42497
42498 /* pin the netfs read context in case we need to do the actual netfs
42499 * read because we've encountered a cache read failure */
42500 @@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
42501
42502 error:
42503 if (ret == -ENOMEM)
42504 - fscache_stat(&fscache_n_retrievals_nomem);
42505 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
42506 else if (ret == -ERESTARTSYS)
42507 - fscache_stat(&fscache_n_retrievals_intr);
42508 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
42509 else if (ret == -ENODATA)
42510 - fscache_stat(&fscache_n_retrievals_nodata);
42511 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
42512 else if (ret < 0)
42513 - fscache_stat(&fscache_n_retrievals_nobufs);
42514 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42515 else
42516 - fscache_stat(&fscache_n_retrievals_ok);
42517 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
42518
42519 fscache_put_retrieval(op);
42520 _leave(" = %d", ret);
42521 @@ -570,7 +570,7 @@ nobufs_unlock:
42522 spin_unlock(&cookie->lock);
42523 kfree(op);
42524 nobufs:
42525 - fscache_stat(&fscache_n_retrievals_nobufs);
42526 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
42527 _leave(" = -ENOBUFS");
42528 return -ENOBUFS;
42529 }
42530 @@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
42531
42532 _enter("%p,%p,,,", cookie, page);
42533
42534 - fscache_stat(&fscache_n_allocs);
42535 + fscache_stat_unchecked(&fscache_n_allocs);
42536
42537 if (hlist_empty(&cookie->backing_objects))
42538 goto nobufs;
42539 @@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
42540 goto nobufs_unlock;
42541 spin_unlock(&cookie->lock);
42542
42543 - fscache_stat(&fscache_n_alloc_ops);
42544 + fscache_stat_unchecked(&fscache_n_alloc_ops);
42545
42546 ret = fscache_wait_for_retrieval_activation(
42547 object, op,
42548 @@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
42549
42550 error:
42551 if (ret == -ERESTARTSYS)
42552 - fscache_stat(&fscache_n_allocs_intr);
42553 + fscache_stat_unchecked(&fscache_n_allocs_intr);
42554 else if (ret < 0)
42555 - fscache_stat(&fscache_n_allocs_nobufs);
42556 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
42557 else
42558 - fscache_stat(&fscache_n_allocs_ok);
42559 + fscache_stat_unchecked(&fscache_n_allocs_ok);
42560
42561 fscache_put_retrieval(op);
42562 _leave(" = %d", ret);
42563 @@ -651,7 +651,7 @@ nobufs_unlock:
42564 spin_unlock(&cookie->lock);
42565 kfree(op);
42566 nobufs:
42567 - fscache_stat(&fscache_n_allocs_nobufs);
42568 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
42569 _leave(" = -ENOBUFS");
42570 return -ENOBUFS;
42571 }
42572 @@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
42573
42574 spin_lock(&cookie->stores_lock);
42575
42576 - fscache_stat(&fscache_n_store_calls);
42577 + fscache_stat_unchecked(&fscache_n_store_calls);
42578
42579 /* find a page to store */
42580 page = NULL;
42581 @@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
42582 page = results[0];
42583 _debug("gang %d [%lx]", n, page->index);
42584 if (page->index > op->store_limit) {
42585 - fscache_stat(&fscache_n_store_pages_over_limit);
42586 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
42587 goto superseded;
42588 }
42589
42590 @@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
42591
42592 if (page) {
42593 fscache_set_op_state(&op->op, "Store");
42594 - fscache_stat(&fscache_n_store_pages);
42595 + fscache_stat_unchecked(&fscache_n_store_pages);
42596 fscache_stat(&fscache_n_cop_write_page);
42597 ret = object->cache->ops->write_page(op, page);
42598 fscache_stat_d(&fscache_n_cop_write_page);
42599 @@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
42600 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42601 ASSERT(PageFsCache(page));
42602
42603 - fscache_stat(&fscache_n_stores);
42604 + fscache_stat_unchecked(&fscache_n_stores);
42605
42606 op = kzalloc(sizeof(*op), GFP_NOIO);
42607 if (!op)
42608 @@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
42609 spin_unlock(&cookie->stores_lock);
42610 spin_unlock(&object->lock);
42611
42612 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
42613 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
42614 op->store_limit = object->store_limit;
42615
42616 if (fscache_submit_op(object, &op->op) < 0)
42617 @@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
42618
42619 spin_unlock(&cookie->lock);
42620 radix_tree_preload_end();
42621 - fscache_stat(&fscache_n_store_ops);
42622 - fscache_stat(&fscache_n_stores_ok);
42623 + fscache_stat_unchecked(&fscache_n_store_ops);
42624 + fscache_stat_unchecked(&fscache_n_stores_ok);
42625
42626 /* the slow work queue now carries its own ref on the object */
42627 fscache_put_operation(&op->op);
42628 @@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
42629 return 0;
42630
42631 already_queued:
42632 - fscache_stat(&fscache_n_stores_again);
42633 + fscache_stat_unchecked(&fscache_n_stores_again);
42634 already_pending:
42635 spin_unlock(&cookie->stores_lock);
42636 spin_unlock(&object->lock);
42637 spin_unlock(&cookie->lock);
42638 radix_tree_preload_end();
42639 kfree(op);
42640 - fscache_stat(&fscache_n_stores_ok);
42641 + fscache_stat_unchecked(&fscache_n_stores_ok);
42642 _leave(" = 0");
42643 return 0;
42644
42645 @@ -886,14 +886,14 @@ nobufs:
42646 spin_unlock(&cookie->lock);
42647 radix_tree_preload_end();
42648 kfree(op);
42649 - fscache_stat(&fscache_n_stores_nobufs);
42650 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
42651 _leave(" = -ENOBUFS");
42652 return -ENOBUFS;
42653
42654 nomem_free:
42655 kfree(op);
42656 nomem:
42657 - fscache_stat(&fscache_n_stores_oom);
42658 + fscache_stat_unchecked(&fscache_n_stores_oom);
42659 _leave(" = -ENOMEM");
42660 return -ENOMEM;
42661 }
42662 @@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
42663 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
42664 ASSERTCMP(page, !=, NULL);
42665
42666 - fscache_stat(&fscache_n_uncaches);
42667 + fscache_stat_unchecked(&fscache_n_uncaches);
42668
42669 /* cache withdrawal may beat us to it */
42670 if (!PageFsCache(page))
42671 @@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
42672 unsigned long loop;
42673
42674 #ifdef CONFIG_FSCACHE_STATS
42675 - atomic_add(pagevec->nr, &fscache_n_marks);
42676 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
42677 #endif
42678
42679 for (loop = 0; loop < pagevec->nr; loop++) {
42680 diff -urNp linux-2.6.32.43/fs/fscache/stats.c linux-2.6.32.43/fs/fscache/stats.c
42681 --- linux-2.6.32.43/fs/fscache/stats.c 2011-03-27 14:31:47.000000000 -0400
42682 +++ linux-2.6.32.43/fs/fscache/stats.c 2011-05-04 17:56:28.000000000 -0400
42683 @@ -18,95 +18,95 @@
42684 /*
42685 * operation counters
42686 */
42687 -atomic_t fscache_n_op_pend;
42688 -atomic_t fscache_n_op_run;
42689 -atomic_t fscache_n_op_enqueue;
42690 -atomic_t fscache_n_op_requeue;
42691 -atomic_t fscache_n_op_deferred_release;
42692 -atomic_t fscache_n_op_release;
42693 -atomic_t fscache_n_op_gc;
42694 -atomic_t fscache_n_op_cancelled;
42695 -atomic_t fscache_n_op_rejected;
42696 -
42697 -atomic_t fscache_n_attr_changed;
42698 -atomic_t fscache_n_attr_changed_ok;
42699 -atomic_t fscache_n_attr_changed_nobufs;
42700 -atomic_t fscache_n_attr_changed_nomem;
42701 -atomic_t fscache_n_attr_changed_calls;
42702 -
42703 -atomic_t fscache_n_allocs;
42704 -atomic_t fscache_n_allocs_ok;
42705 -atomic_t fscache_n_allocs_wait;
42706 -atomic_t fscache_n_allocs_nobufs;
42707 -atomic_t fscache_n_allocs_intr;
42708 -atomic_t fscache_n_allocs_object_dead;
42709 -atomic_t fscache_n_alloc_ops;
42710 -atomic_t fscache_n_alloc_op_waits;
42711 -
42712 -atomic_t fscache_n_retrievals;
42713 -atomic_t fscache_n_retrievals_ok;
42714 -atomic_t fscache_n_retrievals_wait;
42715 -atomic_t fscache_n_retrievals_nodata;
42716 -atomic_t fscache_n_retrievals_nobufs;
42717 -atomic_t fscache_n_retrievals_intr;
42718 -atomic_t fscache_n_retrievals_nomem;
42719 -atomic_t fscache_n_retrievals_object_dead;
42720 -atomic_t fscache_n_retrieval_ops;
42721 -atomic_t fscache_n_retrieval_op_waits;
42722 -
42723 -atomic_t fscache_n_stores;
42724 -atomic_t fscache_n_stores_ok;
42725 -atomic_t fscache_n_stores_again;
42726 -atomic_t fscache_n_stores_nobufs;
42727 -atomic_t fscache_n_stores_oom;
42728 -atomic_t fscache_n_store_ops;
42729 -atomic_t fscache_n_store_calls;
42730 -atomic_t fscache_n_store_pages;
42731 -atomic_t fscache_n_store_radix_deletes;
42732 -atomic_t fscache_n_store_pages_over_limit;
42733 -
42734 -atomic_t fscache_n_store_vmscan_not_storing;
42735 -atomic_t fscache_n_store_vmscan_gone;
42736 -atomic_t fscache_n_store_vmscan_busy;
42737 -atomic_t fscache_n_store_vmscan_cancelled;
42738 -
42739 -atomic_t fscache_n_marks;
42740 -atomic_t fscache_n_uncaches;
42741 -
42742 -atomic_t fscache_n_acquires;
42743 -atomic_t fscache_n_acquires_null;
42744 -atomic_t fscache_n_acquires_no_cache;
42745 -atomic_t fscache_n_acquires_ok;
42746 -atomic_t fscache_n_acquires_nobufs;
42747 -atomic_t fscache_n_acquires_oom;
42748 -
42749 -atomic_t fscache_n_updates;
42750 -atomic_t fscache_n_updates_null;
42751 -atomic_t fscache_n_updates_run;
42752 -
42753 -atomic_t fscache_n_relinquishes;
42754 -atomic_t fscache_n_relinquishes_null;
42755 -atomic_t fscache_n_relinquishes_waitcrt;
42756 -atomic_t fscache_n_relinquishes_retire;
42757 -
42758 -atomic_t fscache_n_cookie_index;
42759 -atomic_t fscache_n_cookie_data;
42760 -atomic_t fscache_n_cookie_special;
42761 -
42762 -atomic_t fscache_n_object_alloc;
42763 -atomic_t fscache_n_object_no_alloc;
42764 -atomic_t fscache_n_object_lookups;
42765 -atomic_t fscache_n_object_lookups_negative;
42766 -atomic_t fscache_n_object_lookups_positive;
42767 -atomic_t fscache_n_object_lookups_timed_out;
42768 -atomic_t fscache_n_object_created;
42769 -atomic_t fscache_n_object_avail;
42770 -atomic_t fscache_n_object_dead;
42771 -
42772 -atomic_t fscache_n_checkaux_none;
42773 -atomic_t fscache_n_checkaux_okay;
42774 -atomic_t fscache_n_checkaux_update;
42775 -atomic_t fscache_n_checkaux_obsolete;
42776 +atomic_unchecked_t fscache_n_op_pend;
42777 +atomic_unchecked_t fscache_n_op_run;
42778 +atomic_unchecked_t fscache_n_op_enqueue;
42779 +atomic_unchecked_t fscache_n_op_requeue;
42780 +atomic_unchecked_t fscache_n_op_deferred_release;
42781 +atomic_unchecked_t fscache_n_op_release;
42782 +atomic_unchecked_t fscache_n_op_gc;
42783 +atomic_unchecked_t fscache_n_op_cancelled;
42784 +atomic_unchecked_t fscache_n_op_rejected;
42785 +
42786 +atomic_unchecked_t fscache_n_attr_changed;
42787 +atomic_unchecked_t fscache_n_attr_changed_ok;
42788 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
42789 +atomic_unchecked_t fscache_n_attr_changed_nomem;
42790 +atomic_unchecked_t fscache_n_attr_changed_calls;
42791 +
42792 +atomic_unchecked_t fscache_n_allocs;
42793 +atomic_unchecked_t fscache_n_allocs_ok;
42794 +atomic_unchecked_t fscache_n_allocs_wait;
42795 +atomic_unchecked_t fscache_n_allocs_nobufs;
42796 +atomic_unchecked_t fscache_n_allocs_intr;
42797 +atomic_unchecked_t fscache_n_allocs_object_dead;
42798 +atomic_unchecked_t fscache_n_alloc_ops;
42799 +atomic_unchecked_t fscache_n_alloc_op_waits;
42800 +
42801 +atomic_unchecked_t fscache_n_retrievals;
42802 +atomic_unchecked_t fscache_n_retrievals_ok;
42803 +atomic_unchecked_t fscache_n_retrievals_wait;
42804 +atomic_unchecked_t fscache_n_retrievals_nodata;
42805 +atomic_unchecked_t fscache_n_retrievals_nobufs;
42806 +atomic_unchecked_t fscache_n_retrievals_intr;
42807 +atomic_unchecked_t fscache_n_retrievals_nomem;
42808 +atomic_unchecked_t fscache_n_retrievals_object_dead;
42809 +atomic_unchecked_t fscache_n_retrieval_ops;
42810 +atomic_unchecked_t fscache_n_retrieval_op_waits;
42811 +
42812 +atomic_unchecked_t fscache_n_stores;
42813 +atomic_unchecked_t fscache_n_stores_ok;
42814 +atomic_unchecked_t fscache_n_stores_again;
42815 +atomic_unchecked_t fscache_n_stores_nobufs;
42816 +atomic_unchecked_t fscache_n_stores_oom;
42817 +atomic_unchecked_t fscache_n_store_ops;
42818 +atomic_unchecked_t fscache_n_store_calls;
42819 +atomic_unchecked_t fscache_n_store_pages;
42820 +atomic_unchecked_t fscache_n_store_radix_deletes;
42821 +atomic_unchecked_t fscache_n_store_pages_over_limit;
42822 +
42823 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
42824 +atomic_unchecked_t fscache_n_store_vmscan_gone;
42825 +atomic_unchecked_t fscache_n_store_vmscan_busy;
42826 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
42827 +
42828 +atomic_unchecked_t fscache_n_marks;
42829 +atomic_unchecked_t fscache_n_uncaches;
42830 +
42831 +atomic_unchecked_t fscache_n_acquires;
42832 +atomic_unchecked_t fscache_n_acquires_null;
42833 +atomic_unchecked_t fscache_n_acquires_no_cache;
42834 +atomic_unchecked_t fscache_n_acquires_ok;
42835 +atomic_unchecked_t fscache_n_acquires_nobufs;
42836 +atomic_unchecked_t fscache_n_acquires_oom;
42837 +
42838 +atomic_unchecked_t fscache_n_updates;
42839 +atomic_unchecked_t fscache_n_updates_null;
42840 +atomic_unchecked_t fscache_n_updates_run;
42841 +
42842 +atomic_unchecked_t fscache_n_relinquishes;
42843 +atomic_unchecked_t fscache_n_relinquishes_null;
42844 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
42845 +atomic_unchecked_t fscache_n_relinquishes_retire;
42846 +
42847 +atomic_unchecked_t fscache_n_cookie_index;
42848 +atomic_unchecked_t fscache_n_cookie_data;
42849 +atomic_unchecked_t fscache_n_cookie_special;
42850 +
42851 +atomic_unchecked_t fscache_n_object_alloc;
42852 +atomic_unchecked_t fscache_n_object_no_alloc;
42853 +atomic_unchecked_t fscache_n_object_lookups;
42854 +atomic_unchecked_t fscache_n_object_lookups_negative;
42855 +atomic_unchecked_t fscache_n_object_lookups_positive;
42856 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
42857 +atomic_unchecked_t fscache_n_object_created;
42858 +atomic_unchecked_t fscache_n_object_avail;
42859 +atomic_unchecked_t fscache_n_object_dead;
42860 +
42861 +atomic_unchecked_t fscache_n_checkaux_none;
42862 +atomic_unchecked_t fscache_n_checkaux_okay;
42863 +atomic_unchecked_t fscache_n_checkaux_update;
42864 +atomic_unchecked_t fscache_n_checkaux_obsolete;
42865
42866 atomic_t fscache_n_cop_alloc_object;
42867 atomic_t fscache_n_cop_lookup_object;
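Review bot: The counters converted to `atomic_unchecked_t` carry no comment saying why wrap-around is acceptable for them, while the `fscache_n_cop_*` counters directly below stay `atomic_t`. From the call sites visible in the page.c hunks, the converted counters are only incremented for reporting, whereas `fscache_n_cop_write_page` is paired with `fscache_stat_d()` and so acts as a gauge; that appears to be the dividing line, but nothing here states it. I would add above the block a comment such as `/* statistics only: may wrap, never used as a reference count, hence unchecked */`, so a later editor does not convert a real reference count by analogy.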
42868 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
42869 seq_puts(m, "FS-Cache statistics\n");
42870
42871 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
42872 - atomic_read(&fscache_n_cookie_index),
42873 - atomic_read(&fscache_n_cookie_data),
42874 - atomic_read(&fscache_n_cookie_special));
42875 + atomic_read_unchecked(&fscache_n_cookie_index),
42876 + atomic_read_unchecked(&fscache_n_cookie_data),
42877 + atomic_read_unchecked(&fscache_n_cookie_special));
42878
42879 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
42880 - atomic_read(&fscache_n_object_alloc),
42881 - atomic_read(&fscache_n_object_no_alloc),
42882 - atomic_read(&fscache_n_object_avail),
42883 - atomic_read(&fscache_n_object_dead));
42884 + atomic_read_unchecked(&fscache_n_object_alloc),
42885 + atomic_read_unchecked(&fscache_n_object_no_alloc),
42886 + atomic_read_unchecked(&fscache_n_object_avail),
42887 + atomic_read_unchecked(&fscache_n_object_dead));
42888 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
42889 - atomic_read(&fscache_n_checkaux_none),
42890 - atomic_read(&fscache_n_checkaux_okay),
42891 - atomic_read(&fscache_n_checkaux_update),
42892 - atomic_read(&fscache_n_checkaux_obsolete));
42893 + atomic_read_unchecked(&fscache_n_checkaux_none),
42894 + atomic_read_unchecked(&fscache_n_checkaux_okay),
42895 + atomic_read_unchecked(&fscache_n_checkaux_update),
42896 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
42897
42898 seq_printf(m, "Pages : mrk=%u unc=%u\n",
42899 - atomic_read(&fscache_n_marks),
42900 - atomic_read(&fscache_n_uncaches));
42901 + atomic_read_unchecked(&fscache_n_marks),
42902 + atomic_read_unchecked(&fscache_n_uncaches));
42903
42904 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
42905 " oom=%u\n",
42906 - atomic_read(&fscache_n_acquires),
42907 - atomic_read(&fscache_n_acquires_null),
42908 - atomic_read(&fscache_n_acquires_no_cache),
42909 - atomic_read(&fscache_n_acquires_ok),
42910 - atomic_read(&fscache_n_acquires_nobufs),
42911 - atomic_read(&fscache_n_acquires_oom));
42912 + atomic_read_unchecked(&fscache_n_acquires),
42913 + atomic_read_unchecked(&fscache_n_acquires_null),
42914 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
42915 + atomic_read_unchecked(&fscache_n_acquires_ok),
42916 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
42917 + atomic_read_unchecked(&fscache_n_acquires_oom));
42918
42919 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
42920 - atomic_read(&fscache_n_object_lookups),
42921 - atomic_read(&fscache_n_object_lookups_negative),
42922 - atomic_read(&fscache_n_object_lookups_positive),
42923 - atomic_read(&fscache_n_object_lookups_timed_out),
42924 - atomic_read(&fscache_n_object_created));
42925 + atomic_read_unchecked(&fscache_n_object_lookups),
42926 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
42927 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
42928 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
42929 + atomic_read_unchecked(&fscache_n_object_created));
42930
42931 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
42932 - atomic_read(&fscache_n_updates),
42933 - atomic_read(&fscache_n_updates_null),
42934 - atomic_read(&fscache_n_updates_run));
42935 + atomic_read_unchecked(&fscache_n_updates),
42936 + atomic_read_unchecked(&fscache_n_updates_null),
42937 + atomic_read_unchecked(&fscache_n_updates_run));
42938
42939 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
42940 - atomic_read(&fscache_n_relinquishes),
42941 - atomic_read(&fscache_n_relinquishes_null),
42942 - atomic_read(&fscache_n_relinquishes_waitcrt),
42943 - atomic_read(&fscache_n_relinquishes_retire));
42944 + atomic_read_unchecked(&fscache_n_relinquishes),
42945 + atomic_read_unchecked(&fscache_n_relinquishes_null),
42946 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
42947 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
42948
42949 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
42950 - atomic_read(&fscache_n_attr_changed),
42951 - atomic_read(&fscache_n_attr_changed_ok),
42952 - atomic_read(&fscache_n_attr_changed_nobufs),
42953 - atomic_read(&fscache_n_attr_changed_nomem),
42954 - atomic_read(&fscache_n_attr_changed_calls));
42955 + atomic_read_unchecked(&fscache_n_attr_changed),
42956 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
42957 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
42958 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
42959 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
42960
42961 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
42962 - atomic_read(&fscache_n_allocs),
42963 - atomic_read(&fscache_n_allocs_ok),
42964 - atomic_read(&fscache_n_allocs_wait),
42965 - atomic_read(&fscache_n_allocs_nobufs),
42966 - atomic_read(&fscache_n_allocs_intr));
42967 + atomic_read_unchecked(&fscache_n_allocs),
42968 + atomic_read_unchecked(&fscache_n_allocs_ok),
42969 + atomic_read_unchecked(&fscache_n_allocs_wait),
42970 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
42971 + atomic_read_unchecked(&fscache_n_allocs_intr));
42972 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
42973 - atomic_read(&fscache_n_alloc_ops),
42974 - atomic_read(&fscache_n_alloc_op_waits),
42975 - atomic_read(&fscache_n_allocs_object_dead));
42976 + atomic_read_unchecked(&fscache_n_alloc_ops),
42977 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
42978 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
42979
42980 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
42981 " int=%u oom=%u\n",
42982 - atomic_read(&fscache_n_retrievals),
42983 - atomic_read(&fscache_n_retrievals_ok),
42984 - atomic_read(&fscache_n_retrievals_wait),
42985 - atomic_read(&fscache_n_retrievals_nodata),
42986 - atomic_read(&fscache_n_retrievals_nobufs),
42987 - atomic_read(&fscache_n_retrievals_intr),
42988 - atomic_read(&fscache_n_retrievals_nomem));
42989 + atomic_read_unchecked(&fscache_n_retrievals),
42990 + atomic_read_unchecked(&fscache_n_retrievals_ok),
42991 + atomic_read_unchecked(&fscache_n_retrievals_wait),
42992 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
42993 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
42994 + atomic_read_unchecked(&fscache_n_retrievals_intr),
42995 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
42996 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
42997 - atomic_read(&fscache_n_retrieval_ops),
42998 - atomic_read(&fscache_n_retrieval_op_waits),
42999 - atomic_read(&fscache_n_retrievals_object_dead));
43000 + atomic_read_unchecked(&fscache_n_retrieval_ops),
43001 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
43002 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
43003
43004 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
43005 - atomic_read(&fscache_n_stores),
43006 - atomic_read(&fscache_n_stores_ok),
43007 - atomic_read(&fscache_n_stores_again),
43008 - atomic_read(&fscache_n_stores_nobufs),
43009 - atomic_read(&fscache_n_stores_oom));
43010 + atomic_read_unchecked(&fscache_n_stores),
43011 + atomic_read_unchecked(&fscache_n_stores_ok),
43012 + atomic_read_unchecked(&fscache_n_stores_again),
43013 + atomic_read_unchecked(&fscache_n_stores_nobufs),
43014 + atomic_read_unchecked(&fscache_n_stores_oom));
43015 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
43016 - atomic_read(&fscache_n_store_ops),
43017 - atomic_read(&fscache_n_store_calls),
43018 - atomic_read(&fscache_n_store_pages),
43019 - atomic_read(&fscache_n_store_radix_deletes),
43020 - atomic_read(&fscache_n_store_pages_over_limit));
43021 + atomic_read_unchecked(&fscache_n_store_ops),
43022 + atomic_read_unchecked(&fscache_n_store_calls),
43023 + atomic_read_unchecked(&fscache_n_store_pages),
43024 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
43025 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
43026
43027 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
43028 - atomic_read(&fscache_n_store_vmscan_not_storing),
43029 - atomic_read(&fscache_n_store_vmscan_gone),
43030 - atomic_read(&fscache_n_store_vmscan_busy),
43031 - atomic_read(&fscache_n_store_vmscan_cancelled));
43032 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
43033 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
43034 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
43035 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
43036
43037 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
43038 - atomic_read(&fscache_n_op_pend),
43039 - atomic_read(&fscache_n_op_run),
43040 - atomic_read(&fscache_n_op_enqueue),
43041 - atomic_read(&fscache_n_op_cancelled),
43042 - atomic_read(&fscache_n_op_rejected));
43043 + atomic_read_unchecked(&fscache_n_op_pend),
43044 + atomic_read_unchecked(&fscache_n_op_run),
43045 + atomic_read_unchecked(&fscache_n_op_enqueue),
43046 + atomic_read_unchecked(&fscache_n_op_cancelled),
43047 + atomic_read_unchecked(&fscache_n_op_rejected));
43048 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
43049 - atomic_read(&fscache_n_op_deferred_release),
43050 - atomic_read(&fscache_n_op_release),
43051 - atomic_read(&fscache_n_op_gc));
43052 + atomic_read_unchecked(&fscache_n_op_deferred_release),
43053 + atomic_read_unchecked(&fscache_n_op_release),
43054 + atomic_read_unchecked(&fscache_n_op_gc));
43055
43056 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
43057 atomic_read(&fscache_n_cop_alloc_object),
43058 diff -urNp linux-2.6.32.43/fs/fs_struct.c linux-2.6.32.43/fs/fs_struct.c
43059 --- linux-2.6.32.43/fs/fs_struct.c 2011-03-27 14:31:47.000000000 -0400
43060 +++ linux-2.6.32.43/fs/fs_struct.c 2011-04-17 15:56:46.000000000 -0400
43061 @@ -4,6 +4,7 @@
43062 #include <linux/path.h>
43063 #include <linux/slab.h>
43064 #include <linux/fs_struct.h>
43065 +#include <linux/grsecurity.h>
43066
43067 /*
43068 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
43069 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
43070 old_root = fs->root;
43071 fs->root = *path;
43072 path_get(path);
43073 + gr_set_chroot_entries(current, path);
43074 write_unlock(&fs->lock);
43075 if (old_root.dentry)
43076 path_put(&old_root);
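Review bot: `gr_set_chroot_entries(current, path)` updates the calling task only, while `set_fs_root()` takes an arbitrary `fs` that other tasks may share (the `users` count, which this same patch converts to an atomic, exists for that sharing). If the hook stores per-task chroot state, as its signature suggests, tasks sharing `fs` would keep stale entries after the root changes; its body is not part of this hunk, so that needs confirming. The `chroot_fs_refs()` hunk below already passes each affected task `p`. A comment at this call, for example `/* only current is updated here; sharers of fs are covered by <placeholder: where> */`, would record how the remaining sharers are handled. The function body starts outside the hunk.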
43077 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
43078 && fs->root.mnt == old_root->mnt) {
43079 path_get(new_root);
43080 fs->root = *new_root;
43081 + gr_set_chroot_entries(p, new_root);
43082 count++;
43083 }
43084 if (fs->pwd.dentry == old_root->dentry
43085 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
43086 task_lock(tsk);
43087 write_lock(&fs->lock);
43088 tsk->fs = NULL;
43089 - kill = !--fs->users;
43090 + gr_clear_chroot_entries(tsk);
43091 + kill = !atomic_dec_return(&fs->users);
43092 write_unlock(&fs->lock);
43093 task_unlock(tsk);
43094 if (kill)
43095 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
43096 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
43097 /* We don't need to lock fs - think why ;-) */
43098 if (fs) {
43099 - fs->users = 1;
43100 + atomic_set(&fs->users, 1);
43101 fs->in_exec = 0;
43102 rwlock_init(&fs->lock);
43103 fs->umask = old->umask;
43104 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
43105
43106 task_lock(current);
43107 write_lock(&fs->lock);
43108 - kill = !--fs->users;
43109 + kill = !atomic_dec_return(&fs->users);
43110 current->fs = new_fs;
43111 + gr_set_chroot_entries(current, &new_fs->root);
43112 write_unlock(&fs->lock);
43113 task_unlock(current);
43114
43115 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
43116
43117 /* to be mentioned only in INIT_TASK */
43118 struct fs_struct init_fs = {
43119 - .users = 1,
43120 + .users = ATOMIC_INIT(1),
43121 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
43122 .umask = 0022,
43123 };
43124 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
43125 task_lock(current);
43126
43127 write_lock(&init_fs.lock);
43128 - init_fs.users++;
43129 + atomic_inc(&init_fs.users);
43130 write_unlock(&init_fs.lock);
43131
43132 write_lock(&fs->lock);
43133 current->fs = &init_fs;
43134 - kill = !--fs->users;
43135 + gr_set_chroot_entries(current, &current->fs->root);
43136 + kill = !atomic_dec_return(&fs->users);
43137 write_unlock(&fs->lock);
43138
43139 task_unlock(current);
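Review bot: The added `gr_set_chroot_entries(current, &current->fs->root)` reads `init_fs.root` after `init_fs.lock` has already been dropped; at that point only the old `fs->lock` is held. The other hooks in this file are called with the lock of the `fs_struct` whose root they read, so this one is the odd case and could observe a root that is being replaced, if `init_fs`'s root can change at that time. Moving the call into the first critical section, next to `atomic_inc(&init_fs.users)`, as `gr_set_chroot_entries(current, &init_fs.root);` would keep the read under the matching lock. Whether the hook may run before `current->fs` is switched depends on its body, which is not shown here.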
43140 diff -urNp linux-2.6.32.43/fs/fuse/cuse.c linux-2.6.32.43/fs/fuse/cuse.c
43141 --- linux-2.6.32.43/fs/fuse/cuse.c 2011-03-27 14:31:47.000000000 -0400
43142 +++ linux-2.6.32.43/fs/fuse/cuse.c 2011-08-05 20:33:55.000000000 -0400
43143 @@ -576,10 +576,12 @@ static int __init cuse_init(void)
43144 INIT_LIST_HEAD(&cuse_conntbl[i]);
43145
43146 /* inherit and extend fuse_dev_operations */
43147 - cuse_channel_fops = fuse_dev_operations;
43148 - cuse_channel_fops.owner = THIS_MODULE;
43149 - cuse_channel_fops.open = cuse_channel_open;
43150 - cuse_channel_fops.release = cuse_channel_release;
43151 + pax_open_kernel();
43152 + memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
43153 + *(void **)&cuse_channel_fops.owner = THIS_MODULE;
43154 + *(void **)&cuse_channel_fops.open = cuse_channel_open;
43155 + *(void **)&cuse_channel_fops.release = cuse_channel_release;
43156 + pax_close_kernel();
43157
43158 cuse_class = class_create(THIS_MODULE, "cuse");
43159 if (IS_ERR(cuse_class))
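Review bot: The three stores through `*(void **)&cuse_channel_fops.<member>` bypass the compiler's type check on the handlers, so a later signature change to `cuse_channel_open` or `cuse_channel_release` would no longer be diagnosed. The `memcpy` is also sized from the source object rather than the destination. Building the table in an ordinary local and copying it once keeps the assignments type-checked and shortens the span between `pax_open_kernel()` and `pax_close_kernel()` to a single call. This assumes both objects are `struct file_operations`, which the hunk does not show, and `cuse_init` starts and ends outside the hunk.
```c
	/* declared with cuse_init's other locals (outside the hunk) */
	struct file_operations fops = fuse_dev_operations;

	/* inherit and extend fuse_dev_operations */
	fops.owner = THIS_MODULE;
	fops.open = cuse_channel_open;
	fops.release = cuse_channel_release;

	/* the destination is read-only data: one bounded write, window kept minimal */
	pax_open_kernel();
	memcpy((void *)&cuse_channel_fops, &fops, sizeof(cuse_channel_fops));
	pax_close_kernel();
```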
43160 diff -urNp linux-2.6.32.43/fs/fuse/dev.c linux-2.6.32.43/fs/fuse/dev.c
43161 --- linux-2.6.32.43/fs/fuse/dev.c 2011-03-27 14:31:47.000000000 -0400
43162 +++ linux-2.6.32.43/fs/fuse/dev.c 2011-08-05 20:33:55.000000000 -0400
43163 @@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
43164 {
43165 struct fuse_notify_inval_entry_out outarg;
43166 int err = -EINVAL;
43167 - char buf[FUSE_NAME_MAX+1];
43168 + char *buf = NULL;
43169 struct qstr name;
43170
43171 if (size < sizeof(outarg))
43172 @@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
43173 if (outarg.namelen > FUSE_NAME_MAX)
43174 goto err;
43175
43176 + err = -ENOMEM;
43177 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
43178 + if (!buf)
43179 + goto err;
43180 +
43181 name.name = buf;
43182 name.len = outarg.namelen;
43183 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
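Review bot: The heap buffer is always sized `FUSE_NAME_MAX+1`, while the copy on the last line of this hunk uses `outarg.namelen + 1`, so the allocation and the copy are bounded by two different expressions. They are tied together only by the `outarg.namelen > FUSE_NAME_MAX` check just above. Allocating exactly what is copied, `buf = kmalloc(outarg.namelen + 1, GFP_KERNEL);`, keeps the length check, the allocation and the copy on the same value, so a later change to one of them cannot silently leave the copy larger than the buffer. The early `goto err` paths rely on `buf` starting as `NULL`, which the first hunk provides. The function continues outside this hunk.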
43184 @@ -910,17 +915,15 @@ static int fuse_notify_inval_entry(struc
43185
43186 down_read(&fc->killsb);
43187 err = -ENOENT;
43188 - if (!fc->sb)
43189 - goto err_unlock;
43190 -
43191 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
43192 -
43193 -err_unlock:
43194 + if (fc->sb)
43195 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
43196 up_read(&fc->killsb);
43197 + kfree(buf);
43198 return err;
43199
43200 err:
43201 fuse_copy_finish(cs);
43202 + kfree(buf);
43203 return err;
43204 }
43205
43206 diff -urNp linux-2.6.32.43/fs/fuse/dir.c linux-2.6.32.43/fs/fuse/dir.c
43207 --- linux-2.6.32.43/fs/fuse/dir.c 2011-03-27 14:31:47.000000000 -0400
43208 +++ linux-2.6.32.43/fs/fuse/dir.c 2011-04-17 15:56:46.000000000 -0400
43209 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
43210 return link;
43211 }
43212
43213 -static void free_link(char *link)
43214 +static void free_link(const char *link)
43215 {
43216 if (!IS_ERR(link))
43217 free_page((unsigned long) link);
43218 diff -urNp linux-2.6.32.43/fs/gfs2/ops_inode.c linux-2.6.32.43/fs/gfs2/ops_inode.c
43219 --- linux-2.6.32.43/fs/gfs2/ops_inode.c 2011-03-27 14:31:47.000000000 -0400
43220 +++ linux-2.6.32.43/fs/gfs2/ops_inode.c 2011-05-16 21:46:57.000000000 -0400
43221 @@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
43222 unsigned int x;
43223 int error;
43224
43225 + pax_track_stack();
43226 +
43227 if (ndentry->d_inode) {
43228 nip = GFS2_I(ndentry->d_inode);
43229 if (ip == nip)
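Review bot: The added `pax_track_stack()` call has no comment naming the local variables that justify it, and in this hunk those declarations are mostly outside the visible lines. The same applies to the identical insertions in the hfsplus, jbd and jffs2 hunks further down, where only some of the large locals can be seen (for example the `positions` array in the jffs2 rtime functions). Without a note, nobody can tell when the call becomes unnecessary because the locals shrank or moved to the heap, or whether a newly grown function needs one. I would write it as `pax_track_stack(); /* large frame: <name of the big local(s)> */` at each site.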
43230 diff -urNp linux-2.6.32.43/fs/gfs2/sys.c linux-2.6.32.43/fs/gfs2/sys.c
43231 --- linux-2.6.32.43/fs/gfs2/sys.c 2011-03-27 14:31:47.000000000 -0400
43232 +++ linux-2.6.32.43/fs/gfs2/sys.c 2011-04-17 15:56:46.000000000 -0400
43233 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
43234 return a->store ? a->store(sdp, buf, len) : len;
43235 }
43236
43237 -static struct sysfs_ops gfs2_attr_ops = {
43238 +static const struct sysfs_ops gfs2_attr_ops = {
43239 .show = gfs2_attr_show,
43240 .store = gfs2_attr_store,
43241 };
43242 @@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
43243 return 0;
43244 }
43245
43246 -static struct kset_uevent_ops gfs2_uevent_ops = {
43247 +static const struct kset_uevent_ops gfs2_uevent_ops = {
43248 .uevent = gfs2_uevent,
43249 };
43250
43251 diff -urNp linux-2.6.32.43/fs/hfsplus/catalog.c linux-2.6.32.43/fs/hfsplus/catalog.c
43252 --- linux-2.6.32.43/fs/hfsplus/catalog.c 2011-03-27 14:31:47.000000000 -0400
43253 +++ linux-2.6.32.43/fs/hfsplus/catalog.c 2011-05-16 21:46:57.000000000 -0400
43254 @@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
43255 int err;
43256 u16 type;
43257
43258 + pax_track_stack();
43259 +
43260 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
43261 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
43262 if (err)
43263 @@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
43264 int entry_size;
43265 int err;
43266
43267 + pax_track_stack();
43268 +
43269 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
43270 sb = dir->i_sb;
43271 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
43272 @@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
43273 int entry_size, type;
43274 int err = 0;
43275
43276 + pax_track_stack();
43277 +
43278 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
43279 dst_dir->i_ino, dst_name->name);
43280 sb = src_dir->i_sb;
43281 diff -urNp linux-2.6.32.43/fs/hfsplus/dir.c linux-2.6.32.43/fs/hfsplus/dir.c
43282 --- linux-2.6.32.43/fs/hfsplus/dir.c 2011-03-27 14:31:47.000000000 -0400
43283 +++ linux-2.6.32.43/fs/hfsplus/dir.c 2011-05-16 21:46:57.000000000 -0400
43284 @@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
43285 struct hfsplus_readdir_data *rd;
43286 u16 type;
43287
43288 + pax_track_stack();
43289 +
43290 if (filp->f_pos >= inode->i_size)
43291 return 0;
43292
43293 diff -urNp linux-2.6.32.43/fs/hfsplus/inode.c linux-2.6.32.43/fs/hfsplus/inode.c
43294 --- linux-2.6.32.43/fs/hfsplus/inode.c 2011-03-27 14:31:47.000000000 -0400
43295 +++ linux-2.6.32.43/fs/hfsplus/inode.c 2011-05-16 21:46:57.000000000 -0400
43296 @@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
43297 int res = 0;
43298 u16 type;
43299
43300 + pax_track_stack();
43301 +
43302 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
43303
43304 HFSPLUS_I(inode).dev = 0;
43305 @@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
43306 struct hfs_find_data fd;
43307 hfsplus_cat_entry entry;
43308
43309 + pax_track_stack();
43310 +
43311 if (HFSPLUS_IS_RSRC(inode))
43312 main_inode = HFSPLUS_I(inode).rsrc_inode;
43313
43314 diff -urNp linux-2.6.32.43/fs/hfsplus/ioctl.c linux-2.6.32.43/fs/hfsplus/ioctl.c
43315 --- linux-2.6.32.43/fs/hfsplus/ioctl.c 2011-03-27 14:31:47.000000000 -0400
43316 +++ linux-2.6.32.43/fs/hfsplus/ioctl.c 2011-05-16 21:46:57.000000000 -0400
43317 @@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
43318 struct hfsplus_cat_file *file;
43319 int res;
43320
43321 + pax_track_stack();
43322 +
43323 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43324 return -EOPNOTSUPP;
43325
43326 @@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
43327 struct hfsplus_cat_file *file;
43328 ssize_t res = 0;
43329
43330 + pax_track_stack();
43331 +
43332 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
43333 return -EOPNOTSUPP;
43334
43335 diff -urNp linux-2.6.32.43/fs/hfsplus/super.c linux-2.6.32.43/fs/hfsplus/super.c
43336 --- linux-2.6.32.43/fs/hfsplus/super.c 2011-03-27 14:31:47.000000000 -0400
43337 +++ linux-2.6.32.43/fs/hfsplus/super.c 2011-05-16 21:46:57.000000000 -0400
43338 @@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
43339 struct nls_table *nls = NULL;
43340 int err = -EINVAL;
43341
43342 + pax_track_stack();
43343 +
43344 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
43345 if (!sbi)
43346 return -ENOMEM;
43347 diff -urNp linux-2.6.32.43/fs/hugetlbfs/inode.c linux-2.6.32.43/fs/hugetlbfs/inode.c
43348 --- linux-2.6.32.43/fs/hugetlbfs/inode.c 2011-03-27 14:31:47.000000000 -0400
43349 +++ linux-2.6.32.43/fs/hugetlbfs/inode.c 2011-04-17 15:56:46.000000000 -0400
43350 @@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
43351 .kill_sb = kill_litter_super,
43352 };
43353
43354 -static struct vfsmount *hugetlbfs_vfsmount;
43355 +struct vfsmount *hugetlbfs_vfsmount;
43356
43357 static int can_do_hugetlb_shm(void)
43358 {
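Review bot: Dropping `static` from `hugetlbfs_vfsmount` makes a writable mount pointer visible to the whole kernel image, and neither the matching `extern` declaration nor the code that needs it is shown in this hunk. If the only consumer needs to compare a mount against it, a small read-only accessor would expose less than the variable itself. At minimum the definition should say who uses it, for example `/* non-static: read by <placeholder: consumer> */`, so the wider linkage is not taken as an invitation to assign to it elsewhere.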
43359 diff -urNp linux-2.6.32.43/fs/ioctl.c linux-2.6.32.43/fs/ioctl.c
43360 --- linux-2.6.32.43/fs/ioctl.c 2011-03-27 14:31:47.000000000 -0400
43361 +++ linux-2.6.32.43/fs/ioctl.c 2011-04-17 15:56:46.000000000 -0400
43362 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
43363 u64 phys, u64 len, u32 flags)
43364 {
43365 struct fiemap_extent extent;
43366 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
43367 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
43368
43369 /* only count the extents */
43370 if (fieinfo->fi_extents_max == 0) {
43371 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
43372
43373 fieinfo.fi_flags = fiemap.fm_flags;
43374 fieinfo.fi_extents_max = fiemap.fm_extent_count;
43375 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
43376 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
43377
43378 if (fiemap.fm_extent_count != 0 &&
43379 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
43380 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
43381 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
43382 fiemap.fm_flags = fieinfo.fi_flags;
43383 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
43384 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
43385 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
43386 error = -EFAULT;
43387
43388 return error;
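Review bot: The `__force` in `(__force char __user *)arg` is inconsistent with the previous hunk, which casts the same `arg` to `struct fiemap_extent __user *` without it. If `arg` is the integer ioctl argument, as the `arg + sizeof(fiemap)` arithmetic suggests, the plain form `if (copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap)))` should be enough. `__force` is better kept for casts that really do change the address space, because it silences the checker at exactly the places a reviewer wants flagged. `ioctl_fiemap` starts outside this hunk, so the declared type of `arg` needs confirming.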
43389 diff -urNp linux-2.6.32.43/fs/jbd/checkpoint.c linux-2.6.32.43/fs/jbd/checkpoint.c
43390 --- linux-2.6.32.43/fs/jbd/checkpoint.c 2011-03-27 14:31:47.000000000 -0400
43391 +++ linux-2.6.32.43/fs/jbd/checkpoint.c 2011-05-16 21:46:57.000000000 -0400
43392 @@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
43393 tid_t this_tid;
43394 int result;
43395
43396 + pax_track_stack();
43397 +
43398 jbd_debug(1, "Start checkpoint\n");
43399
43400 /*
43401 diff -urNp linux-2.6.32.43/fs/jffs2/compr_rtime.c linux-2.6.32.43/fs/jffs2/compr_rtime.c
43402 --- linux-2.6.32.43/fs/jffs2/compr_rtime.c 2011-03-27 14:31:47.000000000 -0400
43403 +++ linux-2.6.32.43/fs/jffs2/compr_rtime.c 2011-05-16 21:46:57.000000000 -0400
43404 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
43405 int outpos = 0;
43406 int pos=0;
43407
43408 + pax_track_stack();
43409 +
43410 memset(positions,0,sizeof(positions));
43411
43412 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
43413 @@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
43414 int outpos = 0;
43415 int pos=0;
43416
43417 + pax_track_stack();
43418 +
43419 memset(positions,0,sizeof(positions));
43420
43421 while (outpos<destlen) {
43422 diff -urNp linux-2.6.32.43/fs/jffs2/compr_rubin.c linux-2.6.32.43/fs/jffs2/compr_rubin.c
43423 --- linux-2.6.32.43/fs/jffs2/compr_rubin.c 2011-03-27 14:31:47.000000000 -0400
43424 +++ linux-2.6.32.43/fs/jffs2/compr_rubin.c 2011-05-16 21:46:57.000000000 -0400
43425 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
43426 int ret;
43427 uint32_t mysrclen, mydstlen;
43428
43429 + pax_track_stack();
43430 +
43431 mysrclen = *sourcelen;
43432 mydstlen = *dstlen - 8;
43433
43434 diff -urNp linux-2.6.32.43/fs/jffs2/erase.c linux-2.6.32.43/fs/jffs2/erase.c
43435 --- linux-2.6.32.43/fs/jffs2/erase.c 2011-03-27 14:31:47.000000000 -0400
43436 +++ linux-2.6.32.43/fs/jffs2/erase.c 2011-04-17 15:56:46.000000000 -0400
43437 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
43438 struct jffs2_unknown_node marker = {
43439 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
43440 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
43441 - .totlen = cpu_to_je32(c->cleanmarker_size)
43442 + .totlen = cpu_to_je32(c->cleanmarker_size),
43443 + .hdr_crc = cpu_to_je32(0)
43444 };
43445
43446 jffs2_prealloc_raw_node_refs(c, jeb, 1);
43447 diff -urNp linux-2.6.32.43/fs/jffs2/wbuf.c linux-2.6.32.43/fs/jffs2/wbuf.c
43448 --- linux-2.6.32.43/fs/jffs2/wbuf.c 2011-03-27 14:31:47.000000000 -0400
43449 +++ linux-2.6.32.43/fs/jffs2/wbuf.c 2011-04-17 15:56:46.000000000 -0400
43450 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
43451 {
43452 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
43453 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
43454 - .totlen = constant_cpu_to_je32(8)
43455 + .totlen = constant_cpu_to_je32(8),
43456 + .hdr_crc = constant_cpu_to_je32(0)
43457 };
43458
43459 /*
43460 diff -urNp linux-2.6.32.43/fs/jffs2/xattr.c linux-2.6.32.43/fs/jffs2/xattr.c
43461 --- linux-2.6.32.43/fs/jffs2/xattr.c 2011-03-27 14:31:47.000000000 -0400
43462 +++ linux-2.6.32.43/fs/jffs2/xattr.c 2011-05-16 21:46:57.000000000 -0400
43463 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
43464
43465 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
43466
43467 + pax_track_stack();
43468 +
43469 /* Phase.1 : Merge same xref */
43470 for (i=0; i < XREF_TMPHASH_SIZE; i++)
43471 xref_tmphash[i] = NULL;
43472 diff -urNp linux-2.6.32.43/fs/jfs/super.c linux-2.6.32.43/fs/jfs/super.c
43473 --- linux-2.6.32.43/fs/jfs/super.c 2011-03-27 14:31:47.000000000 -0400
43474 +++ linux-2.6.32.43/fs/jfs/super.c 2011-06-07 18:06:04.000000000 -0400
43475 @@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
43476
43477 jfs_inode_cachep =
43478 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
43479 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
43480 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
43481 init_once);
43482 if (jfs_inode_cachep == NULL)
43483 return -ENOMEM;
43484 diff -urNp linux-2.6.32.43/fs/Kconfig.binfmt linux-2.6.32.43/fs/Kconfig.binfmt
43485 --- linux-2.6.32.43/fs/Kconfig.binfmt 2011-03-27 14:31:47.000000000 -0400
43486 +++ linux-2.6.32.43/fs/Kconfig.binfmt 2011-04-17 15:56:46.000000000 -0400
43487 @@ -86,7 +86,7 @@ config HAVE_AOUT
43488
43489 config BINFMT_AOUT
43490 tristate "Kernel support for a.out and ECOFF binaries"
43491 - depends on HAVE_AOUT
43492 + depends on HAVE_AOUT && BROKEN
43493 ---help---
43494 A.out (Assembler.OUTput) is a set of formats for libraries and
43495 executables used in the earliest versions of UNIX. Linux used
43496 diff -urNp linux-2.6.32.43/fs/libfs.c linux-2.6.32.43/fs/libfs.c
43497 --- linux-2.6.32.43/fs/libfs.c 2011-03-27 14:31:47.000000000 -0400
43498 +++ linux-2.6.32.43/fs/libfs.c 2011-05-11 18:25:15.000000000 -0400
43499 @@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
43500
43501 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
43502 struct dentry *next;
43503 + char d_name[sizeof(next->d_iname)];
43504 + const unsigned char *name;
43505 +
43506 next = list_entry(p, struct dentry, d_u.d_child);
43507 if (d_unhashed(next) || !next->d_inode)
43508 continue;
43509
43510 spin_unlock(&dcache_lock);
43511 - if (filldir(dirent, next->d_name.name,
43512 + name = next->d_name.name;
43513 + if (name == next->d_iname) {
43514 + memcpy(d_name, name, next->d_name.len);
43515 + name = d_name;
43516 + }
43517 + if (filldir(dirent, name,
43518 next->d_name.len, filp->f_pos,
43519 next->d_inode->i_ino,
43520 dt_type(next->d_inode)) < 0)
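Review bot: The `memcpy(d_name, name, next->d_name.len)` in the new inline-name branch runs after `spin_unlock(&dcache_lock)` and takes its length from a separate read of `next->d_name.len`, with nothing bounding it by `sizeof(d_name)`. If a rename can change the dentry's name between the pointer comparison and the copy (the locking that would rule this out is not visible in the hunk), the length and the stack buffer no longer belong together. Reading the length once and clamping it, e.g. `len = min_t(unsigned int, next->d_name.len, sizeof(d_name));`, then passing that same `len` to `filldir()`, keeps the stack copy bounded. A one-line comment saying why inline names are bounced through the stack would also help, since the hunk gives no reason. The loop and dcache_readdir() continue outside the hunk.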
43521 diff -urNp linux-2.6.32.43/fs/lockd/clntproc.c linux-2.6.32.43/fs/lockd/clntproc.c
43522 --- linux-2.6.32.43/fs/lockd/clntproc.c 2011-03-27 14:31:47.000000000 -0400
43523 +++ linux-2.6.32.43/fs/lockd/clntproc.c 2011-05-16 21:46:57.000000000 -0400
43524 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
43525 /*
43526 * Cookie counter for NLM requests
43527 */
43528 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
43529 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
43530
43531 void nlmclnt_next_cookie(struct nlm_cookie *c)
43532 {
43533 - u32 cookie = atomic_inc_return(&nlm_cookie);
43534 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
43535
43536 memcpy(c->data, &cookie, 4);
43537 c->len=4;
43538 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
43539 struct nlm_rqst reqst, *req;
43540 int status;
43541
43542 + pax_track_stack();
43543 +
43544 req = &reqst;
43545 memset(req, 0, sizeof(*req));
43546 locks_init_lock(&req->a_args.lock.fl);
43547 diff -urNp linux-2.6.32.43/fs/lockd/svc.c linux-2.6.32.43/fs/lockd/svc.c
43548 --- linux-2.6.32.43/fs/lockd/svc.c 2011-03-27 14:31:47.000000000 -0400
43549 +++ linux-2.6.32.43/fs/lockd/svc.c 2011-04-17 15:56:46.000000000 -0400
43550 @@ -43,7 +43,7 @@
43551
43552 static struct svc_program nlmsvc_program;
43553
43554 -struct nlmsvc_binding * nlmsvc_ops;
43555 +const struct nlmsvc_binding * nlmsvc_ops;
43556 EXPORT_SYMBOL_GPL(nlmsvc_ops);
43557
43558 static DEFINE_MUTEX(nlmsvc_mutex);
43559 diff -urNp linux-2.6.32.43/fs/locks.c linux-2.6.32.43/fs/locks.c
43560 --- linux-2.6.32.43/fs/locks.c 2011-03-27 14:31:47.000000000 -0400
43561 +++ linux-2.6.32.43/fs/locks.c 2011-07-06 19:47:11.000000000 -0400
43562 @@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
43563
43564 static struct kmem_cache *filelock_cache __read_mostly;
43565
43566 +static void locks_init_lock_always(struct file_lock *fl)
43567 +{
43568 + fl->fl_next = NULL;
43569 + fl->fl_fasync = NULL;
43570 + fl->fl_owner = NULL;
43571 + fl->fl_pid = 0;
43572 + fl->fl_nspid = NULL;
43573 + fl->fl_file = NULL;
43574 + fl->fl_flags = 0;
43575 + fl->fl_type = 0;
43576 + fl->fl_start = fl->fl_end = 0;
43577 +}
43578 +
43579 /* Allocate an empty lock structure. */
43580 static struct file_lock *locks_alloc_lock(void)
43581 {
43582 - return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
43583 + struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
43584 +
43585 + if (fl)
43586 + locks_init_lock_always(fl);
43587 +
43588 + return fl;
43589 }
43590
43591 void locks_release_private(struct file_lock *fl)
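Review bot: `locks_init_lock_always()` has no comment saying why `locks_alloc_lock()` resets only this subset of fields and leaves `fl_ops`, `fl_lmops`, the two list heads and the wait queue alone, all of which `locks_init_lock()` in the next hunk still sets. Presumably those are established elsewhere (a slab constructor or the free path), but nothing in the hunk shows it, and a reader will take the allocation path for partially initialised. After confirming that assumption I would add above the helper something like `/* Fields that must be reset on every allocation; fl_ops, fl_lmops, the list heads and fl_wait are left clean by the cache constructor and the free path. */`.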
43592 @@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
43593 INIT_LIST_HEAD(&fl->fl_link);
43594 INIT_LIST_HEAD(&fl->fl_block);
43595 init_waitqueue_head(&fl->fl_wait);
43596 - fl->fl_next = NULL;
43597 - fl->fl_fasync = NULL;
43598 - fl->fl_owner = NULL;
43599 - fl->fl_pid = 0;
43600 - fl->fl_nspid = NULL;
43601 - fl->fl_file = NULL;
43602 - fl->fl_flags = 0;
43603 - fl->fl_type = 0;
43604 - fl->fl_start = fl->fl_end = 0;
43605 fl->fl_ops = NULL;
43606 fl->fl_lmops = NULL;
43607 + locks_init_lock_always(fl);
43608 }
43609
43610 EXPORT_SYMBOL(locks_init_lock);
43611 @@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
43612 return;
43613
43614 if (filp->f_op && filp->f_op->flock) {
43615 - struct file_lock fl = {
43616 + struct file_lock flock = {
43617 .fl_pid = current->tgid,
43618 .fl_file = filp,
43619 .fl_flags = FL_FLOCK,
43620 .fl_type = F_UNLCK,
43621 .fl_end = OFFSET_MAX,
43622 };
43623 - filp->f_op->flock(filp, F_SETLKW, &fl);
43624 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
43625 - fl.fl_ops->fl_release_private(&fl);
43626 + filp->f_op->flock(filp, F_SETLKW, &flock);
43627 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
43628 + flock.fl_ops->fl_release_private(&flock);
43629 }
43630
43631 lock_kernel();
43632 diff -urNp linux-2.6.32.43/fs/mbcache.c linux-2.6.32.43/fs/mbcache.c
43633 --- linux-2.6.32.43/fs/mbcache.c 2011-03-27 14:31:47.000000000 -0400
43634 +++ linux-2.6.32.43/fs/mbcache.c 2011-08-05 20:33:55.000000000 -0400
43635 @@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
43636 if (!cache)
43637 goto fail;
43638 cache->c_name = name;
43639 - cache->c_op.free = NULL;
43640 + *(void **)&cache->c_op.free = NULL;
43641 if (cache_op)
43642 - cache->c_op.free = cache_op->free;
43643 + *(void **)&cache->c_op.free = cache_op->free;
43644 atomic_set(&cache->c_entry_count, 0);
43645 cache->c_bucket_bits = bucket_bits;
43646 #ifdef MB_CACHE_INDEXES_COUNT
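Review bot: The two stores through `*(void **)&cache->c_op.free` carry no explanation of why the plain assignment was replaced; the cast looks like a way to write a member that has become const-qualified elsewhere in the patch, which this hunk does not show. Storing a function pointer through a `void **` also drops the type check on `cache_op->free`, so a signature mismatch would no longer be diagnosed. A comment such as `/* c_op is read-only after creation; this is the only place it is written */` (wording to be confirmed against the struct definition) and a single store, `*(void **)&cache->c_op.free = cache_op ? cache_op->free : NULL;`, would make the intent explicit. mb_cache_create() starts and ends outside the hunk.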
43647 diff -urNp linux-2.6.32.43/fs/namei.c linux-2.6.32.43/fs/namei.c
43648 --- linux-2.6.32.43/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
43649 +++ linux-2.6.32.43/fs/namei.c 2011-05-16 21:46:57.000000000 -0400
43650 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
43651 return ret;
43652
43653 /*
43654 - * Read/write DACs are always overridable.
43655 - * Executable DACs are overridable if at least one exec bit is set.
43656 - */
43657 - if (!(mask & MAY_EXEC) || execute_ok(inode))
43658 - if (capable(CAP_DAC_OVERRIDE))
43659 - return 0;
43660 -
43661 - /*
43662 * Searching includes executable on directories, else just read.
43663 */
43664 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
43665 @@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
43666 if (capable(CAP_DAC_READ_SEARCH))
43667 return 0;
43668
43669 + /*
43670 + * Read/write DACs are always overridable.
43671 + * Executable DACs are overridable if at least one exec bit is set.
43672 + */
43673 + if (!(mask & MAY_EXEC) || execute_ok(inode))
43674 + if (capable(CAP_DAC_OVERRIDE))
43675 + return 0;
43676 +
43677 return -EACCES;
43678 }
43679
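Review bot: The block comment moved below the `CAP_DAC_READ_SEARCH` test still describes only what `CAP_DAC_OVERRIDE` allows and does not say why the order of the two capability checks was swapped. From the visible lines the outcome for a task holding either capability looks unchanged, so the motive is presumably which capability gets exercised (and logged) first; that is an inference and worth stating in the code. Suggested addition to the comment: `Checked after CAP_DAC_READ_SEARCH so that the broader capability is only consulted when the narrower one does not suffice.` The removal in the preceding hunk is the other half of this move.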
43680 @@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
43681 if (!ret)
43682 goto ok;
43683
43684 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
43685 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
43686 + capable(CAP_DAC_OVERRIDE))
43687 goto ok;
43688
43689 return ret;
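Review bot: The new condition tests `CAP_DAC_OVERRIDE` twice, first with `capable_nolog()` and last with `capable()`, and without a comment the trailing call reads as dead code. It can only be reached when the non-logging check has already failed, so it presumably exists for its logging side effect on denial; `capable_nolog()` is defined outside this hunk, so that is an assumption. A comment on the added lines, e.g. `/* try DAC_OVERRIDE quietly first; the final capable() is only there so a denial is logged */`, would keep someone from simplifying it away later.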
43690 @@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
43691 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
43692 error = PTR_ERR(cookie);
43693 if (!IS_ERR(cookie)) {
43694 - char *s = nd_get_link(nd);
43695 + const char *s = nd_get_link(nd);
43696 error = 0;
43697 if (s)
43698 error = __vfs_follow_link(nd, s);
43699 @@ -669,6 +670,13 @@ static inline int do_follow_link(struct
43700 err = security_inode_follow_link(path->dentry, nd);
43701 if (err)
43702 goto loop;
43703 +
43704 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
43705 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
43706 + err = -EACCES;
43707 + goto loop;
43708 + }
43709 +
43710 current->link_count++;
43711 current->total_link_count++;
43712 nd->depth++;
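Review bot: `path->dentry->d_parent->d_inode` in the added `gr_handle_follow_link()` call is read without `dget_parent()` or `d_lock`, as far as the hunk shows. If the symlink's dentry can be renamed concurrently, the parent inode handed to the policy check may not be the directory the link is actually followed from. Taking a reference first, `parent = dget_parent(path->dentry);` followed by `dput(parent);` after the check, would pin it for the duration of the call. The same expression appears in the `do_link:` hunk further down. do_follow_link() starts and ends outside the hunk.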
43713 @@ -1016,11 +1024,18 @@ return_reval:
43714 break;
43715 }
43716 return_base:
43717 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
43718 + path_put(&nd->path);
43719 + return -ENOENT;
43720 + }
43721 return 0;
43722 out_dput:
43723 path_put_conditional(&next, nd);
43724 break;
43725 }
43726 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
43727 + err = -ENOENT;
43728 +
43729 path_put(&nd->path);
43730 return_err:
43731 return err;
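Review bot: The second added check, after the loop, overwrites whatever error the walk produced with `-ENOENT` whenever `gr_acl_handle_hidden_file()` returns zero, while the `return_base:` check only turns success into `-ENOENT`. Masking the real error is presumably deliberate (a hidden object should look absent), but the check also runs on failure paths where `nd->path` may not name the object the caller asked for; that depends on code outside the hunk. A comment on the added lines, e.g. `/* hidden objects always report ENOENT, whatever the walk returned */`, would record the intent.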
43732 @@ -1091,13 +1106,20 @@ static int do_path_lookup(int dfd, const
43733 int retval = path_init(dfd, name, flags, nd);
43734 if (!retval)
43735 retval = path_walk(name, nd);
43736 - if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
43737 - nd->path.dentry->d_inode))
43738 - audit_inode(name, nd->path.dentry);
43739 +
43740 + if (likely(!retval)) {
43741 + if (nd->path.dentry && nd->path.dentry->d_inode) {
43742 + if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
43743 + retval = -ENOENT;
43744 + if (!audit_dummy_context())
43745 + audit_inode(name, nd->path.dentry);
43746 + }
43747 + }
43748 if (nd->root.mnt) {
43749 path_put(&nd->root);
43750 nd->root.mnt = NULL;
43751 }
43752 +
43753 return retval;
43754 }
43755
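Review bot: When `gr_chroot_fchdir()` refuses the lookup, the added code sets `retval = -ENOENT` but keeps the reference that the successful `path_walk()` left in `nd->path`. The `return_base:` hunk above calls `path_put(&nd->path)` before returning the same error, and callers normally release `nd->path` only on success (the callers are not visible here), so this path looks like a dentry/vfsmount reference leak. The denial branch should drop the reference, and it should do so after the audit call so the dentry is still pinned when `audit_inode()` uses it. do_path_lookup() starts outside the hunk.

```c
	if (likely(!retval)) {
		if (nd->path.dentry && nd->path.dentry->d_inode) {
			if (!audit_dummy_context())
				audit_inode(name, nd->path.dentry);
			if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt)) {
				path_put(&nd->path);
				retval = -ENOENT;
			}
		}
	}
	/* … unchanged: nd->root release and return … */
```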
43756 @@ -1576,6 +1598,20 @@ int may_open(struct path *path, int acc_
43757 if (error)
43758 goto err_out;
43759
43760 +
43761 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
43762 + error = -EPERM;
43763 + goto err_out;
43764 + }
43765 + if (gr_handle_rawio(inode)) {
43766 + error = -EPERM;
43767 + goto err_out;
43768 + }
43769 + if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
43770 + error = -EACCES;
43771 + goto err_out;
43772 + }
43773 +
43774 if (flag & O_TRUNC) {
43775 error = get_write_access(inode);
43776 if (error)
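Review bot: The three added checks (`gr_handle_rofs_blockwrite`, `gr_handle_rawio`, `gr_acl_handle_open`) are repeated with the same error codes in the `do_filp_open()` hunk below, so the two copies can drift apart. The comment added in the `do_last:` hunk says other checks belong in may_open(); if the `ok:` path of do_filp_open() reaches may_open(), which is not visible here, the policy hooks would also run twice for one open. A single static helper called from both places would keep the order and error codes in one spot; the name below is only a suggestion, and it assumes `inode` in may_open() is `dentry->d_inode`. The hunk also adds two consecutive blank lines before the first check.

```c
static int gr_open_checks(struct dentry *dentry, struct vfsmount *mnt,
			  int acc_mode, int flag)
{
	if (gr_handle_rofs_blockwrite(dentry, mnt, acc_mode))
		return -EPERM;
	if (gr_handle_rawio(dentry->d_inode))
		return -EPERM;
	if (!gr_acl_handle_open(dentry, mnt, flag))
		return -EACCES;
	return 0;
}

	/* in may_open(), replacing the three added blocks */
	error = gr_open_checks(dentry, path->mnt, acc_mode, flag);
	if (error)
		goto err_out;
```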
43777 @@ -1621,12 +1657,19 @@ static int __open_namei_create(struct na
43778 int error;
43779 struct dentry *dir = nd->path.dentry;
43780
43781 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
43782 + error = -EACCES;
43783 + goto out_unlock;
43784 + }
43785 +
43786 if (!IS_POSIXACL(dir->d_inode))
43787 mode &= ~current_umask();
43788 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
43789 if (error)
43790 goto out_unlock;
43791 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
43792 + if (!error)
43793 + gr_handle_create(path->dentry, nd->path.mnt);
43794 out_unlock:
43795 mutex_unlock(&dir->d_inode->i_mutex);
43796 dput(nd->path.dentry);
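Review bot: `gr_acl_handle_creat()` is passed `mode` before `mode &= ~current_umask()` is applied two lines later, so the policy decision is made on a mode that can differ from the one `vfs_create()` receives. Whether the hook wants the requested or the effective mode is not visible in this hunk. If it is the effective mode, the check should move below the umask line; if it is the requested mode, a comment such as `/* policy sees the mode as requested, before umask */` would make that explicit. __open_namei_create() continues outside the hunk.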
43797 @@ -1709,6 +1752,22 @@ struct file *do_filp_open(int dfd, const
43798 &nd, flag);
43799 if (error)
43800 return ERR_PTR(error);
43801 +
43802 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
43803 + error = -EPERM;
43804 + goto exit;
43805 + }
43806 +
43807 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
43808 + error = -EPERM;
43809 + goto exit;
43810 + }
43811 +
43812 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
43813 + error = -EACCES;
43814 + goto exit;
43815 + }
43816 +
43817 goto ok;
43818 }
43819
43820 @@ -1795,6 +1854,14 @@ do_last:
43821 /*
43822 * It already exists.
43823 */
43824 +
43825 + /* only check if O_CREAT is specified, all other checks need
43826 + to go into may_open */
43827 + if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
43828 + error = -EACCES;
43829 + goto exit_mutex_unlock;
43830 + }
43831 +
43832 mutex_unlock(&dir->d_inode->i_mutex);
43833 audit_inode(pathname, path.dentry);
43834
43835 @@ -1887,6 +1954,13 @@ do_link:
43836 error = security_inode_follow_link(path.dentry, &nd);
43837 if (error)
43838 goto exit_dput;
43839 +
43840 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
43841 + path.dentry, nd.path.mnt)) {
43842 + error = -EACCES;
43843 + goto exit_dput;
43844 + }
43845 +
43846 error = __do_follow_link(&path, &nd);
43847 if (error) {
43848 /* Does someone understand code flow here? Or it is only
43849 @@ -2061,6 +2135,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
43850 error = may_mknod(mode);
43851 if (error)
43852 goto out_dput;
43853 +
43854 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
43855 + error = -EPERM;
43856 + goto out_dput;
43857 + }
43858 +
43859 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
43860 + error = -EACCES;
43861 + goto out_dput;
43862 + }
43863 +
43864 error = mnt_want_write(nd.path.mnt);
43865 if (error)
43866 goto out_dput;
43867 @@ -2081,6 +2166,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
43868 }
43869 out_drop_write:
43870 mnt_drop_write(nd.path.mnt);
43871 +
43872 + if (!error)
43873 + gr_handle_create(dentry, nd.path.mnt);
43874 out_dput:
43875 dput(dentry);
43876 out_unlock:
43877 @@ -2134,6 +2222,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
43878 if (IS_ERR(dentry))
43879 goto out_unlock;
43880
43881 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
43882 + error = -EACCES;
43883 + goto out_dput;
43884 + }
43885 +
43886 if (!IS_POSIXACL(nd.path.dentry->d_inode))
43887 mode &= ~current_umask();
43888 error = mnt_want_write(nd.path.mnt);
43889 @@ -2145,6 +2238,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
43890 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
43891 out_drop_write:
43892 mnt_drop_write(nd.path.mnt);
43893 +
43894 + if (!error)
43895 + gr_handle_create(dentry, nd.path.mnt);
43896 +
43897 out_dput:
43898 dput(dentry);
43899 out_unlock:
43900 @@ -2226,6 +2323,8 @@ static long do_rmdir(int dfd, const char
43901 char * name;
43902 struct dentry *dentry;
43903 struct nameidata nd;
43904 + ino_t saved_ino = 0;
43905 + dev_t saved_dev = 0;
43906
43907 error = user_path_parent(dfd, pathname, &nd, &name);
43908 if (error)
43909 @@ -2250,6 +2349,19 @@ static long do_rmdir(int dfd, const char
43910 error = PTR_ERR(dentry);
43911 if (IS_ERR(dentry))
43912 goto exit2;
43913 +
43914 + if (dentry->d_inode != NULL) {
43915 + if (dentry->d_inode->i_nlink <= 1) {
43916 + saved_ino = dentry->d_inode->i_ino;
43917 + saved_dev = gr_get_dev_from_dentry(dentry);
43918 + }
43919 +
43920 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
43921 + error = -EACCES;
43922 + goto exit3;
43923 + }
43924 + }
43925 +
43926 error = mnt_want_write(nd.path.mnt);
43927 if (error)
43928 goto exit3;
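Review bot: `saved_ino` and `saved_dev` are recorded only when `dentry->d_inode->i_nlink <= 1`, a test that matches the one in the do_unlinkat() hunk but fits directories poorly: on many filesystems an empty directory has a link count of 2. In that case both stay zero and the `if (!error && (saved_dev || saved_ino))` guard in the next hunk skips `gr_handle_delete()` after a successful `vfs_rmdir()`. If the hook is meant to run whenever a directory is removed, which is an assumption about its purpose, record the identifiers unconditionally: `saved_ino = dentry->d_inode->i_ino;` and `saved_dev = gr_get_dev_from_dentry(dentry);` without the link-count test. do_rmdir() starts and ends outside the hunk.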
43929 @@ -2257,6 +2369,8 @@ static long do_rmdir(int dfd, const char
43930 if (error)
43931 goto exit4;
43932 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
43933 + if (!error && (saved_dev || saved_ino))
43934 + gr_handle_delete(saved_ino, saved_dev);
43935 exit4:
43936 mnt_drop_write(nd.path.mnt);
43937 exit3:
43938 @@ -2318,6 +2432,8 @@ static long do_unlinkat(int dfd, const c
43939 struct dentry *dentry;
43940 struct nameidata nd;
43941 struct inode *inode = NULL;
43942 + ino_t saved_ino = 0;
43943 + dev_t saved_dev = 0;
43944
43945 error = user_path_parent(dfd, pathname, &nd, &name);
43946 if (error)
43947 @@ -2337,8 +2453,19 @@ static long do_unlinkat(int dfd, const c
43948 if (nd.last.name[nd.last.len])
43949 goto slashes;
43950 inode = dentry->d_inode;
43951 - if (inode)
43952 + if (inode) {
43953 + if (inode->i_nlink <= 1) {
43954 + saved_ino = inode->i_ino;
43955 + saved_dev = gr_get_dev_from_dentry(dentry);
43956 + }
43957 +
43958 atomic_inc(&inode->i_count);
43959 +
43960 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
43961 + error = -EACCES;
43962 + goto exit2;
43963 + }
43964 + }
43965 error = mnt_want_write(nd.path.mnt);
43966 if (error)
43967 goto exit2;
43968 @@ -2346,6 +2473,8 @@ static long do_unlinkat(int dfd, const c
43969 if (error)
43970 goto exit3;
43971 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
43972 + if (!error && (saved_ino || saved_dev))
43973 + gr_handle_delete(saved_ino, saved_dev);
43974 exit3:
43975 mnt_drop_write(nd.path.mnt);
43976 exit2:
43977 @@ -2424,6 +2553,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
43978 if (IS_ERR(dentry))
43979 goto out_unlock;
43980
43981 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
43982 + error = -EACCES;
43983 + goto out_dput;
43984 + }
43985 +
43986 error = mnt_want_write(nd.path.mnt);
43987 if (error)
43988 goto out_dput;
43989 @@ -2431,6 +2565,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
43990 if (error)
43991 goto out_drop_write;
43992 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
43993 + if (!error)
43994 + gr_handle_create(dentry, nd.path.mnt);
43995 out_drop_write:
43996 mnt_drop_write(nd.path.mnt);
43997 out_dput:
43998 @@ -2524,6 +2660,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
43999 error = PTR_ERR(new_dentry);
44000 if (IS_ERR(new_dentry))
44001 goto out_unlock;
44002 +
44003 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
44004 + old_path.dentry->d_inode,
44005 + old_path.dentry->d_inode->i_mode, to)) {
44006 + error = -EACCES;
44007 + goto out_dput;
44008 + }
44009 +
44010 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
44011 + old_path.dentry, old_path.mnt, to)) {
44012 + error = -EACCES;
44013 + goto out_dput;
44014 + }
44015 +
44016 error = mnt_want_write(nd.path.mnt);
44017 if (error)
44018 goto out_dput;
44019 @@ -2531,6 +2681,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
44020 if (error)
44021 goto out_drop_write;
44022 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
44023 + if (!error)
44024 + gr_handle_create(new_dentry, nd.path.mnt);
44025 out_drop_write:
44026 mnt_drop_write(nd.path.mnt);
44027 out_dput:
44028 @@ -2708,6 +2860,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44029 char *to;
44030 int error;
44031
44032 + pax_track_stack();
44033 +
44034 error = user_path_parent(olddfd, oldname, &oldnd, &from);
44035 if (error)
44036 goto exit;
44037 @@ -2764,6 +2918,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44038 if (new_dentry == trap)
44039 goto exit5;
44040
44041 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
44042 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
44043 + to);
44044 + if (error)
44045 + goto exit5;
44046 +
44047 error = mnt_want_write(oldnd.path.mnt);
44048 if (error)
44049 goto exit5;
44050 @@ -2773,6 +2933,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
44051 goto exit6;
44052 error = vfs_rename(old_dir->d_inode, old_dentry,
44053 new_dir->d_inode, new_dentry);
44054 + if (!error)
44055 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
44056 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
44057 exit6:
44058 mnt_drop_write(oldnd.path.mnt);
44059 exit5:
44060 @@ -2798,6 +2961,8 @@ SYSCALL_DEFINE2(rename, const char __use
44061
44062 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
44063 {
44064 + char tmpbuf[64];
44065 + const char *newlink;
44066 int len;
44067
44068 len = PTR_ERR(link);
44069 @@ -2807,7 +2972,14 @@ int vfs_readlink(struct dentry *dentry,
44070 len = strlen(link);
44071 if (len > (unsigned) buflen)
44072 len = buflen;
44073 - if (copy_to_user(buffer, link, len))
44074 +
44075 + if (len < sizeof(tmpbuf)) {
44076 + memcpy(tmpbuf, link, len);
44077 + newlink = tmpbuf;
44078 + } else
44079 + newlink = link;
44080 +
44081 + if (copy_to_user(buffer, newlink, len))
44082 len = -EFAULT;
44083 out:
44084 return len;
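Review bot: The bounce through `tmpbuf` has no comment and the `64` in the previous hunk is a bare constant, so it is unclear why links shorter than 64 bytes are copied to the stack first while longer ones still go straight from `link` to `copy_to_user()`. If the copy exists to keep the user copy from reading out of an object it should not touch (an inference; the hunk does not say), the `else` branch leaves longer links on the old path and that asymmetry deserves a sentence. `len < sizeof(tmpbuf)` also compares an `int` with a `size_t`; it is safe only because `len` comes from `strlen()` and is non-negative at that point. I would add `/* short links may live inline in another object; copy them out before copy_to_user() */` (wording to be confirmed) and give the size a name.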
44085 diff -urNp linux-2.6.32.43/fs/namespace.c linux-2.6.32.43/fs/namespace.c
44086 --- linux-2.6.32.43/fs/namespace.c 2011-03-27 14:31:47.000000000 -0400
44087 +++ linux-2.6.32.43/fs/namespace.c 2011-04-17 15:56:46.000000000 -0400
44088 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
44089 if (!(sb->s_flags & MS_RDONLY))
44090 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
44091 up_write(&sb->s_umount);
44092 +
44093 + gr_log_remount(mnt->mnt_devname, retval);
44094 +
44095 return retval;
44096 }
44097
44098 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
44099 security_sb_umount_busy(mnt);
44100 up_write(&namespace_sem);
44101 release_mounts(&umount_list);
44102 +
44103 + gr_log_unmount(mnt->mnt_devname, retval);
44104 +
44105 return retval;
44106 }
44107
44108 @@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
44109 if (retval)
44110 goto dput_out;
44111
44112 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
44113 + retval = -EPERM;
44114 + goto dput_out;
44115 + }
44116 +
44117 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
44118 + retval = -EPERM;
44119 + goto dput_out;
44120 + }
44121 +
44122 if (flags & MS_REMOUNT)
44123 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
44124 data_page);
44125 @@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
44126 dev_name, data_page);
44127 dput_out:
44128 path_put(&path);
44129 +
44130 + gr_log_mount(dev_name, dir_name, retval);
44131 +
44132 return retval;
44133 }
44134
44135 @@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
44136 goto out1;
44137 }
44138
44139 + if (gr_handle_chroot_pivot()) {
44140 + error = -EPERM;
44141 + path_put(&old);
44142 + goto out1;
44143 + }
44144 +
44145 read_lock(&current->fs->lock);
44146 root = current->fs->root;
44147 path_get(&current->fs->root);
44148 diff -urNp linux-2.6.32.43/fs/ncpfs/dir.c linux-2.6.32.43/fs/ncpfs/dir.c
44149 --- linux-2.6.32.43/fs/ncpfs/dir.c 2011-03-27 14:31:47.000000000 -0400
44150 +++ linux-2.6.32.43/fs/ncpfs/dir.c 2011-05-16 21:46:57.000000000 -0400
44151 @@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
44152 int res, val = 0, len;
44153 __u8 __name[NCP_MAXPATHLEN + 1];
44154
44155 + pax_track_stack();
44156 +
44157 parent = dget_parent(dentry);
44158 dir = parent->d_inode;
44159
44160 @@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
44161 int error, res, len;
44162 __u8 __name[NCP_MAXPATHLEN + 1];
44163
44164 + pax_track_stack();
44165 +
44166 lock_kernel();
44167 error = -EIO;
44168 if (!ncp_conn_valid(server))
44169 @@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
44170 int error, result, len;
44171 int opmode;
44172 __u8 __name[NCP_MAXPATHLEN + 1];
44173 -
44174 +
44175 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
44176 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
44177
44178 + pax_track_stack();
44179 +
44180 error = -EIO;
44181 lock_kernel();
44182 if (!ncp_conn_valid(server))
44183 @@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
44184 int error, len;
44185 __u8 __name[NCP_MAXPATHLEN + 1];
44186
44187 + pax_track_stack();
44188 +
44189 DPRINTK("ncp_mkdir: making %s/%s\n",
44190 dentry->d_parent->d_name.name, dentry->d_name.name);
44191
44192 @@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
44193 if (!ncp_conn_valid(server))
44194 goto out;
44195
44196 + pax_track_stack();
44197 +
44198 ncp_age_dentry(server, dentry);
44199 len = sizeof(__name);
44200 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
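Review bot: This hunk adds a second `pax_track_stack()` to `ncp_mkdir()`; the previous hunk already adds one right after the local declarations of the same function, going by both `@@` headers. Unless the call is meant to be repeated after the `ncp_conn_valid()` check, which nothing here suggests, the second one is redundant and this hunk can be dropped. ncp_mkdir() starts and ends outside the hunk.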
44201 @@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
44202 int old_len, new_len;
44203 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
44204
44205 + pax_track_stack();
44206 +
44207 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
44208 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
44209 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
44210 diff -urNp linux-2.6.32.43/fs/ncpfs/inode.c linux-2.6.32.43/fs/ncpfs/inode.c
44211 --- linux-2.6.32.43/fs/ncpfs/inode.c 2011-03-27 14:31:47.000000000 -0400
44212 +++ linux-2.6.32.43/fs/ncpfs/inode.c 2011-05-16 21:46:57.000000000 -0400
44213 @@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
44214 #endif
44215 struct ncp_entry_info finfo;
44216
44217 + pax_track_stack();
44218 +
44219 data.wdog_pid = NULL;
44220 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
44221 if (!server)
44222 diff -urNp linux-2.6.32.43/fs/nfs/inode.c linux-2.6.32.43/fs/nfs/inode.c
44223 --- linux-2.6.32.43/fs/nfs/inode.c 2011-05-10 22:12:01.000000000 -0400
44224 +++ linux-2.6.32.43/fs/nfs/inode.c 2011-07-06 19:53:33.000000000 -0400
44225 @@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
44226 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
44227 nfsi->attrtimeo_timestamp = jiffies;
44228
44229 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
44230 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
44231 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
44232 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
44233 else
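Review bot: The corrected `sizeof` now names `NFS_I(inode)->cookieverf` while the destination is still spelled `NFS_COOKIEVERF(inode)`, so pointer and size refer to the same object only if the macro expands to that member. `nfsi` is already in scope two lines above, so `memset(nfsi->cookieverf, 0, sizeof(nfsi->cookieverf));` would keep both arguments visibly tied together, assuming `nfsi` is `NFS_I(inode)` (its assignment is outside the hunk). nfs_zap_caches_locked() starts and ends outside the hunk.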
44234 @@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
44235 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
44236 }
44237
44238 -static atomic_long_t nfs_attr_generation_counter;
44239 +static atomic_long_unchecked_t nfs_attr_generation_counter;
44240
44241 static unsigned long nfs_read_attr_generation_counter(void)
44242 {
44243 - return atomic_long_read(&nfs_attr_generation_counter);
44244 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
44245 }
44246
44247 unsigned long nfs_inc_attr_generation_counter(void)
44248 {
44249 - return atomic_long_inc_return(&nfs_attr_generation_counter);
44250 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
44251 }
44252
44253 void nfs_fattr_init(struct nfs_fattr *fattr)
44254 diff -urNp linux-2.6.32.43/fs/nfsd/lockd.c linux-2.6.32.43/fs/nfsd/lockd.c
44255 --- linux-2.6.32.43/fs/nfsd/lockd.c 2011-04-17 17:00:52.000000000 -0400
44256 +++ linux-2.6.32.43/fs/nfsd/lockd.c 2011-04-17 17:03:15.000000000 -0400
44257 @@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
44258 fput(filp);
44259 }
44260
44261 -static struct nlmsvc_binding nfsd_nlm_ops = {
44262 +static const struct nlmsvc_binding nfsd_nlm_ops = {
44263 .fopen = nlm_fopen, /* open file for locking */
44264 .fclose = nlm_fclose, /* close file */
44265 };
44266 diff -urNp linux-2.6.32.43/fs/nfsd/nfs4state.c linux-2.6.32.43/fs/nfsd/nfs4state.c
44267 --- linux-2.6.32.43/fs/nfsd/nfs4state.c 2011-03-27 14:31:47.000000000 -0400
44268 +++ linux-2.6.32.43/fs/nfsd/nfs4state.c 2011-05-16 21:46:57.000000000 -0400
44269 @@ -3457,6 +3457,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
44270 unsigned int cmd;
44271 int err;
44272
44273 + pax_track_stack();
44274 +
44275 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
44276 (long long) lock->lk_offset,
44277 (long long) lock->lk_length);
44278 diff -urNp linux-2.6.32.43/fs/nfsd/nfs4xdr.c linux-2.6.32.43/fs/nfsd/nfs4xdr.c
44279 --- linux-2.6.32.43/fs/nfsd/nfs4xdr.c 2011-03-27 14:31:47.000000000 -0400
44280 +++ linux-2.6.32.43/fs/nfsd/nfs4xdr.c 2011-05-16 21:46:57.000000000 -0400
44281 @@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
44282 struct nfsd4_compoundres *resp = rqstp->rq_resp;
44283 u32 minorversion = resp->cstate.minorversion;
44284
44285 + pax_track_stack();
44286 +
44287 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
44288 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
44289 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
44290 diff -urNp linux-2.6.32.43/fs/nfsd/vfs.c linux-2.6.32.43/fs/nfsd/vfs.c
44291 --- linux-2.6.32.43/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
44292 +++ linux-2.6.32.43/fs/nfsd/vfs.c 2011-05-10 22:12:33.000000000 -0400
44293 @@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
44294 } else {
44295 oldfs = get_fs();
44296 set_fs(KERNEL_DS);
44297 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
44298 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
44299 set_fs(oldfs);
44300 }
44301
44302 @@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
44303
44304 /* Write the data. */
44305 oldfs = get_fs(); set_fs(KERNEL_DS);
44306 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
44307 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
44308 set_fs(oldfs);
44309 if (host_err < 0)
44310 goto out_nfserr;
44311 @@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
44312 */
44313
44314 oldfs = get_fs(); set_fs(KERNEL_DS);
44315 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
44316 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
44317 set_fs(oldfs);
44318
44319 if (host_err < 0)
44320 diff -urNp linux-2.6.32.43/fs/nilfs2/ioctl.c linux-2.6.32.43/fs/nilfs2/ioctl.c
44321 --- linux-2.6.32.43/fs/nilfs2/ioctl.c 2011-03-27 14:31:47.000000000 -0400
44322 +++ linux-2.6.32.43/fs/nilfs2/ioctl.c 2011-05-04 17:56:28.000000000 -0400
44323 @@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
44324 unsigned int cmd, void __user *argp)
44325 {
44326 struct nilfs_argv argv[5];
44327 - const static size_t argsz[5] = {
44328 + static const size_t argsz[5] = {
44329 sizeof(struct nilfs_vdesc),
44330 sizeof(struct nilfs_period),
44331 sizeof(__u64),
44332 diff -urNp linux-2.6.32.43/fs/notify/dnotify/dnotify.c linux-2.6.32.43/fs/notify/dnotify/dnotify.c
44333 --- linux-2.6.32.43/fs/notify/dnotify/dnotify.c 2011-03-27 14:31:47.000000000 -0400
44334 +++ linux-2.6.32.43/fs/notify/dnotify/dnotify.c 2011-04-17 15:56:46.000000000 -0400
44335 @@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
44336 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
44337 }
44338
44339 -static struct fsnotify_ops dnotify_fsnotify_ops = {
44340 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
44341 .handle_event = dnotify_handle_event,
44342 .should_send_event = dnotify_should_send_event,
44343 .free_group_priv = NULL,
44344 diff -urNp linux-2.6.32.43/fs/notify/notification.c linux-2.6.32.43/fs/notify/notification.c
44345 --- linux-2.6.32.43/fs/notify/notification.c 2011-03-27 14:31:47.000000000 -0400
44346 +++ linux-2.6.32.43/fs/notify/notification.c 2011-05-04 17:56:28.000000000 -0400
44347 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
44348 * get set to 0 so it will never get 'freed'
44349 */
44350 static struct fsnotify_event q_overflow_event;
44351 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44352 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
44353
44354 /**
44355 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
44356 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
44357 */
44358 u32 fsnotify_get_cookie(void)
44359 {
44360 - return atomic_inc_return(&fsnotify_sync_cookie);
44361 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
44362 }
44363 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
44364
44365 diff -urNp linux-2.6.32.43/fs/ntfs/dir.c linux-2.6.32.43/fs/ntfs/dir.c
44366 --- linux-2.6.32.43/fs/ntfs/dir.c 2011-03-27 14:31:47.000000000 -0400
44367 +++ linux-2.6.32.43/fs/ntfs/dir.c 2011-04-17 15:56:46.000000000 -0400
44368 @@ -1328,7 +1328,7 @@ find_next_index_buffer:
44369 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
44370 ~(s64)(ndir->itype.index.block_size - 1)));
44371 /* Bounds checks. */
44372 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44373 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
44374 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
44375 "inode 0x%lx or driver bug.", vdir->i_ino);
44376 goto err_out;
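Review bot: The added `!kaddr` test shares the error branch with the range checks, so a null mapping is logged as "Out of bounds check failed. Corrupt directory inode ... or driver bug.", which points the reader at on-disk corruption instead of a failed page mapping. `ia` has also already been derived from `kaddr` on the two context lines above; that is only pointer arithmetic, but testing `kaddr` first would read more naturally. I would split it out ahead of the computation, e.g. `if (unlikely(!kaddr)) goto err_out;`, with its own message if one is wanted. Where `kaddr` is assigned and what `err_out` releases are outside this hunk, so confirm that path is safe when no page is mapped.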
44377 diff -urNp linux-2.6.32.43/fs/ntfs/file.c linux-2.6.32.43/fs/ntfs/file.c
44378 --- linux-2.6.32.43/fs/ntfs/file.c 2011-03-27 14:31:47.000000000 -0400
44379 +++ linux-2.6.32.43/fs/ntfs/file.c 2011-04-17 15:56:46.000000000 -0400
44380 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
44381 #endif /* NTFS_RW */
44382 };
44383
44384 -const struct file_operations ntfs_empty_file_ops = {};
44385 +const struct file_operations ntfs_empty_file_ops __read_only;
44386
44387 -const struct inode_operations ntfs_empty_inode_ops = {};
44388 +const struct inode_operations ntfs_empty_inode_ops __read_only;
44389 diff -urNp linux-2.6.32.43/fs/ocfs2/cluster/masklog.c linux-2.6.32.43/fs/ocfs2/cluster/masklog.c
44390 --- linux-2.6.32.43/fs/ocfs2/cluster/masklog.c 2011-03-27 14:31:47.000000000 -0400
44391 +++ linux-2.6.32.43/fs/ocfs2/cluster/masklog.c 2011-04-17 15:56:46.000000000 -0400
44392 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
44393 return mlog_mask_store(mlog_attr->mask, buf, count);
44394 }
44395
44396 -static struct sysfs_ops mlog_attr_ops = {
44397 +static const struct sysfs_ops mlog_attr_ops = {
44398 .show = mlog_show,
44399 .store = mlog_store,
44400 };
44401 diff -urNp linux-2.6.32.43/fs/ocfs2/localalloc.c linux-2.6.32.43/fs/ocfs2/localalloc.c
44402 --- linux-2.6.32.43/fs/ocfs2/localalloc.c 2011-03-27 14:31:47.000000000 -0400
44403 +++ linux-2.6.32.43/fs/ocfs2/localalloc.c 2011-04-17 15:56:46.000000000 -0400
44404 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
44405 goto bail;
44406 }
44407
44408 - atomic_inc(&osb->alloc_stats.moves);
44409 + atomic_inc_unchecked(&osb->alloc_stats.moves);
44410
44411 status = 0;
44412 bail:
44413 diff -urNp linux-2.6.32.43/fs/ocfs2/namei.c linux-2.6.32.43/fs/ocfs2/namei.c
44414 --- linux-2.6.32.43/fs/ocfs2/namei.c 2011-03-27 14:31:47.000000000 -0400
44415 +++ linux-2.6.32.43/fs/ocfs2/namei.c 2011-05-16 21:46:57.000000000 -0400
44416 @@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
44417 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
44418 struct ocfs2_dir_lookup_result target_insert = { NULL, };
44419
44420 + pax_track_stack();
44421 +
44422 /* At some point it might be nice to break this function up a
44423 * bit. */
44424
44425 diff -urNp linux-2.6.32.43/fs/ocfs2/ocfs2.h linux-2.6.32.43/fs/ocfs2/ocfs2.h
44426 --- linux-2.6.32.43/fs/ocfs2/ocfs2.h 2011-03-27 14:31:47.000000000 -0400
44427 +++ linux-2.6.32.43/fs/ocfs2/ocfs2.h 2011-04-17 15:56:46.000000000 -0400
44428 @@ -217,11 +217,11 @@ enum ocfs2_vol_state
44429
44430 struct ocfs2_alloc_stats
44431 {
44432 - atomic_t moves;
44433 - atomic_t local_data;
44434 - atomic_t bitmap_data;
44435 - atomic_t bg_allocs;
44436 - atomic_t bg_extends;
44437 + atomic_unchecked_t moves;
44438 + atomic_unchecked_t local_data;
44439 + atomic_unchecked_t bitmap_data;
44440 + atomic_unchecked_t bg_allocs;
44441 + atomic_unchecked_t bg_extends;
44442 };
44443
44444 enum ocfs2_local_alloc_state
44445 diff -urNp linux-2.6.32.43/fs/ocfs2/suballoc.c linux-2.6.32.43/fs/ocfs2/suballoc.c
44446 --- linux-2.6.32.43/fs/ocfs2/suballoc.c 2011-03-27 14:31:47.000000000 -0400
44447 +++ linux-2.6.32.43/fs/ocfs2/suballoc.c 2011-04-17 15:56:46.000000000 -0400
44448 @@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
44449 mlog_errno(status);
44450 goto bail;
44451 }
44452 - atomic_inc(&osb->alloc_stats.bg_extends);
44453 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
44454
44455 /* You should never ask for this much metadata */
44456 BUG_ON(bits_wanted >
44457 @@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
44458 mlog_errno(status);
44459 goto bail;
44460 }
44461 - atomic_inc(&osb->alloc_stats.bg_allocs);
44462 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
44463
44464 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
44465 ac->ac_bits_given += (*num_bits);
44466 @@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
44467 mlog_errno(status);
44468 goto bail;
44469 }
44470 - atomic_inc(&osb->alloc_stats.bg_allocs);
44471 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
44472
44473 BUG_ON(num_bits != 1);
44474
44475 @@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
44476 cluster_start,
44477 num_clusters);
44478 if (!status)
44479 - atomic_inc(&osb->alloc_stats.local_data);
44480 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
44481 } else {
44482 if (min_clusters > (osb->bitmap_cpg - 1)) {
44483 /* The only paths asking for contiguousness
44484 @@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
44485 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
44486 bg_blkno,
44487 bg_bit_off);
44488 - atomic_inc(&osb->alloc_stats.bitmap_data);
44489 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
44490 }
44491 }
44492 if (status < 0) {
44493 diff -urNp linux-2.6.32.43/fs/ocfs2/super.c linux-2.6.32.43/fs/ocfs2/super.c
44494 --- linux-2.6.32.43/fs/ocfs2/super.c 2011-03-27 14:31:47.000000000 -0400
44495 +++ linux-2.6.32.43/fs/ocfs2/super.c 2011-04-17 15:56:46.000000000 -0400
44496 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
44497 "%10s => GlobalAllocs: %d LocalAllocs: %d "
44498 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
44499 "Stats",
44500 - atomic_read(&osb->alloc_stats.bitmap_data),
44501 - atomic_read(&osb->alloc_stats.local_data),
44502 - atomic_read(&osb->alloc_stats.bg_allocs),
44503 - atomic_read(&osb->alloc_stats.moves),
44504 - atomic_read(&osb->alloc_stats.bg_extends));
44505 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
44506 + atomic_read_unchecked(&osb->alloc_stats.local_data),
44507 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
44508 + atomic_read_unchecked(&osb->alloc_stats.moves),
44509 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
44510
44511 out += snprintf(buf + out, len - out,
44512 "%10s => State: %u Descriptor: %llu Size: %u bits "
44513 @@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
44514 spin_lock_init(&osb->osb_xattr_lock);
44515 ocfs2_init_inode_steal_slot(osb);
44516
44517 - atomic_set(&osb->alloc_stats.moves, 0);
44518 - atomic_set(&osb->alloc_stats.local_data, 0);
44519 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
44520 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
44521 - atomic_set(&osb->alloc_stats.bg_extends, 0);
44522 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
44523 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
44524 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
44525 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
44526 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
44527
44528 /* Copy the blockcheck stats from the superblock probe */
44529 osb->osb_ecc_stats = *stats;
44530 diff -urNp linux-2.6.32.43/fs/open.c linux-2.6.32.43/fs/open.c
44531 --- linux-2.6.32.43/fs/open.c 2011-03-27 14:31:47.000000000 -0400
44532 +++ linux-2.6.32.43/fs/open.c 2011-04-17 15:56:46.000000000 -0400
44533 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
44534 error = locks_verify_truncate(inode, NULL, length);
44535 if (!error)
44536 error = security_path_truncate(&path, length, 0);
44537 +
44538 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
44539 + error = -EACCES;
44540 +
44541 if (!error) {
44542 vfs_dq_init(inode);
44543 error = do_truncate(path.dentry, length, 0, NULL);
44544 @@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
44545 if (__mnt_is_readonly(path.mnt))
44546 res = -EROFS;
44547
44548 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
44549 + res = -EACCES;
44550 +
44551 out_path_release:
44552 path_put(&path);
44553 out:
44554 @@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
44555 if (error)
44556 goto dput_and_out;
44557
44558 + gr_log_chdir(path.dentry, path.mnt);
44559 +
44560 set_fs_pwd(current->fs, &path);
44561
44562 dput_and_out:
44563 @@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
44564 goto out_putf;
44565
44566 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
44567 +
44568 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
44569 + error = -EPERM;
44570 +
44571 + if (!error)
44572 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
44573 +
44574 if (!error)
44575 set_fs_pwd(current->fs, &file->f_path);
44576 out_putf:
44577 @@ -588,7 +604,18 @@ SYSCALL_DEFINE1(chroot, const char __use
44578 if (!capable(CAP_SYS_CHROOT))
44579 goto dput_and_out;
44580
44581 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
44582 + goto dput_and_out;
44583 +
44584 + if (gr_handle_chroot_caps(&path)) {
44585 + error = -ENOMEM;
44586 + goto dput_and_out;
44587 + }
44588 +
44589 set_fs_root(current->fs, &path);
44590 +
44591 + gr_handle_chroot_chdir(&path);
44592 +
44593 error = 0;
44594 dput_and_out:
44595 path_put(&path);
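Review bot: The `gr_handle_chroot_chroot()` denial jumps to `dput_and_out` without assigning `error`, so the errno userland sees depends on an assignment made before the `capable(CAP_SYS_CHROOT)` test, outside this hunk. Setting it at the branch, as the `gr_handle_chroot_caps()` case just below does, keeps the result stable if the earlier code changes: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }` (assuming `-EPERM` is the intended value). A one-line comment on why a `gr_handle_chroot_caps()` failure is reported as `-ENOMEM` would also help, since the helper's failure modes are not visible here.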
44596 @@ -616,12 +643,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
44597 err = mnt_want_write_file(file);
44598 if (err)
44599 goto out_putf;
44600 +
44601 mutex_lock(&inode->i_mutex);
44602 +
44603 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
44604 + err = -EACCES;
44605 + goto out_unlock;
44606 + }
44607 +
44608 if (mode == (mode_t) -1)
44609 mode = inode->i_mode;
44610 +
44611 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
44612 + err = -EPERM;
44613 + goto out_unlock;
44614 + }
44615 +
44616 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
44617 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
44618 err = notify_change(dentry, &newattrs);
44619 +
44620 +out_unlock:
44621 mutex_unlock(&inode->i_mutex);
44622 mnt_drop_write(file->f_path.mnt);
44623 out_putf:
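Review bot: The two chmod paths return different errno values for the same chroot denial: here a failing `gr_handle_chroot_chmod()` sets `err = -EPERM`, while the fchmodat hunk that follows sets `error = -EACCES`. Because `chmod` is routed through `sys_fchmodat` (visible in the context of the chown_common hunk), userspace gets EACCES from chmod/fchmodat and EPERM from fchmod for one policy decision. Pick one value for both, e.g. `error = -EPERM;` in the fchmodat branch. In both hunks the ACL hook also sees the raw `mode` before the `(mode_t) -1` normalisation while the chroot hook sees the normalised one; a comment stating that this ordering is intended would help.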
44624 @@ -645,12 +687,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
44625 error = mnt_want_write(path.mnt);
44626 if (error)
44627 goto dput_and_out;
44628 +
44629 mutex_lock(&inode->i_mutex);
44630 +
44631 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
44632 + error = -EACCES;
44633 + goto out_unlock;
44634 + }
44635 +
44636 if (mode == (mode_t) -1)
44637 mode = inode->i_mode;
44638 +
44639 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
44640 + error = -EACCES;
44641 + goto out_unlock;
44642 + }
44643 +
44644 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
44645 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
44646 error = notify_change(path.dentry, &newattrs);
44647 +
44648 +out_unlock:
44649 mutex_unlock(&inode->i_mutex);
44650 mnt_drop_write(path.mnt);
44651 dput_and_out:
44652 @@ -664,12 +721,15 @@ SYSCALL_DEFINE2(chmod, const char __user
44653 return sys_fchmodat(AT_FDCWD, filename, mode);
44654 }
44655
44656 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
44657 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
44658 {
44659 struct inode *inode = dentry->d_inode;
44660 int error;
44661 struct iattr newattrs;
44662
44663 + if (!gr_acl_handle_chown(dentry, mnt))
44664 + return -EACCES;
44665 +
44666 newattrs.ia_valid = ATTR_CTIME;
44667 if (user != (uid_t) -1) {
44668 newattrs.ia_valid |= ATTR_UID;
44669 @@ -700,7 +760,7 @@ SYSCALL_DEFINE3(chown, const char __user
44670 error = mnt_want_write(path.mnt);
44671 if (error)
44672 goto out_release;
44673 - error = chown_common(path.dentry, user, group);
44674 + error = chown_common(path.dentry, user, group, path.mnt);
44675 mnt_drop_write(path.mnt);
44676 out_release:
44677 path_put(&path);
44678 @@ -725,7 +785,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
44679 error = mnt_want_write(path.mnt);
44680 if (error)
44681 goto out_release;
44682 - error = chown_common(path.dentry, user, group);
44683 + error = chown_common(path.dentry, user, group, path.mnt);
44684 mnt_drop_write(path.mnt);
44685 out_release:
44686 path_put(&path);
44687 @@ -744,7 +804,7 @@ SYSCALL_DEFINE3(lchown, const char __use
44688 error = mnt_want_write(path.mnt);
44689 if (error)
44690 goto out_release;
44691 - error = chown_common(path.dentry, user, group);
44692 + error = chown_common(path.dentry, user, group, path.mnt);
44693 mnt_drop_write(path.mnt);
44694 out_release:
44695 path_put(&path);
44696 @@ -767,7 +827,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
44697 goto out_fput;
44698 dentry = file->f_path.dentry;
44699 audit_inode(NULL, dentry);
44700 - error = chown_common(dentry, user, group);
44701 + error = chown_common(dentry, user, group, file->f_path.mnt);
44702 mnt_drop_write(file->f_path.mnt);
44703 out_fput:
44704 fput(file);
44705 @@ -1036,7 +1096,10 @@ long do_sys_open(int dfd, const char __u
44706 if (!IS_ERR(tmp)) {
44707 fd = get_unused_fd_flags(flags);
44708 if (fd >= 0) {
44709 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
44710 + struct file *f;
44711 + /* don't allow to be set by userland */
44712 + flags &= ~FMODE_GREXEC;
44713 + f = do_filp_open(dfd, tmp, flags, mode, 0);
44714 if (IS_ERR(f)) {
44715 put_unused_fd(fd);
44716 fd = PTR_ERR(f);
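Review bot: The comment `/* don't allow to be set by userland */` does not say what is being protected: `FMODE_GREXEC` is an `FMODE_*` bit being cleared from the `O_*` open flags, which implies the patch carries it through `flags` internally. I would spell that out, e.g. `/* FMODE_GREXEC is set only by the kernel on its own opens; strip it from user-supplied flags */` (wording to be confirmed against where the bit is set, which is outside this hunk). The mask is applied after `get_unused_fd_flags(flags)` has already consumed `flags`; that looks harmless, but clearing the bit at the top of the function would make the sanitisation unconditional. do_sys_open starts and ends outside the hunk.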
44717 diff -urNp linux-2.6.32.43/fs/partitions/ldm.c linux-2.6.32.43/fs/partitions/ldm.c
44718 --- linux-2.6.32.43/fs/partitions/ldm.c 2011-06-25 12:55:34.000000000 -0400
44719 +++ linux-2.6.32.43/fs/partitions/ldm.c 2011-06-25 12:56:37.000000000 -0400
44720 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
44721 ldm_error ("A VBLK claims to have %d parts.", num);
44722 return false;
44723 }
44724 +
44725 if (rec >= num) {
44726 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
44727 return false;
44728 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
44729 goto found;
44730 }
44731
44732 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
44733 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
44734 if (!f) {
44735 ldm_crit ("Out of memory.");
44736 return false;
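Review bot: Swapping the operands of the `kmalloc` size expression leaves the value unchanged, so `size*num + sizeof (*f)` is still an unchecked multiplication and addition on values that appear to come from the parsed VBLK fragment. The previous hunk shows `num` being range-checked before this point, but no bound on `size` is visible here. If the reorder exists to satisfy a size-checking wrapper around `kmalloc`, add a one-line comment saying why operand order matters; otherwise reject an oversized `size` explicitly before allocating. ldm_frag_add starts and ends outside the hunk.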
44737 diff -urNp linux-2.6.32.43/fs/partitions/mac.c linux-2.6.32.43/fs/partitions/mac.c
44738 --- linux-2.6.32.43/fs/partitions/mac.c 2011-03-27 14:31:47.000000000 -0400
44739 +++ linux-2.6.32.43/fs/partitions/mac.c 2011-04-17 15:56:46.000000000 -0400
44740 @@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
44741 return 0; /* not a MacOS disk */
44742 }
44743 blocks_in_map = be32_to_cpu(part->map_count);
44744 + printk(" [mac]");
44745 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
44746 put_dev_sector(sect);
44747 return 0;
44748 }
44749 - printk(" [mac]");
44750 for (slot = 1; slot <= blocks_in_map; ++slot) {
44751 int pos = slot * secsize;
44752 put_dev_sector(sect);
44753 diff -urNp linux-2.6.32.43/fs/pipe.c linux-2.6.32.43/fs/pipe.c
44754 --- linux-2.6.32.43/fs/pipe.c 2011-03-27 14:31:47.000000000 -0400
44755 +++ linux-2.6.32.43/fs/pipe.c 2011-04-23 13:37:17.000000000 -0400
44756 @@ -401,9 +401,9 @@ redo:
44757 }
44758 if (bufs) /* More to do? */
44759 continue;
44760 - if (!pipe->writers)
44761 + if (!atomic_read(&pipe->writers))
44762 break;
44763 - if (!pipe->waiting_writers) {
44764 + if (!atomic_read(&pipe->waiting_writers)) {
44765 /* syscall merging: Usually we must not sleep
44766 * if O_NONBLOCK is set, or if we got some data.
44767 * But if a writer sleeps in kernel space, then
44768 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
44769 mutex_lock(&inode->i_mutex);
44770 pipe = inode->i_pipe;
44771
44772 - if (!pipe->readers) {
44773 + if (!atomic_read(&pipe->readers)) {
44774 send_sig(SIGPIPE, current, 0);
44775 ret = -EPIPE;
44776 goto out;
44777 @@ -511,7 +511,7 @@ redo1:
44778 for (;;) {
44779 int bufs;
44780
44781 - if (!pipe->readers) {
44782 + if (!atomic_read(&pipe->readers)) {
44783 send_sig(SIGPIPE, current, 0);
44784 if (!ret)
44785 ret = -EPIPE;
44786 @@ -597,9 +597,9 @@ redo2:
44787 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
44788 do_wakeup = 0;
44789 }
44790 - pipe->waiting_writers++;
44791 + atomic_inc(&pipe->waiting_writers);
44792 pipe_wait(pipe);
44793 - pipe->waiting_writers--;
44794 + atomic_dec(&pipe->waiting_writers);
44795 }
44796 out:
44797 mutex_unlock(&inode->i_mutex);
44798 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
44799 mask = 0;
44800 if (filp->f_mode & FMODE_READ) {
44801 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
44802 - if (!pipe->writers && filp->f_version != pipe->w_counter)
44803 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
44804 mask |= POLLHUP;
44805 }
44806
44807 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
44808 * Most Unices do not set POLLERR for FIFOs but on Linux they
44809 * behave exactly like pipes for poll().
44810 */
44811 - if (!pipe->readers)
44812 + if (!atomic_read(&pipe->readers))
44813 mask |= POLLERR;
44814 }
44815
44816 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
44817
44818 mutex_lock(&inode->i_mutex);
44819 pipe = inode->i_pipe;
44820 - pipe->readers -= decr;
44821 - pipe->writers -= decw;
44822 + atomic_sub(decr, &pipe->readers);
44823 + atomic_sub(decw, &pipe->writers);
44824
44825 - if (!pipe->readers && !pipe->writers) {
44826 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
44827 free_pipe_info(inode);
44828 } else {
44829 wake_up_interruptible_sync(&pipe->wait);
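Review bot: `atomic_sub()` followed by a separate `atomic_read()` of the same counter is a consistent zero test only because `inode->i_mutex` is held across both, as the top of the hunk shows; the atomic type alone does not make the sequence safe. Nothing in these pipe.c hunks says why `readers`, `writers` and `waiting_writers` became `atomic_t` while the write, release and open paths still take the mutex; presumably it is so the counts get the overflow checking that the patch's `atomic_unchecked_t` conversions opt out of. If that is the reason, a comment here such as `/* atomic_t for overflow detection only; i_mutex still serialises these counters */` would stop a later reader from treating them as lock-free. The same remark covers the other counter hunks in this file.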
44830 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
44831
44832 if (inode->i_pipe) {
44833 ret = 0;
44834 - inode->i_pipe->readers++;
44835 + atomic_inc(&inode->i_pipe->readers);
44836 }
44837
44838 mutex_unlock(&inode->i_mutex);
44839 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
44840
44841 if (inode->i_pipe) {
44842 ret = 0;
44843 - inode->i_pipe->writers++;
44844 + atomic_inc(&inode->i_pipe->writers);
44845 }
44846
44847 mutex_unlock(&inode->i_mutex);
44848 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
44849 if (inode->i_pipe) {
44850 ret = 0;
44851 if (filp->f_mode & FMODE_READ)
44852 - inode->i_pipe->readers++;
44853 + atomic_inc(&inode->i_pipe->readers);
44854 if (filp->f_mode & FMODE_WRITE)
44855 - inode->i_pipe->writers++;
44856 + atomic_inc(&inode->i_pipe->writers);
44857 }
44858
44859 mutex_unlock(&inode->i_mutex);
44860 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
44861 inode->i_pipe = NULL;
44862 }
44863
44864 -static struct vfsmount *pipe_mnt __read_mostly;
44865 +struct vfsmount *pipe_mnt __read_mostly;
44866 static int pipefs_delete_dentry(struct dentry *dentry)
44867 {
44868 /*
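Review bot: Dropping `static` gives `pipe_mnt` external linkage, but no matching declaration is visible in this file section. Whatever consumes it elsewhere in the patch should get it from a shared header (`extern struct vfsmount *pipe_mnt;`) rather than from a local `extern` in the consuming .c file, so a later type change is caught by the compiler. A short comment at the definition naming the consumer would also explain why the symbol is no longer file-local.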
44869 @@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
44870 goto fail_iput;
44871 inode->i_pipe = pipe;
44872
44873 - pipe->readers = pipe->writers = 1;
44874 + atomic_set(&pipe->readers, 1);
44875 + atomic_set(&pipe->writers, 1);
44876 inode->i_fop = &rdwr_pipefifo_fops;
44877
44878 /*
44879 diff -urNp linux-2.6.32.43/fs/proc/array.c linux-2.6.32.43/fs/proc/array.c
44880 --- linux-2.6.32.43/fs/proc/array.c 2011-03-27 14:31:47.000000000 -0400
44881 +++ linux-2.6.32.43/fs/proc/array.c 2011-05-16 21:46:57.000000000 -0400
44882 @@ -60,6 +60,7 @@
44883 #include <linux/tty.h>
44884 #include <linux/string.h>
44885 #include <linux/mman.h>
44886 +#include <linux/grsecurity.h>
44887 #include <linux/proc_fs.h>
44888 #include <linux/ioport.h>
44889 #include <linux/uaccess.h>
44890 @@ -321,6 +322,21 @@ static inline void task_context_switch_c
44891 p->nivcsw);
44892 }
44893
44894 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44895 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
44896 +{
44897 + if (p->mm)
44898 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
44899 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
44900 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
44901 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
44902 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
44903 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
44904 + else
44905 + seq_printf(m, "PaX:\t-----\n");
44906 +}
44907 +#endif
44908 +
44909 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
44910 struct pid *pid, struct task_struct *task)
44911 {
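Review bot: `task_pax()` tests `p->mm` once and then dereferences `p->mm->pax_flags` five more times without pinning the mm, so if the target task exits between the test and a later read the pointer can be NULL. That holds unless the caller already keeps a reference or holds the task lock, which this hunk does not show. Taking a reference with `get_task_mm()` and dropping it with `mmput()`, the pattern the fs/proc/base.c section of this patch uses in `proc_pid_auxv`, removes the window and also avoids re-reading `p->mm` per flag.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	/* … the five-letter seq_printf from the hunk, reading mm->pax_flags … */
	mmput(mm);
}
```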
44912 @@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
44913 task_cap(m, task);
44914 cpuset_task_status_allowed(m, task);
44915 task_context_switch_counts(m, task);
44916 +
44917 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44918 + task_pax(m, task);
44919 +#endif
44920 +
44921 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
44922 + task_grsec_rbac(m, task);
44923 +#endif
44924 +
44925 return 0;
44926 }
44927
44928 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
44929 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
44930 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
44931 + _mm->pax_flags & MF_PAX_SEGMEXEC))
44932 +#endif
44933 +
44934 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
44935 struct pid *pid, struct task_struct *task, int whole)
44936 {
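Review bot: `PAX_RAND_FLAGS` uses its argument unparenthesised and expands it four times, and the identical definition is repeated in the fs/proc/base.c section of this patch, so the two copies can drift apart. Every use shown passes a plain `mm` variable, so nothing breaks today, but an argument with an operator or a side effect would. I would parenthesise and fold the flag test, `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, and define it once in a header both files include.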
44937 @@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
44938 cputime_t cutime, cstime, utime, stime;
44939 cputime_t cgtime, gtime;
44940 unsigned long rsslim = 0;
44941 - char tcomm[sizeof(task->comm)];
44942 + char tcomm[sizeof(task->comm)] = { 0 };
44943 unsigned long flags;
44944
44945 + pax_track_stack();
44946 +
44947 state = *get_task_state(task);
44948 vsize = eip = esp = 0;
44949 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
44950 @@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
44951 gtime = task_gtime(task);
44952 }
44953
44954 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
44955 + if (PAX_RAND_FLAGS(mm)) {
44956 + eip = 0;
44957 + esp = 0;
44958 + wchan = 0;
44959 + }
44960 +#endif
44961 +#ifdef CONFIG_GRKERNSEC_HIDESYM
44962 + wchan = 0;
44963 + eip =0;
44964 + esp =0;
44965 +#endif
44966 +
44967 /* scale priority and nice values from timeslices to -20..20 */
44968 /* to make it look like a "normal" Unix priority/nice value */
44969 priority = task_prio(task);
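Review bot: `eip =0;` and `esp =0;` in the `CONFIG_GRKERNSEC_HIDESYM` block are missing the space after `=` that the `CONFIG_GRKERNSEC_PROC_MEMMAP` block just above uses; write `eip = 0;` and `esp = 0;`. With both options enabled the first block is redundant, because the second zeroes the same three variables unconditionally; an `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `#elif defined(CONFIG_GRKERNSEC_PROC_MEMMAP)` pair would make that precedence explicit. do_task_stat's body continues outside the hunk.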
44970 @@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
44971 vsize,
44972 mm ? get_mm_rss(mm) : 0,
44973 rsslim,
44974 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
44975 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
44976 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
44977 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
44978 +#else
44979 mm ? (permitted ? mm->start_code : 1) : 0,
44980 mm ? (permitted ? mm->end_code : 1) : 0,
44981 (permitted && mm) ? mm->start_stack : 0,
44982 +#endif
44983 esp,
44984 eip,
44985 /* The signal information here is obsolete.
44986 @@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
44987
44988 return 0;
44989 }
44990 +
44991 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
44992 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
44993 +{
44994 + u32 curr_ip = 0;
44995 + unsigned long flags;
44996 +
44997 + if (lock_task_sighand(task, &flags)) {
44998 + curr_ip = task->signal->curr_ip;
44999 + unlock_task_sighand(task, &flags);
45000 + }
45001 +
45002 + return sprintf(buffer, "%pI4\n", &curr_ip);
45003 +}
45004 +#endif
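Review bot: `proc_pid_ipaddr()` writes with an unbounded `sprintf()` into a caller-supplied buffer whose size is not visible here; the `%pI4` output plus newline is at most 16 bytes plus the terminator, so a comment stating that bound (or a size parameter) would make the safety argument checkable. The function is also undocumented on the failure path: when `lock_task_sighand()` fails, `curr_ip` stays 0 and the file reads `0.0.0.0`, indistinguishable from a task with no recorded address. Since the value discloses an address associated with another task, the access mode of the proc entry that exposes it, registered outside this hunk, deserves a check.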
45005 diff -urNp linux-2.6.32.43/fs/proc/base.c linux-2.6.32.43/fs/proc/base.c
45006 --- linux-2.6.32.43/fs/proc/base.c 2011-04-22 19:16:29.000000000 -0400
45007 +++ linux-2.6.32.43/fs/proc/base.c 2011-06-04 21:20:50.000000000 -0400
45008 @@ -102,6 +102,22 @@ struct pid_entry {
45009 union proc_op op;
45010 };
45011
45012 +struct getdents_callback {
45013 + struct linux_dirent __user * current_dir;
45014 + struct linux_dirent __user * previous;
45015 + struct file * file;
45016 + int count;
45017 + int error;
45018 +};
45019 +
45020 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
45021 + loff_t offset, u64 ino, unsigned int d_type)
45022 +{
45023 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
45024 + buf->error = -EINVAL;
45025 + return 0;
45026 +}
45027 +
45028 #define NOD(NAME, MODE, IOP, FOP, OP) { \
45029 .name = (NAME), \
45030 .len = sizeof(NAME) - 1, \
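Review bot: `gr_fake_filldir()` casts its opaque `__buf` to a `struct getdents_callback` declared locally in this file, so it is correct only if every caller passes a buffer with exactly this layout. If the struct mirrors a definition used by the readdir code elsewhere in the tree, the two copies have to be kept in sync by hand and a mismatch would write `error` at the wrong offset. Move the definition to a shared header, or at least add a comment naming the definition it must match. A short comment on the function saying that it records `-EINVAL` and returns 0 without emitting any entry would document why the other parameters are unused.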
45031 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
45032 if (task == current)
45033 return 0;
45034
45035 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
45036 + return -EPERM;
45037 +
45038 /*
45039 * If current is actively ptrace'ing, and would also be
45040 * permitted to freshly attach with ptrace now, permit it.
45041 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
45042 if (!mm->arg_end)
45043 goto out_mm; /* Shh! No looking before we're done */
45044
45045 + if (gr_acl_handle_procpidmem(task))
45046 + goto out_mm;
45047 +
45048 len = mm->arg_end - mm->arg_start;
45049
45050 if (len > PAGE_SIZE)
45051 @@ -287,12 +309,28 @@ out:
45052 return res;
45053 }
45054
45055 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45056 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45057 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
45058 + _mm->pax_flags & MF_PAX_SEGMEXEC))
45059 +#endif
45060 +
45061 static int proc_pid_auxv(struct task_struct *task, char *buffer)
45062 {
45063 int res = 0;
45064 struct mm_struct *mm = get_task_mm(task);
45065 if (mm) {
45066 unsigned int nwords = 0;
45067 +
45068 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45069 + /* allow if we're currently ptracing this task */
45070 + if (PAX_RAND_FLAGS(mm) &&
45071 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
45072 + mmput(mm);
45073 + return res;
45074 + }
45075 +#endif
45076 +
45077 do {
45078 nwords += 2;
45079 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
45080 @@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
45081 }
45082
45083
45084 -#ifdef CONFIG_KALLSYMS
45085 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45086 /*
45087 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
45088 * Returns the resolved symbol. If that fails, simply return the address.
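Review bot: The `#endif /* CONFIG_KALLSYMS */` that closes this block (context of the next hunk) now understates the condition; I would make it `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`, and give the `CONFIG_STACKTRACE` and `CONFIG_HAVE_ARCH_TRACEHOOK` guards changed in the following two hunks the same treatment. More important, any table entry that references `proc_pid_wchan`, the stack-trace handler or `proc_pid_syscall` has to be compiled out under the same combined condition, or the build fails once the hardening option is enabled. Those entries are not in these hunks, so confirm they were updated too.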
45089 @@ -328,7 +366,7 @@ static int proc_pid_wchan(struct task_st
45090 }
45091 #endif /* CONFIG_KALLSYMS */
45092
45093 -#ifdef CONFIG_STACKTRACE
45094 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45095
45096 #define MAX_STACK_TRACE_DEPTH 64
45097
45098 @@ -522,7 +560,7 @@ static int proc_pid_limits(struct task_s
45099 return count;
45100 }
45101
45102 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45103 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45104 static int proc_pid_syscall(struct task_struct *task, char *buffer)
45105 {
45106 long nr;
45107 @@ -547,7 +585,7 @@ static int proc_pid_syscall(struct task_
45108 /************************************************************************/
45109
45110 /* permission checks */
45111 -static int proc_fd_access_allowed(struct inode *inode)
45112 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
45113 {
45114 struct task_struct *task;
45115 int allowed = 0;
45116 @@ -557,7 +595,10 @@ static int proc_fd_access_allowed(struct
45117 */
45118 task = get_proc_task(inode);
45119 if (task) {
45120 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45121 + if (log)
45122 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
45123 + else
45124 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
45125 put_task_struct(task);
45126 }
45127 return allowed;
45128 @@ -936,6 +977,9 @@ static ssize_t environ_read(struct file
45129 if (!task)
45130 goto out_no_task;
45131
45132 + if (gr_acl_handle_procpidmem(task))
45133 + goto out;
45134 +
45135 if (!ptrace_may_access(task, PTRACE_MODE_READ))
45136 goto out;
45137
45138 @@ -1350,7 +1394,7 @@ static void *proc_pid_follow_link(struct
45139 path_put(&nd->path);
45140
45141 /* Are we allowed to snoop on the tasks file descriptors? */
45142 - if (!proc_fd_access_allowed(inode))
45143 + if (!proc_fd_access_allowed(inode,0))
45144 goto out;
45145
45146 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
45147 @@ -1390,8 +1434,18 @@ static int proc_pid_readlink(struct dent
45148 struct path path;
45149
45150 /* Are we allowed to snoop on the tasks file descriptors? */
45151 - if (!proc_fd_access_allowed(inode))
45152 - goto out;
45153 + /* logging this is needed for learning on chromium to work properly,
45154 + but we don't want to flood the logs from 'ps' which does a readlink
45155 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
45156 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
45157 + */
45158 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
45159 + if (!proc_fd_access_allowed(inode,0))
45160 + goto out;
45161 + } else {
45162 + if (!proc_fd_access_allowed(inode,1))
45163 + goto out;
45164 + }
45165
45166 error = PROC_I(inode)->op.proc_get_link(inode, &path);
45167 if (error)
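Review bot: The logging exemption matches on the link's own name only (`d_name.name` equal to "2"), so it applies to every proc link with that name that reaches this function, not only the `fd/2` entries the comment has in mind; the comment's path `/proc/fd/2` is also missing the pid component. Per the `proc_fd_access_allowed()` hunk above, the flag only selects between `ptrace_may_access` and `ptrace_may_access_log` (presumably differing in logging alone), so both arms can collapse into one call: `log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. The bare `0`/`1` arguments, written without a space after the comma here and in the proc_pid_follow_link hunk, would read better as a named flag.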
45168 @@ -1456,7 +1510,11 @@ static struct inode *proc_pid_make_inode
45169 rcu_read_lock();
45170 cred = __task_cred(task);
45171 inode->i_uid = cred->euid;
45172 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45173 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45174 +#else
45175 inode->i_gid = cred->egid;
45176 +#endif
45177 rcu_read_unlock();
45178 }
45179 security_task_to_inode(task, inode);
45180 @@ -1474,6 +1532,9 @@ static int pid_getattr(struct vfsmount *
45181 struct inode *inode = dentry->d_inode;
45182 struct task_struct *task;
45183 const struct cred *cred;
45184 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45185 + const struct cred *tmpcred = current_cred();
45186 +#endif
45187
45188 generic_fillattr(inode, stat);
45189
45190 @@ -1481,13 +1542,41 @@ static int pid_getattr(struct vfsmount *
45191 stat->uid = 0;
45192 stat->gid = 0;
45193 task = pid_task(proc_pid(inode), PIDTYPE_PID);
45194 +
45195 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
45196 + rcu_read_unlock();
45197 + return -ENOENT;
45198 + }
45199 +
45200 if (task) {
45201 + cred = __task_cred(task);
45202 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45203 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
45204 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45205 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45206 +#endif
45207 + ) {
45208 +#endif
45209 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45210 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45211 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45212 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45213 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45214 +#endif
45215 task_dumpable(task)) {
45216 - cred = __task_cred(task);
45217 stat->uid = cred->euid;
45218 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45219 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
45220 +#else
45221 stat->gid = cred->egid;
45222 +#endif
45223 }
45224 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45225 + } else {
45226 + rcu_read_unlock();
45227 + return -ENOENT;
45228 + }
45229 +#endif
45230 }
45231 rcu_read_unlock();
45232 return 0;
45233 @@ -1518,11 +1607,20 @@ static int pid_revalidate(struct dentry
45234
45235 if (task) {
45236 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
45237 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45238 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
45239 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45240 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
45241 +#endif
45242 task_dumpable(task)) {
45243 rcu_read_lock();
45244 cred = __task_cred(task);
45245 inode->i_uid = cred->euid;
45246 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45247 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45248 +#else
45249 inode->i_gid = cred->egid;
45250 +#endif
45251 rcu_read_unlock();
45252 } else {
45253 inode->i_uid = 0;
45254 @@ -1643,7 +1741,8 @@ static int proc_fd_info(struct inode *in
45255 int fd = proc_fd(inode);
45256
45257 if (task) {
45258 - files = get_files_struct(task);
45259 + if (!gr_acl_handle_procpidmem(task))
45260 + files = get_files_struct(task);
45261 put_task_struct(task);
45262 }
45263 if (files) {
45264 @@ -1895,12 +1994,22 @@ static const struct file_operations proc
45265 static int proc_fd_permission(struct inode *inode, int mask)
45266 {
45267 int rv;
45268 + struct task_struct *task;
45269
45270 rv = generic_permission(inode, mask, NULL);
45271 - if (rv == 0)
45272 - return 0;
45273 +
45274 if (task_pid(current) == proc_pid(inode))
45275 rv = 0;
45276 +
45277 + task = get_proc_task(inode);
45278 + if (task == NULL)
45279 + return rv;
45280 +
45281 + if (gr_acl_handle_procpidmem(task))
45282 + rv = -EACCES;
45283 +
45284 + put_task_struct(task);
45285 +
45286 return rv;
45287 }
45288
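Review bot: Nothing in proc_fd_permission explains why the early `if (rv == 0) return 0;` was dropped, and the resulting order of checks is what carries the security meaning. A comment above the `get_proc_task()` call would make it explicit, for example `/* gr_acl_handle_procpidmem() runs last so it can veto both a generic_permission() success and the self-access shortcut above */`. Also worth stating in that comment: when the task is already gone the function returns `rv` unchanged, so the policy check is skipped in that case.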
45289 @@ -2009,6 +2118,9 @@ static struct dentry *proc_pident_lookup
45290 if (!task)
45291 goto out_no_task;
45292
45293 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45294 + goto out;
45295 +
45296 /*
45297 * Yes, it does not scale. And it should not. Don't add
45298 * new entries into /proc/<tgid>/ without very good reasons.
45299 @@ -2053,6 +2165,9 @@ static int proc_pident_readdir(struct fi
45300 if (!task)
45301 goto out_no_task;
45302
45303 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45304 + goto out;
45305 +
45306 ret = 0;
45307 i = filp->f_pos;
45308 switch (i) {
45309 @@ -2320,7 +2435,7 @@ static void *proc_self_follow_link(struc
45310 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
45311 void *cookie)
45312 {
45313 - char *s = nd_get_link(nd);
45314 + const char *s = nd_get_link(nd);
45315 if (!IS_ERR(s))
45316 __putname(s);
45317 }
45318 @@ -2519,7 +2634,7 @@ static const struct pid_entry tgid_base_
45319 #ifdef CONFIG_SCHED_DEBUG
45320 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45321 #endif
45322 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45323 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45324 INF("syscall", S_IRUSR, proc_pid_syscall),
45325 #endif
45326 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45327 @@ -2544,10 +2659,10 @@ static const struct pid_entry tgid_base_
45328 #ifdef CONFIG_SECURITY
45329 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45330 #endif
45331 -#ifdef CONFIG_KALLSYMS
45332 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45333 INF("wchan", S_IRUGO, proc_pid_wchan),
45334 #endif
45335 -#ifdef CONFIG_STACKTRACE
45336 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45337 ONE("stack", S_IRUSR, proc_pid_stack),
45338 #endif
45339 #ifdef CONFIG_SCHEDSTATS
45340 @@ -2577,6 +2692,9 @@ static const struct pid_entry tgid_base_
45341 #ifdef CONFIG_TASK_IO_ACCOUNTING
45342 INF("io", S_IRUGO, proc_tgid_io_accounting),
45343 #endif
45344 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45345 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
45346 +#endif
45347 };
45348
45349 static int proc_tgid_base_readdir(struct file * filp,
45350 @@ -2701,7 +2819,14 @@ static struct dentry *proc_pid_instantia
45351 if (!inode)
45352 goto out;
45353
45354 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45355 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
45356 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45357 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45358 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
45359 +#else
45360 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
45361 +#endif
45362 inode->i_op = &proc_tgid_base_inode_operations;
45363 inode->i_fop = &proc_tgid_base_operations;
45364 inode->i_flags|=S_IMMUTABLE;
45365 @@ -2743,7 +2868,11 @@ struct dentry *proc_pid_lookup(struct in
45366 if (!task)
45367 goto out;
45368
45369 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
45370 + goto out_put_task;
45371 +
45372 result = proc_pid_instantiate(dir, dentry, task, NULL);
45373 +out_put_task:
45374 put_task_struct(task);
45375 out:
45376 return result;
45377 @@ -2808,6 +2937,11 @@ int proc_pid_readdir(struct file * filp,
45378 {
45379 unsigned int nr;
45380 struct task_struct *reaper;
45381 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45382 + const struct cred *tmpcred = current_cred();
45383 + const struct cred *itercred;
45384 +#endif
45385 + filldir_t __filldir = filldir;
45386 struct tgid_iter iter;
45387 struct pid_namespace *ns;
45388
45389 @@ -2831,8 +2965,27 @@ int proc_pid_readdir(struct file * filp,
45390 for (iter = next_tgid(ns, iter);
45391 iter.task;
45392 iter.tgid += 1, iter = next_tgid(ns, iter)) {
45393 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45394 + rcu_read_lock();
45395 + itercred = __task_cred(iter.task);
45396 +#endif
45397 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
45398 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45399 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
45400 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45401 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
45402 +#endif
45403 + )
45404 +#endif
45405 + )
45406 + __filldir = &gr_fake_filldir;
45407 + else
45408 + __filldir = filldir;
45409 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45410 + rcu_read_unlock();
45411 +#endif
45412 filp->f_pos = iter.tgid + TGID_OFFSET;
45413 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
45414 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
45415 put_task_struct(iter.task);
45416 goto out;
45417 }
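Review bot: The loop in proc_pid_readdir swaps in `gr_fake_filldir` for filtered tasks instead of skipping them, and no comment says why. Since `gr_fake_filldir` is defined outside this hunk, a one-line comment at the assignment would help, for example `/* hidden tasks still go through proc_pid_fill_cache() so f_pos advances, but the entry is not passed to userspace */`, to be confirmed against its definition. `tmpcred->uid` and `in_group_p(CONFIG_GRKERNSEC_PROC_GID)` do not change per iteration and could be evaluated once before the loop. The local `__filldir` uses a double-underscore prefix that is normally reserved, and a name such as `fill` would avoid that. The function body continues outside the hunk.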
45418 @@ -2858,7 +3011,7 @@ static const struct pid_entry tid_base_s
45419 #ifdef CONFIG_SCHED_DEBUG
45420 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
45421 #endif
45422 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
45423 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
45424 INF("syscall", S_IRUSR, proc_pid_syscall),
45425 #endif
45426 INF("cmdline", S_IRUGO, proc_pid_cmdline),
45427 @@ -2882,10 +3035,10 @@ static const struct pid_entry tid_base_s
45428 #ifdef CONFIG_SECURITY
45429 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
45430 #endif
45431 -#ifdef CONFIG_KALLSYMS
45432 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45433 INF("wchan", S_IRUGO, proc_pid_wchan),
45434 #endif
45435 -#ifdef CONFIG_STACKTRACE
45436 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45437 ONE("stack", S_IRUSR, proc_pid_stack),
45438 #endif
45439 #ifdef CONFIG_SCHEDSTATS
45440 diff -urNp linux-2.6.32.43/fs/proc/cmdline.c linux-2.6.32.43/fs/proc/cmdline.c
45441 --- linux-2.6.32.43/fs/proc/cmdline.c 2011-03-27 14:31:47.000000000 -0400
45442 +++ linux-2.6.32.43/fs/proc/cmdline.c 2011-04-17 15:56:46.000000000 -0400
45443 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
45444
45445 static int __init proc_cmdline_init(void)
45446 {
45447 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
45448 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
45449 +#else
45450 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
45451 +#endif
45452 return 0;
45453 }
45454 module_init(proc_cmdline_init);
45455 diff -urNp linux-2.6.32.43/fs/proc/devices.c linux-2.6.32.43/fs/proc/devices.c
45456 --- linux-2.6.32.43/fs/proc/devices.c 2011-03-27 14:31:47.000000000 -0400
45457 +++ linux-2.6.32.43/fs/proc/devices.c 2011-04-17 15:56:46.000000000 -0400
45458 @@ -64,7 +64,11 @@ static const struct file_operations proc
45459
45460 static int __init proc_devices_init(void)
45461 {
45462 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
45463 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
45464 +#else
45465 proc_create("devices", 0, NULL, &proc_devinfo_operations);
45466 +#endif
45467 return 0;
45468 }
45469 module_init(proc_devices_init);
45470 diff -urNp linux-2.6.32.43/fs/proc/inode.c linux-2.6.32.43/fs/proc/inode.c
45471 --- linux-2.6.32.43/fs/proc/inode.c 2011-03-27 14:31:47.000000000 -0400
45472 +++ linux-2.6.32.43/fs/proc/inode.c 2011-04-17 15:56:46.000000000 -0400
45473 @@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
45474 if (de->mode) {
45475 inode->i_mode = de->mode;
45476 inode->i_uid = de->uid;
45477 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
45478 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
45479 +#else
45480 inode->i_gid = de->gid;
45481 +#endif
45482 }
45483 if (de->size)
45484 inode->i_size = de->size;
45485 diff -urNp linux-2.6.32.43/fs/proc/internal.h linux-2.6.32.43/fs/proc/internal.h
45486 --- linux-2.6.32.43/fs/proc/internal.h 2011-03-27 14:31:47.000000000 -0400
45487 +++ linux-2.6.32.43/fs/proc/internal.h 2011-04-17 15:56:46.000000000 -0400
45488 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
45489 struct pid *pid, struct task_struct *task);
45490 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
45491 struct pid *pid, struct task_struct *task);
45492 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
45493 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
45494 +#endif
45495 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
45496
45497 extern const struct file_operations proc_maps_operations;
45498 diff -urNp linux-2.6.32.43/fs/proc/Kconfig linux-2.6.32.43/fs/proc/Kconfig
45499 --- linux-2.6.32.43/fs/proc/Kconfig 2011-03-27 14:31:47.000000000 -0400
45500 +++ linux-2.6.32.43/fs/proc/Kconfig 2011-04-17 15:56:46.000000000 -0400
45501 @@ -30,12 +30,12 @@ config PROC_FS
45502
45503 config PROC_KCORE
45504 bool "/proc/kcore support" if !ARM
45505 - depends on PROC_FS && MMU
45506 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
45507
45508 config PROC_VMCORE
45509 bool "/proc/vmcore support (EXPERIMENTAL)"
45510 - depends on PROC_FS && CRASH_DUMP
45511 - default y
45512 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
45513 + default n
45514 help
45515 Exports the dump image of crashed kernel in ELF format.
45516
45517 @@ -59,8 +59,8 @@ config PROC_SYSCTL
45518 limited in memory.
45519
45520 config PROC_PAGE_MONITOR
45521 - default y
45522 - depends on PROC_FS && MMU
45523 + default n
45524 + depends on PROC_FS && MMU && !GRKERNSEC
45525 bool "Enable /proc page monitoring" if EMBEDDED
45526 help
45527 Various /proc files exist to monitor process memory utilization:
45528 diff -urNp linux-2.6.32.43/fs/proc/kcore.c linux-2.6.32.43/fs/proc/kcore.c
45529 --- linux-2.6.32.43/fs/proc/kcore.c 2011-03-27 14:31:47.000000000 -0400
45530 +++ linux-2.6.32.43/fs/proc/kcore.c 2011-05-16 21:46:57.000000000 -0400
45531 @@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
45532 off_t offset = 0;
45533 struct kcore_list *m;
45534
45535 + pax_track_stack();
45536 +
45537 /* setup ELF header */
45538 elf = (struct elfhdr *) bufp;
45539 bufp += sizeof(struct elfhdr);
45540 @@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
45541 * the addresses in the elf_phdr on our list.
45542 */
45543 start = kc_offset_to_vaddr(*fpos - elf_buflen);
45544 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
45545 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
45546 + if (tsz > buflen)
45547 tsz = buflen;
45548 -
45549 +
45550 while (buflen) {
45551 struct kcore_list *m;
45552
45553 @@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
45554 kfree(elf_buf);
45555 } else {
45556 if (kern_addr_valid(start)) {
45557 - unsigned long n;
45558 + char *elf_buf;
45559 + mm_segment_t oldfs;
45560
45561 - n = copy_to_user(buffer, (char *)start, tsz);
45562 - /*
45563 - * We cannot distingush between fault on source
45564 - * and fault on destination. When this happens
45565 - * we clear too and hope it will trigger the
45566 - * EFAULT again.
45567 - */
45568 - if (n) {
45569 - if (clear_user(buffer + tsz - n,
45570 - n))
45571 + elf_buf = kmalloc(tsz, GFP_KERNEL);
45572 + if (!elf_buf)
45573 + return -ENOMEM;
45574 + oldfs = get_fs();
45575 + set_fs(KERNEL_DS);
45576 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
45577 + set_fs(oldfs);
45578 + if (copy_to_user(buffer, elf_buf, tsz)) {
45579 + kfree(elf_buf);
45580 return -EFAULT;
45581 + }
45582 }
45583 + set_fs(oldfs);
45584 + kfree(elf_buf);
45585 } else {
45586 if (clear_user(buffer, tsz))
45587 return -EFAULT;
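Review bot: In the `kern_addr_valid(start)` branch of read_kcore, a fault on the source side now leaves the user buffer untouched. When `__copy_from_user()` returns non-zero the code only restores the address limit and frees the bounce buffer, whereas the removed code cleared the unread tail with `clear_user()`. As far as the visible lines show, the read then continues as if `tsz` bytes had been delivered, so the caller sees stale buffer contents for that range. Restoring the address limit once, straight after the copy, also removes the duplicated `set_fs(oldfs)` and makes it easier to check that `KERNEL_DS` never stays in effect across `copy_to_user()`. The enclosing function starts and ends outside the hunk.

```c
			if (kern_addr_valid(start)) {
				char *elf_buf;
				mm_segment_t oldfs;
				unsigned long left;

				/* … unchanged: kmalloc of elf_buf, get_fs(), set_fs(KERNEL_DS) … */
				left = __copy_from_user(elf_buf, (const void __user *)start, tsz);
				set_fs(oldfs);
				if (left) {
					/* source faulted: hand back zeroes, as the !kern_addr_valid branch does */
					if (clear_user(buffer, tsz)) {
						kfree(elf_buf);
						return -EFAULT;
					}
				} else if (copy_to_user(buffer, elf_buf, tsz)) {
					kfree(elf_buf);
					return -EFAULT;
				}
				kfree(elf_buf);
```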
45588 @@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
45589
45590 static int open_kcore(struct inode *inode, struct file *filp)
45591 {
45592 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
45593 + return -EPERM;
45594 +#endif
45595 if (!capable(CAP_SYS_RAWIO))
45596 return -EPERM;
45597 if (kcore_need_update)
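Review bot: The unconditional `return -EPERM;` at the top of open_kcore turns everything after it into dead code whenever either option is set, and no comment says why the file is refused even with CAP_SYS_RAWIO. A short comment such as `/* kcore exposes kernel memory and symbol addresses; refuse it regardless of capabilities */` would document the intent. The Kconfig hunk in this patch already makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so that half of the condition looks unreachable if kcore.c is only built with PROC_KCORE. Putting the remaining body under `#else` would keep the compiler from seeing unreachable statements. The function continues outside the hunk.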
45598 diff -urNp linux-2.6.32.43/fs/proc/meminfo.c linux-2.6.32.43/fs/proc/meminfo.c
45599 --- linux-2.6.32.43/fs/proc/meminfo.c 2011-03-27 14:31:47.000000000 -0400
45600 +++ linux-2.6.32.43/fs/proc/meminfo.c 2011-05-16 21:46:57.000000000 -0400
45601 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
45602 unsigned long pages[NR_LRU_LISTS];
45603 int lru;
45604
45605 + pax_track_stack();
45606 +
45607 /*
45608 * display in kilobytes.
45609 */
45610 @@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
45611 vmi.used >> 10,
45612 vmi.largest_chunk >> 10
45613 #ifdef CONFIG_MEMORY_FAILURE
45614 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
45615 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
45616 #endif
45617 );
45618
45619 diff -urNp linux-2.6.32.43/fs/proc/nommu.c linux-2.6.32.43/fs/proc/nommu.c
45620 --- linux-2.6.32.43/fs/proc/nommu.c 2011-03-27 14:31:47.000000000 -0400
45621 +++ linux-2.6.32.43/fs/proc/nommu.c 2011-04-17 15:56:46.000000000 -0400
45622 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
45623 if (len < 1)
45624 len = 1;
45625 seq_printf(m, "%*c", len, ' ');
45626 - seq_path(m, &file->f_path, "");
45627 + seq_path(m, &file->f_path, "\n\\");
45628 }
45629
45630 seq_putc(m, '\n');
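Review bot: The new escape set passed to `seq_path()` in nommu_region_show is the security-relevant part of this line and has no comment. The third argument now lists newline and backslash, which matters because the path comes from a mapped file's name and the output is line-oriented. Suggested comment: `/* escape '\n' and '\\' so a file name cannot break or forge an output line and the escapes stay unambiguous */`. The same change is made in the show_map_vma hunk of fs/proc/task_mmu.c and the nommu_vma_show hunk of fs/proc/task_nommu.c, and the comment applies there too.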
45631 diff -urNp linux-2.6.32.43/fs/proc/proc_net.c linux-2.6.32.43/fs/proc/proc_net.c
45632 --- linux-2.6.32.43/fs/proc/proc_net.c 2011-03-27 14:31:47.000000000 -0400
45633 +++ linux-2.6.32.43/fs/proc/proc_net.c 2011-04-17 15:56:46.000000000 -0400
45634 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
45635 struct task_struct *task;
45636 struct nsproxy *ns;
45637 struct net *net = NULL;
45638 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45639 + const struct cred *cred = current_cred();
45640 +#endif
45641 +
45642 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45643 + if (cred->fsuid)
45644 + return net;
45645 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45646 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
45647 + return net;
45648 +#endif
45649
45650 rcu_read_lock();
45651 task = pid_task(proc_pid(dir), PIDTYPE_PID);
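Review bot: The privilege test added to get_proc_task_net reads `cred->fsuid`, while the equivalent restrictions in the pid_getattr and proc_pid_readdir hunks of fs/proc/base.c test `tmpcred->uid`. If the difference is deliberate, because this path is reached through a filesystem lookup, a comment saying so would stop a later reader from "fixing" it. If it is not deliberate, the three sites should use the same credential field so a process whose uid and fsuid differ is treated consistently. The function body continues outside the hunk.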
45652 diff -urNp linux-2.6.32.43/fs/proc/proc_sysctl.c linux-2.6.32.43/fs/proc/proc_sysctl.c
45653 --- linux-2.6.32.43/fs/proc/proc_sysctl.c 2011-03-27 14:31:47.000000000 -0400
45654 +++ linux-2.6.32.43/fs/proc/proc_sysctl.c 2011-04-17 15:56:46.000000000 -0400
45655 @@ -7,6 +7,8 @@
45656 #include <linux/security.h>
45657 #include "internal.h"
45658
45659 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
45660 +
45661 static const struct dentry_operations proc_sys_dentry_operations;
45662 static const struct file_operations proc_sys_file_operations;
45663 static const struct inode_operations proc_sys_inode_operations;
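Review bot: The prototype `extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);` is declared directly in proc_sysctl.c rather than taken from a header, so the compiler cannot check it against the definition. Moving it to the header that declares the other `gr_*` hooks would catch a signature mismatch at build time. In the later hunks of this file the `op` argument is `MAY_EXEC` in proc_sys_lookup and proc_sys_getattr but a bare `0` in scan. A short comment at the scan call stating what `0` means would help.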
45664 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
45665 if (!p)
45666 goto out;
45667
45668 + if (gr_handle_sysctl(p, MAY_EXEC))
45669 + goto out;
45670 +
45671 err = ERR_PTR(-ENOMEM);
45672 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
45673 if (h)
45674 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
45675 if (*pos < file->f_pos)
45676 continue;
45677
45678 + if (gr_handle_sysctl(table, 0))
45679 + continue;
45680 +
45681 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
45682 if (res)
45683 return res;
45684 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
45685 if (IS_ERR(head))
45686 return PTR_ERR(head);
45687
45688 + if (table && gr_handle_sysctl(table, MAY_EXEC))
45689 + return -ENOENT;
45690 +
45691 generic_fillattr(inode, stat);
45692 if (table)
45693 stat->mode = (stat->mode & S_IFMT) | table->mode;
45694 diff -urNp linux-2.6.32.43/fs/proc/root.c linux-2.6.32.43/fs/proc/root.c
45695 --- linux-2.6.32.43/fs/proc/root.c 2011-03-27 14:31:47.000000000 -0400
45696 +++ linux-2.6.32.43/fs/proc/root.c 2011-04-17 15:56:46.000000000 -0400
45697 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
45698 #ifdef CONFIG_PROC_DEVICETREE
45699 proc_device_tree_init();
45700 #endif
45701 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
45702 +#ifdef CONFIG_GRKERNSEC_PROC_USER
45703 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
45704 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
45705 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
45706 +#endif
45707 +#else
45708 proc_mkdir("bus", NULL);
45709 +#endif
45710 proc_sys_init();
45711 }
45712
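Review bot: In proc_root_init the inner conditional has no fallback branch, so a configuration with `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` would create no `bus` directory at all. If Kconfig guarantees that combination cannot occur (not visible in this hunk), a comment stating the dependency is enough. Otherwise add an inner `#else` carrying `proc_mkdir("bus", NULL);` so the directory always exists.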
45713 diff -urNp linux-2.6.32.43/fs/proc/task_mmu.c linux-2.6.32.43/fs/proc/task_mmu.c
45714 --- linux-2.6.32.43/fs/proc/task_mmu.c 2011-03-27 14:31:47.000000000 -0400
45715 +++ linux-2.6.32.43/fs/proc/task_mmu.c 2011-04-23 13:38:09.000000000 -0400
45716 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
45717 "VmStk:\t%8lu kB\n"
45718 "VmExe:\t%8lu kB\n"
45719 "VmLib:\t%8lu kB\n"
45720 - "VmPTE:\t%8lu kB\n",
45721 - hiwater_vm << (PAGE_SHIFT-10),
45722 + "VmPTE:\t%8lu kB\n"
45723 +
45724 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45725 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
45726 +#endif
45727 +
45728 + ,hiwater_vm << (PAGE_SHIFT-10),
45729 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
45730 mm->locked_vm << (PAGE_SHIFT-10),
45731 hiwater_rss << (PAGE_SHIFT-10),
45732 total_rss << (PAGE_SHIFT-10),
45733 data << (PAGE_SHIFT-10),
45734 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
45735 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
45736 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
45737 +
45738 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45739 + , mm->context.user_cs_base, mm->context.user_cs_limit
45740 +#endif
45741 +
45742 + );
45743 }
45744
45745 unsigned long task_vsize(struct mm_struct *mm)
45746 @@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
45747 struct proc_maps_private *priv = m->private;
45748 struct vm_area_struct *vma = v;
45749
45750 - vma_stop(priv, vma);
45751 + if (!IS_ERR(vma))
45752 + vma_stop(priv, vma);
45753 if (priv->task)
45754 put_task_struct(priv->task);
45755 }
45756 @@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
45757 return ret;
45758 }
45759
45760 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45761 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
45762 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
45763 + _mm->pax_flags & MF_PAX_SEGMEXEC))
45764 +#endif
45765 +
45766 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
45767 {
45768 struct mm_struct *mm = vma->vm_mm;
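Review bot: `PAX_RAND_FLAGS` uses its argument unparenthesised and evaluates it four times, which is fragile for a macro that gates what /proc/<pid>/maps reveals about another process's layout. A safer form is `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, or a `static inline` function. Adding `#else` with `#define PAX_RAND_FLAGS(_mm) 0` would let the show_map_vma and show_smap hunks below drop their per-argument `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` blocks, including the brace that show_smap opens in one conditional and closes in another.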
45769 @@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
45770 int flags = vma->vm_flags;
45771 unsigned long ino = 0;
45772 unsigned long long pgoff = 0;
45773 - unsigned long start;
45774 dev_t dev = 0;
45775 int len;
45776
45777 @@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
45778 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
45779 }
45780
45781 - /* We don't show the stack guard page in /proc/maps */
45782 - start = vma->vm_start;
45783 - if (vma->vm_flags & VM_GROWSDOWN)
45784 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
45785 - start += PAGE_SIZE;
45786 -
45787 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
45788 - start,
45789 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45790 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
45791 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
45792 +#else
45793 + vma->vm_start,
45794 vma->vm_end,
45795 +#endif
45796 flags & VM_READ ? 'r' : '-',
45797 flags & VM_WRITE ? 'w' : '-',
45798 flags & VM_EXEC ? 'x' : '-',
45799 flags & VM_MAYSHARE ? 's' : 'p',
45800 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45801 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
45802 +#else
45803 pgoff,
45804 +#endif
45805 MAJOR(dev), MINOR(dev), ino, &len);
45806
45807 /*
45808 @@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
45809 */
45810 if (file) {
45811 pad_len_spaces(m, len);
45812 - seq_path(m, &file->f_path, "\n");
45813 + seq_path(m, &file->f_path, "\n\\");
45814 } else {
45815 const char *name = arch_vma_name(vma);
45816 if (!name) {
45817 @@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
45818 if (vma->vm_start <= mm->brk &&
45819 vma->vm_end >= mm->start_brk) {
45820 name = "[heap]";
45821 - } else if (vma->vm_start <= mm->start_stack &&
45822 - vma->vm_end >= mm->start_stack) {
45823 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
45824 + (vma->vm_start <= mm->start_stack &&
45825 + vma->vm_end >= mm->start_stack)) {
45826 name = "[stack]";
45827 }
45828 } else {
45829 @@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
45830 };
45831
45832 memset(&mss, 0, sizeof mss);
45833 - mss.vma = vma;
45834 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
45835 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
45836 +
45837 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45838 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
45839 +#endif
45840 + mss.vma = vma;
45841 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
45842 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
45843 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45844 + }
45845 +#endif
45846
45847 show_map_vma(m, vma);
45848
45849 @@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
45850 "Swap: %8lu kB\n"
45851 "KernelPageSize: %8lu kB\n"
45852 "MMUPageSize: %8lu kB\n",
45853 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
45854 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
45855 +#else
45856 (vma->vm_end - vma->vm_start) >> 10,
45857 +#endif
45858 mss.resident >> 10,
45859 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
45860 mss.shared_clean >> 10,
45861 diff -urNp linux-2.6.32.43/fs/proc/task_nommu.c linux-2.6.32.43/fs/proc/task_nommu.c
45862 --- linux-2.6.32.43/fs/proc/task_nommu.c 2011-03-27 14:31:47.000000000 -0400
45863 +++ linux-2.6.32.43/fs/proc/task_nommu.c 2011-04-17 15:56:46.000000000 -0400
45864 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
45865 else
45866 bytes += kobjsize(mm);
45867
45868 - if (current->fs && current->fs->users > 1)
45869 + if (current->fs && atomic_read(&current->fs->users) > 1)
45870 sbytes += kobjsize(current->fs);
45871 else
45872 bytes += kobjsize(current->fs);
45873 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
45874 if (len < 1)
45875 len = 1;
45876 seq_printf(m, "%*c", len, ' ');
45877 - seq_path(m, &file->f_path, "");
45878 + seq_path(m, &file->f_path, "\n\\");
45879 }
45880
45881 seq_putc(m, '\n');
45882 diff -urNp linux-2.6.32.43/fs/readdir.c linux-2.6.32.43/fs/readdir.c
45883 --- linux-2.6.32.43/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
45884 +++ linux-2.6.32.43/fs/readdir.c 2011-04-17 15:56:46.000000000 -0400
45885 @@ -16,6 +16,7 @@
45886 #include <linux/security.h>
45887 #include <linux/syscalls.h>
45888 #include <linux/unistd.h>
45889 +#include <linux/namei.h>
45890
45891 #include <asm/uaccess.h>
45892
45893 @@ -67,6 +68,7 @@ struct old_linux_dirent {
45894
45895 struct readdir_callback {
45896 struct old_linux_dirent __user * dirent;
45897 + struct file * file;
45898 int result;
45899 };
45900
45901 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
45902 buf->result = -EOVERFLOW;
45903 return -EOVERFLOW;
45904 }
45905 +
45906 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45907 + return 0;
45908 +
45909 buf->result++;
45910 dirent = buf->dirent;
45911 if (!access_ok(VERIFY_WRITE, dirent,
45912 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
45913
45914 buf.result = 0;
45915 buf.dirent = dirent;
45916 + buf.file = file;
45917
45918 error = vfs_readdir(file, fillonedir, &buf);
45919 if (buf.result)
45920 @@ -142,6 +149,7 @@ struct linux_dirent {
45921 struct getdents_callback {
45922 struct linux_dirent __user * current_dir;
45923 struct linux_dirent __user * previous;
45924 + struct file * file;
45925 int count;
45926 int error;
45927 };
45928 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
45929 buf->error = -EOVERFLOW;
45930 return -EOVERFLOW;
45931 }
45932 +
45933 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45934 + return 0;
45935 +
45936 dirent = buf->previous;
45937 if (dirent) {
45938 if (__put_user(offset, &dirent->d_off))
45939 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
45940 buf.previous = NULL;
45941 buf.count = count;
45942 buf.error = 0;
45943 + buf.file = file;
45944
45945 error = vfs_readdir(file, filldir, &buf);
45946 if (error >= 0)
45947 @@ -228,6 +241,7 @@ out:
45948 struct getdents_callback64 {
45949 struct linux_dirent64 __user * current_dir;
45950 struct linux_dirent64 __user * previous;
45951 + struct file *file;
45952 int count;
45953 int error;
45954 };
45955 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
45956 buf->error = -EINVAL; /* only used if we fail.. */
45957 if (reclen > buf->count)
45958 return -EINVAL;
45959 +
45960 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45961 + return 0;
45962 +
45963 dirent = buf->previous;
45964 if (dirent) {
45965 if (__put_user(offset, &dirent->d_off))
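Review bot: The early `return 0;` for a filtered entry in filldir64 leaves `buf->error` at the `-EINVAL` assigned just above it ("only used if we fail"). If every entry delivered during one getdents64 call is filtered, `buf->previous` stays NULL and the syscall may return that `-EINVAL` instead of 0. This depends on how the caller consumes `buf.error`, which is outside this hunk, so it is worth confirming there. Clearing the field on the skip path avoids the question: `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) { buf->error = 0; return 0; }`. The filldir hunk above adds the same early return and should be checked the same way.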
45966 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
45967
45968 buf.current_dir = dirent;
45969 buf.previous = NULL;
45970 + buf.file = file;
45971 buf.count = count;
45972 buf.error = 0;
45973
45974 diff -urNp linux-2.6.32.43/fs/reiserfs/dir.c linux-2.6.32.43/fs/reiserfs/dir.c
45975 --- linux-2.6.32.43/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
45976 +++ linux-2.6.32.43/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
45977 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
45978 struct reiserfs_dir_entry de;
45979 int ret = 0;
45980
45981 + pax_track_stack();
45982 +
45983 reiserfs_write_lock(inode->i_sb);
45984
45985 reiserfs_check_lock_depth(inode->i_sb, "readdir");
45986 diff -urNp linux-2.6.32.43/fs/reiserfs/do_balan.c linux-2.6.32.43/fs/reiserfs/do_balan.c
45987 --- linux-2.6.32.43/fs/reiserfs/do_balan.c 2011-03-27 14:31:47.000000000 -0400
45988 +++ linux-2.6.32.43/fs/reiserfs/do_balan.c 2011-04-17 15:56:46.000000000 -0400
45989 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
45990 return;
45991 }
45992
45993 - atomic_inc(&(fs_generation(tb->tb_sb)));
45994 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
45995 do_balance_starts(tb);
45996
45997 /* balance leaf returns 0 except if combining L R and S into
45998 diff -urNp linux-2.6.32.43/fs/reiserfs/item_ops.c linux-2.6.32.43/fs/reiserfs/item_ops.c
45999 --- linux-2.6.32.43/fs/reiserfs/item_ops.c 2011-03-27 14:31:47.000000000 -0400
46000 +++ linux-2.6.32.43/fs/reiserfs/item_ops.c 2011-04-17 15:56:46.000000000 -0400
46001 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
46002 vi->vi_index, vi->vi_type, vi->vi_ih);
46003 }
46004
46005 -static struct item_operations stat_data_ops = {
46006 +static const struct item_operations stat_data_ops = {
46007 .bytes_number = sd_bytes_number,
46008 .decrement_key = sd_decrement_key,
46009 .is_left_mergeable = sd_is_left_mergeable,
46010 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
46011 vi->vi_index, vi->vi_type, vi->vi_ih);
46012 }
46013
46014 -static struct item_operations direct_ops = {
46015 +static const struct item_operations direct_ops = {
46016 .bytes_number = direct_bytes_number,
46017 .decrement_key = direct_decrement_key,
46018 .is_left_mergeable = direct_is_left_mergeable,
46019 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
46020 vi->vi_index, vi->vi_type, vi->vi_ih);
46021 }
46022
46023 -static struct item_operations indirect_ops = {
46024 +static const struct item_operations indirect_ops = {
46025 .bytes_number = indirect_bytes_number,
46026 .decrement_key = indirect_decrement_key,
46027 .is_left_mergeable = indirect_is_left_mergeable,
46028 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
46029 printk("\n");
46030 }
46031
46032 -static struct item_operations direntry_ops = {
46033 +static const struct item_operations direntry_ops = {
46034 .bytes_number = direntry_bytes_number,
46035 .decrement_key = direntry_decrement_key,
46036 .is_left_mergeable = direntry_is_left_mergeable,
46037 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
46038 "Invalid item type observed, run fsck ASAP");
46039 }
46040
46041 -static struct item_operations errcatch_ops = {
46042 +static const struct item_operations errcatch_ops = {
46043 errcatch_bytes_number,
46044 errcatch_decrement_key,
46045 errcatch_is_left_mergeable,
46046 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
46047 #error Item types must use disk-format assigned values.
46048 #endif
46049
46050 -struct item_operations *item_ops[TYPE_ANY + 1] = {
46051 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
46052 &stat_data_ops,
46053 &indirect_ops,
46054 &direct_ops,
46055 diff -urNp linux-2.6.32.43/fs/reiserfs/journal.c linux-2.6.32.43/fs/reiserfs/journal.c
46056 --- linux-2.6.32.43/fs/reiserfs/journal.c 2011-03-27 14:31:47.000000000 -0400
46057 +++ linux-2.6.32.43/fs/reiserfs/journal.c 2011-05-16 21:46:57.000000000 -0400
46058 @@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
46059 struct buffer_head *bh;
46060 int i, j;
46061
46062 + pax_track_stack();
46063 +
46064 bh = __getblk(dev, block, bufsize);
46065 if (buffer_uptodate(bh))
46066 return (bh);
46067 diff -urNp linux-2.6.32.43/fs/reiserfs/namei.c linux-2.6.32.43/fs/reiserfs/namei.c
46068 --- linux-2.6.32.43/fs/reiserfs/namei.c 2011-03-27 14:31:47.000000000 -0400
46069 +++ linux-2.6.32.43/fs/reiserfs/namei.c 2011-05-16 21:46:57.000000000 -0400
46070 @@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
46071 unsigned long savelink = 1;
46072 struct timespec ctime;
46073
46074 + pax_track_stack();
46075 +
46076 /* three balancings: (1) old name removal, (2) new name insertion
46077 and (3) maybe "save" link insertion
46078 stat data updates: (1) old directory,
46079 diff -urNp linux-2.6.32.43/fs/reiserfs/procfs.c linux-2.6.32.43/fs/reiserfs/procfs.c
46080 --- linux-2.6.32.43/fs/reiserfs/procfs.c 2011-03-27 14:31:47.000000000 -0400
46081 +++ linux-2.6.32.43/fs/reiserfs/procfs.c 2011-05-16 21:46:57.000000000 -0400
46082 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
46083 "SMALL_TAILS " : "NO_TAILS ",
46084 replay_only(sb) ? "REPLAY_ONLY " : "",
46085 convert_reiserfs(sb) ? "CONV " : "",
46086 - atomic_read(&r->s_generation_counter),
46087 + atomic_read_unchecked(&r->s_generation_counter),
46088 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
46089 SF(s_do_balance), SF(s_unneeded_left_neighbor),
46090 SF(s_good_search_by_key_reada), SF(s_bmaps),
46091 @@ -309,6 +309,8 @@ static int show_journal(struct seq_file
46092 struct journal_params *jp = &rs->s_v1.s_journal;
46093 char b[BDEVNAME_SIZE];
46094
46095 + pax_track_stack();
46096 +
46097 seq_printf(m, /* on-disk fields */
46098 "jp_journal_1st_block: \t%i\n"
46099 "jp_journal_dev: \t%s[%x]\n"
46100 diff -urNp linux-2.6.32.43/fs/reiserfs/stree.c linux-2.6.32.43/fs/reiserfs/stree.c
46101 --- linux-2.6.32.43/fs/reiserfs/stree.c 2011-03-27 14:31:47.000000000 -0400
46102 +++ linux-2.6.32.43/fs/reiserfs/stree.c 2011-05-16 21:46:57.000000000 -0400
46103 @@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
46104 int iter = 0;
46105 #endif
46106
46107 + pax_track_stack();
46108 +
46109 BUG_ON(!th->t_trans_id);
46110
46111 init_tb_struct(th, &s_del_balance, sb, path,
46112 @@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
46113 int retval;
46114 int quota_cut_bytes = 0;
46115
46116 + pax_track_stack();
46117 +
46118 BUG_ON(!th->t_trans_id);
46119
46120 le_key2cpu_key(&cpu_key, key);
46121 @@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
46122 int quota_cut_bytes;
46123 loff_t tail_pos = 0;
46124
46125 + pax_track_stack();
46126 +
46127 BUG_ON(!th->t_trans_id);
46128
46129 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
46130 @@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
46131 int retval;
46132 int fs_gen;
46133
46134 + pax_track_stack();
46135 +
46136 BUG_ON(!th->t_trans_id);
46137
46138 fs_gen = get_generation(inode->i_sb);
46139 @@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
46140 int fs_gen = 0;
46141 int quota_bytes = 0;
46142
46143 + pax_track_stack();
46144 +
46145 BUG_ON(!th->t_trans_id);
46146
46147 if (inode) { /* Do we count quotas for item? */
46148 diff -urNp linux-2.6.32.43/fs/reiserfs/super.c linux-2.6.32.43/fs/reiserfs/super.c
46149 --- linux-2.6.32.43/fs/reiserfs/super.c 2011-03-27 14:31:47.000000000 -0400
46150 +++ linux-2.6.32.43/fs/reiserfs/super.c 2011-05-16 21:46:57.000000000 -0400
46151 @@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
46152 {.option_name = NULL}
46153 };
46154
46155 + pax_track_stack();
46156 +
46157 *blocks = 0;
46158 if (!options || !*options)
46159 /* use default configuration: create tails, journaling on, no
46160 diff -urNp linux-2.6.32.43/fs/select.c linux-2.6.32.43/fs/select.c
46161 --- linux-2.6.32.43/fs/select.c 2011-03-27 14:31:47.000000000 -0400
46162 +++ linux-2.6.32.43/fs/select.c 2011-05-16 21:46:57.000000000 -0400
46163 @@ -20,6 +20,7 @@
46164 #include <linux/module.h>
46165 #include <linux/slab.h>
46166 #include <linux/poll.h>
46167 +#include <linux/security.h>
46168 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
46169 #include <linux/file.h>
46170 #include <linux/fdtable.h>
46171 @@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
46172 int retval, i, timed_out = 0;
46173 unsigned long slack = 0;
46174
46175 + pax_track_stack();
46176 +
46177 rcu_read_lock();
46178 retval = max_select_fd(n, fds);
46179 rcu_read_unlock();
46180 @@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
46181 /* Allocate small arguments on the stack to save memory and be faster */
46182 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
46183
46184 + pax_track_stack();
46185 +
46186 ret = -EINVAL;
46187 if (n < 0)
46188 goto out_nofds;
46189 @@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
46190 struct poll_list *walk = head;
46191 unsigned long todo = nfds;
46192
46193 + pax_track_stack();
46194 +
46195 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
46196 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
46197 return -EINVAL;
46198
46199 diff -urNp linux-2.6.32.43/fs/seq_file.c linux-2.6.32.43/fs/seq_file.c
46200 --- linux-2.6.32.43/fs/seq_file.c 2011-03-27 14:31:47.000000000 -0400
46201 +++ linux-2.6.32.43/fs/seq_file.c 2011-08-05 20:33:55.000000000 -0400
46202 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
46203 return 0;
46204 }
46205 if (!m->buf) {
46206 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46207 + m->size = PAGE_SIZE;
46208 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46209 if (!m->buf)
46210 return -ENOMEM;
46211 }
46212 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
46213 Eoverflow:
46214 m->op->stop(m, p);
46215 kfree(m->buf);
46216 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46217 + m->size <<= 1;
46218 + m->buf = kmalloc(m->size, GFP_KERNEL);
46219 return !m->buf ? -ENOMEM : -EAGAIN;
46220 }
46221
46222 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
46223 m->version = file->f_version;
46224 /* grab buffer if we didn't have one */
46225 if (!m->buf) {
46226 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
46227 + m->size = PAGE_SIZE;
46228 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
46229 if (!m->buf)
46230 goto Enomem;
46231 }
46232 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
46233 goto Fill;
46234 m->op->stop(m, p);
46235 kfree(m->buf);
46236 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
46237 + m->size <<= 1;
46238 + m->buf = kmalloc(m->size, GFP_KERNEL);
46239 if (!m->buf)
46240 goto Enomem;
46241 m->count = 0;
46242 @@ -555,10 +559,10 @@ int single_open(struct file *file, int (
46243 int res = -ENOMEM;
46244
46245 if (op) {
46246 - op->start = single_start;
46247 - op->next = single_next;
46248 - op->stop = single_stop;
46249 - op->show = show;
46250 + *(void **)&op->start = single_start;
46251 + *(void **)&op->next = single_next;
46252 + *(void **)&op->stop = single_stop;
46253 + *(void **)&op->show = show;
46254 res = seq_open(file, op);
46255 if (!res)
46256 ((struct seq_file *)file->private_data)->private = data;
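Review bot: The four stores in single_open() now go through `*(void **)&op->start` and friends, which hides the function-pointer types from the compiler, so a handler with the wrong signature would no longer be diagnosed at these assignments. Presumably the members of struct seq_operations are const-qualified elsewhere in this patch, but that is not visible here. A one-line comment above the block, for example `/* members are const-qualified; op is this function's private writable copy */`, would explain why the casts are needed. The fs/smbfs/proc.c hunks for `server->ops->convert` and `server->ops->getattr` use the same pattern and would benefit from the same comment. single_open() starts outside the hunk.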
46257 diff -urNp linux-2.6.32.43/fs/smbfs/proc.c linux-2.6.32.43/fs/smbfs/proc.c
46258 --- linux-2.6.32.43/fs/smbfs/proc.c 2011-03-27 14:31:47.000000000 -0400
46259 +++ linux-2.6.32.43/fs/smbfs/proc.c 2011-08-05 20:33:55.000000000 -0400
46260 @@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
46261
46262 out:
46263 if (server->local_nls != NULL && server->remote_nls != NULL)
46264 - server->ops->convert = convert_cp;
46265 + *(void **)&server->ops->convert = convert_cp;
46266 else
46267 - server->ops->convert = convert_memcpy;
46268 + *(void **)&server->ops->convert = convert_memcpy;
46269
46270 smb_unlock_server(server);
46271 return n;
46272 @@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
46273
46274 /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
46275 if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
46276 - server->ops->getattr = smb_proc_getattr_core;
46277 + *(void **)&server->ops->getattr = smb_proc_getattr_core;
46278 } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
46279 - server->ops->getattr = smb_proc_getattr_ff;
46280 + *(void **)&server->ops->getattr = smb_proc_getattr_ff;
46281 }
46282
46283 /* Decode server capabilities */
46284 @@ -3439,7 +3439,7 @@ out:
46285 static void
46286 install_ops(struct smb_ops *dst, struct smb_ops *src)
46287 {
46288 - memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
46289 + memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
46290 }
46291
46292 /* < LANMAN2 */
46293 diff -urNp linux-2.6.32.43/fs/smbfs/symlink.c linux-2.6.32.43/fs/smbfs/symlink.c
46294 --- linux-2.6.32.43/fs/smbfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
46295 +++ linux-2.6.32.43/fs/smbfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
46296 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
46297
46298 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
46299 {
46300 - char *s = nd_get_link(nd);
46301 + const char *s = nd_get_link(nd);
46302 if (!IS_ERR(s))
46303 __putname(s);
46304 }
46305 diff -urNp linux-2.6.32.43/fs/splice.c linux-2.6.32.43/fs/splice.c
46306 --- linux-2.6.32.43/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
46307 +++ linux-2.6.32.43/fs/splice.c 2011-05-16 21:46:57.000000000 -0400
46308 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
46309 pipe_lock(pipe);
46310
46311 for (;;) {
46312 - if (!pipe->readers) {
46313 + if (!atomic_read(&pipe->readers)) {
46314 send_sig(SIGPIPE, current, 0);
46315 if (!ret)
46316 ret = -EPIPE;
46317 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
46318 do_wakeup = 0;
46319 }
46320
46321 - pipe->waiting_writers++;
46322 + atomic_inc(&pipe->waiting_writers);
46323 pipe_wait(pipe);
46324 - pipe->waiting_writers--;
46325 + atomic_dec(&pipe->waiting_writers);
46326 }
46327
46328 pipe_unlock(pipe);
46329 @@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
46330 .spd_release = spd_release_page,
46331 };
46332
46333 + pax_track_stack();
46334 +
46335 index = *ppos >> PAGE_CACHE_SHIFT;
46336 loff = *ppos & ~PAGE_CACHE_MASK;
46337 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
46338 @@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
46339 old_fs = get_fs();
46340 set_fs(get_ds());
46341 /* The cast to a user pointer is valid due to the set_fs() */
46342 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
46343 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
46344 set_fs(old_fs);
46345
46346 return res;
46347 @@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
46348 old_fs = get_fs();
46349 set_fs(get_ds());
46350 /* The cast to a user pointer is valid due to the set_fs() */
46351 - res = vfs_write(file, (const char __user *)buf, count, &pos);
46352 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
46353 set_fs(old_fs);
46354
46355 return res;
46356 @@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
46357 .spd_release = spd_release_page,
46358 };
46359
46360 + pax_track_stack();
46361 +
46362 index = *ppos >> PAGE_CACHE_SHIFT;
46363 offset = *ppos & ~PAGE_CACHE_MASK;
46364 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
46365 @@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
46366 goto err;
46367
46368 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
46369 - vec[i].iov_base = (void __user *) page_address(page);
46370 + vec[i].iov_base = (__force void __user *) page_address(page);
46371 vec[i].iov_len = this_len;
46372 pages[i] = page;
46373 spd.nr_pages++;
46374 @@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
46375 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
46376 {
46377 while (!pipe->nrbufs) {
46378 - if (!pipe->writers)
46379 + if (!atomic_read(&pipe->writers))
46380 return 0;
46381
46382 - if (!pipe->waiting_writers && sd->num_spliced)
46383 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
46384 return 0;
46385
46386 if (sd->flags & SPLICE_F_NONBLOCK)
46387 @@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
46388 * out of the pipe right after the splice_to_pipe(). So set
46389 * PIPE_READERS appropriately.
46390 */
46391 - pipe->readers = 1;
46392 + atomic_set(&pipe->readers, 1);
46393
46394 current->splice_pipe = pipe;
46395 }
46396 @@ -1592,6 +1596,8 @@ static long vmsplice_to_pipe(struct file
46397 .spd_release = spd_release_page,
46398 };
46399
46400 + pax_track_stack();
46401 +
46402 pipe = pipe_info(file->f_path.dentry->d_inode);
46403 if (!pipe)
46404 return -EBADF;
46405 @@ -1700,9 +1706,9 @@ static int ipipe_prep(struct pipe_inode_
46406 ret = -ERESTARTSYS;
46407 break;
46408 }
46409 - if (!pipe->writers)
46410 + if (!atomic_read(&pipe->writers))
46411 break;
46412 - if (!pipe->waiting_writers) {
46413 + if (!atomic_read(&pipe->waiting_writers)) {
46414 if (flags & SPLICE_F_NONBLOCK) {
46415 ret = -EAGAIN;
46416 break;
46417 @@ -1734,7 +1740,7 @@ static int opipe_prep(struct pipe_inode_
46418 pipe_lock(pipe);
46419
46420 while (pipe->nrbufs >= PIPE_BUFFERS) {
46421 - if (!pipe->readers) {
46422 + if (!atomic_read(&pipe->readers)) {
46423 send_sig(SIGPIPE, current, 0);
46424 ret = -EPIPE;
46425 break;
46426 @@ -1747,9 +1753,9 @@ static int opipe_prep(struct pipe_inode_
46427 ret = -ERESTARTSYS;
46428 break;
46429 }
46430 - pipe->waiting_writers++;
46431 + atomic_inc(&pipe->waiting_writers);
46432 pipe_wait(pipe);
46433 - pipe->waiting_writers--;
46434 + atomic_dec(&pipe->waiting_writers);
46435 }
46436
46437 pipe_unlock(pipe);
46438 @@ -1785,14 +1791,14 @@ retry:
46439 pipe_double_lock(ipipe, opipe);
46440
46441 do {
46442 - if (!opipe->readers) {
46443 + if (!atomic_read(&opipe->readers)) {
46444 send_sig(SIGPIPE, current, 0);
46445 if (!ret)
46446 ret = -EPIPE;
46447 break;
46448 }
46449
46450 - if (!ipipe->nrbufs && !ipipe->writers)
46451 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
46452 break;
46453
46454 /*
46455 @@ -1892,7 +1898,7 @@ static int link_pipe(struct pipe_inode_i
46456 pipe_double_lock(ipipe, opipe);
46457
46458 do {
46459 - if (!opipe->readers) {
46460 + if (!atomic_read(&opipe->readers)) {
46461 send_sig(SIGPIPE, current, 0);
46462 if (!ret)
46463 ret = -EPIPE;
46464 @@ -1937,7 +1943,7 @@ static int link_pipe(struct pipe_inode_i
46465 * return EAGAIN if we have the potential of some data in the
46466 * future, otherwise just return 0
46467 */
46468 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
46469 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
46470 ret = -EAGAIN;
46471
46472 pipe_unlock(ipipe);
46473 diff -urNp linux-2.6.32.43/fs/sysfs/file.c linux-2.6.32.43/fs/sysfs/file.c
46474 --- linux-2.6.32.43/fs/sysfs/file.c 2011-03-27 14:31:47.000000000 -0400
46475 +++ linux-2.6.32.43/fs/sysfs/file.c 2011-05-04 17:56:20.000000000 -0400
46476 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
46477
46478 struct sysfs_open_dirent {
46479 atomic_t refcnt;
46480 - atomic_t event;
46481 + atomic_unchecked_t event;
46482 wait_queue_head_t poll;
46483 struct list_head buffers; /* goes through sysfs_buffer.list */
46484 };
46485 @@ -53,7 +53,7 @@ struct sysfs_buffer {
46486 size_t count;
46487 loff_t pos;
46488 char * page;
46489 - struct sysfs_ops * ops;
46490 + const struct sysfs_ops * ops;
46491 struct mutex mutex;
46492 int needs_read_fill;
46493 int event;
46494 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
46495 {
46496 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
46497 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
46498 - struct sysfs_ops * ops = buffer->ops;
46499 + const struct sysfs_ops * ops = buffer->ops;
46500 int ret = 0;
46501 ssize_t count;
46502
46503 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
46504 if (!sysfs_get_active_two(attr_sd))
46505 return -ENODEV;
46506
46507 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
46508 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
46509 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
46510
46511 sysfs_put_active_two(attr_sd);
46512 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
46513 {
46514 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
46515 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
46516 - struct sysfs_ops * ops = buffer->ops;
46517 + const struct sysfs_ops * ops = buffer->ops;
46518 int rc;
46519
46520 /* need attr_sd for attr and ops, its parent for kobj */
46521 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
46522 return -ENOMEM;
46523
46524 atomic_set(&new_od->refcnt, 0);
46525 - atomic_set(&new_od->event, 1);
46526 + atomic_set_unchecked(&new_od->event, 1);
46527 init_waitqueue_head(&new_od->poll);
46528 INIT_LIST_HEAD(&new_od->buffers);
46529 goto retry;
46530 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
46531 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
46532 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
46533 struct sysfs_buffer *buffer;
46534 - struct sysfs_ops *ops;
46535 + const struct sysfs_ops *ops;
46536 int error = -EACCES;
46537 char *p;
46538
46539 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
46540
46541 sysfs_put_active_two(attr_sd);
46542
46543 - if (buffer->event != atomic_read(&od->event))
46544 + if (buffer->event != atomic_read_unchecked(&od->event))
46545 goto trigger;
46546
46547 return DEFAULT_POLLMASK;
46548 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
46549
46550 od = sd->s_attr.open;
46551 if (od) {
46552 - atomic_inc(&od->event);
46553 + atomic_inc_unchecked(&od->event);
46554 wake_up_interruptible(&od->poll);
46555 }
46556
46557 diff -urNp linux-2.6.32.43/fs/sysfs/mount.c linux-2.6.32.43/fs/sysfs/mount.c
46558 --- linux-2.6.32.43/fs/sysfs/mount.c 2011-03-27 14:31:47.000000000 -0400
46559 +++ linux-2.6.32.43/fs/sysfs/mount.c 2011-04-17 15:56:46.000000000 -0400
46560 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
46561 .s_name = "",
46562 .s_count = ATOMIC_INIT(1),
46563 .s_flags = SYSFS_DIR,
46564 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
46565 + .s_mode = S_IFDIR | S_IRWXU,
46566 +#else
46567 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
46568 +#endif
46569 .s_ino = 1,
46570 };
46571
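Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch has no comment saying what dropping `S_IRUGO | S_IXUGO` means for the sysfs root directory. I would add `/* owner-only root directory: other users can neither list nor traverse it */` above the restricted `.s_mode` line. That makes the behavioural difference visible at the definition and not only in the option's help text.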
46572 diff -urNp linux-2.6.32.43/fs/sysfs/symlink.c linux-2.6.32.43/fs/sysfs/symlink.c
46573 --- linux-2.6.32.43/fs/sysfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
46574 +++ linux-2.6.32.43/fs/sysfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
46575 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
46576
46577 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
46578 {
46579 - char *page = nd_get_link(nd);
46580 + const char *page = nd_get_link(nd);
46581 if (!IS_ERR(page))
46582 free_page((unsigned long)page);
46583 }
46584 diff -urNp linux-2.6.32.43/fs/udf/balloc.c linux-2.6.32.43/fs/udf/balloc.c
46585 --- linux-2.6.32.43/fs/udf/balloc.c 2011-03-27 14:31:47.000000000 -0400
46586 +++ linux-2.6.32.43/fs/udf/balloc.c 2011-04-17 15:56:46.000000000 -0400
46587 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
46588
46589 mutex_lock(&sbi->s_alloc_mutex);
46590 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
46591 - if (bloc->logicalBlockNum < 0 ||
46592 - (bloc->logicalBlockNum + count) >
46593 - partmap->s_partition_len) {
46594 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
46595 udf_debug("%d < %d || %d + %d > %d\n",
46596 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
46597 count, partmap->s_partition_len);
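Review bot: With the `< 0` test removed, the only bound left is `(bloc->logicalBlockNum + count) > partmap->s_partition_len`. If both operands are unsigned 32-bit values, as the removal suggests for logicalBlockNum, a large block number wraps the sum and passes the check. Comparing without the addition avoids that: `if (count > partmap->s_partition_len || bloc->logicalBlockNum > partmap->s_partition_len - count) {`. The udf_debug() format string still prints `%d < %d ||` for the test that no longer exists. The same two points apply to the udf_table_free_blocks hunk that follows, and both functions continue outside their hunks.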
46598 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
46599
46600 mutex_lock(&sbi->s_alloc_mutex);
46601 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
46602 - if (bloc->logicalBlockNum < 0 ||
46603 - (bloc->logicalBlockNum + count) >
46604 - partmap->s_partition_len) {
46605 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
46606 udf_debug("%d < %d || %d + %d > %d\n",
46607 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
46608 partmap->s_partition_len);
46609 diff -urNp linux-2.6.32.43/fs/udf/inode.c linux-2.6.32.43/fs/udf/inode.c
46610 --- linux-2.6.32.43/fs/udf/inode.c 2011-03-27 14:31:47.000000000 -0400
46611 +++ linux-2.6.32.43/fs/udf/inode.c 2011-05-16 21:46:57.000000000 -0400
46612 @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
46613 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
46614 int lastblock = 0;
46615
46616 + pax_track_stack();
46617 +
46618 prev_epos.offset = udf_file_entry_alloc_offset(inode);
46619 prev_epos.block = iinfo->i_location;
46620 prev_epos.bh = NULL;
46621 diff -urNp linux-2.6.32.43/fs/udf/misc.c linux-2.6.32.43/fs/udf/misc.c
46622 --- linux-2.6.32.43/fs/udf/misc.c 2011-03-27 14:31:47.000000000 -0400
46623 +++ linux-2.6.32.43/fs/udf/misc.c 2011-04-23 12:56:11.000000000 -0400
46624 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
46625
46626 u8 udf_tag_checksum(const struct tag *t)
46627 {
46628 - u8 *data = (u8 *)t;
46629 + const u8 *data = (const u8 *)t;
46630 u8 checksum = 0;
46631 int i;
46632 for (i = 0; i < sizeof(struct tag); ++i)
46633 diff -urNp linux-2.6.32.43/fs/utimes.c linux-2.6.32.43/fs/utimes.c
46634 --- linux-2.6.32.43/fs/utimes.c 2011-03-27 14:31:47.000000000 -0400
46635 +++ linux-2.6.32.43/fs/utimes.c 2011-04-17 15:56:46.000000000 -0400
46636 @@ -1,6 +1,7 @@
46637 #include <linux/compiler.h>
46638 #include <linux/file.h>
46639 #include <linux/fs.h>
46640 +#include <linux/security.h>
46641 #include <linux/linkage.h>
46642 #include <linux/mount.h>
46643 #include <linux/namei.h>
46644 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
46645 goto mnt_drop_write_and_out;
46646 }
46647 }
46648 +
46649 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
46650 + error = -EACCES;
46651 + goto mnt_drop_write_and_out;
46652 + }
46653 +
46654 mutex_lock(&inode->i_mutex);
46655 error = notify_change(path->dentry, &newattrs);
46656 mutex_unlock(&inode->i_mutex);
46657 diff -urNp linux-2.6.32.43/fs/xattr_acl.c linux-2.6.32.43/fs/xattr_acl.c
46658 --- linux-2.6.32.43/fs/xattr_acl.c 2011-03-27 14:31:47.000000000 -0400
46659 +++ linux-2.6.32.43/fs/xattr_acl.c 2011-04-17 15:56:46.000000000 -0400
46660 @@ -17,8 +17,8 @@
46661 struct posix_acl *
46662 posix_acl_from_xattr(const void *value, size_t size)
46663 {
46664 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
46665 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
46666 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
46667 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
46668 int count;
46669 struct posix_acl *acl;
46670 struct posix_acl_entry *acl_e;
46671 diff -urNp linux-2.6.32.43/fs/xattr.c linux-2.6.32.43/fs/xattr.c
46672 --- linux-2.6.32.43/fs/xattr.c 2011-03-27 14:31:47.000000000 -0400
46673 +++ linux-2.6.32.43/fs/xattr.c 2011-04-17 15:56:46.000000000 -0400
46674 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
46675 * Extended attribute SET operations
46676 */
46677 static long
46678 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
46679 +setxattr(struct path *path, const char __user *name, const void __user *value,
46680 size_t size, int flags)
46681 {
46682 int error;
46683 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
46684 return PTR_ERR(kvalue);
46685 }
46686
46687 - error = vfs_setxattr(d, kname, kvalue, size, flags);
46688 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
46689 + error = -EACCES;
46690 + goto out;
46691 + }
46692 +
46693 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
46694 +out:
46695 kfree(kvalue);
46696 return error;
46697 }
46698 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
46699 return error;
46700 error = mnt_want_write(path.mnt);
46701 if (!error) {
46702 - error = setxattr(path.dentry, name, value, size, flags);
46703 + error = setxattr(&path, name, value, size, flags);
46704 mnt_drop_write(path.mnt);
46705 }
46706 path_put(&path);
46707 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
46708 return error;
46709 error = mnt_want_write(path.mnt);
46710 if (!error) {
46711 - error = setxattr(path.dentry, name, value, size, flags);
46712 + error = setxattr(&path, name, value, size, flags);
46713 mnt_drop_write(path.mnt);
46714 }
46715 path_put(&path);
46716 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
46717 const void __user *,value, size_t, size, int, flags)
46718 {
46719 struct file *f;
46720 - struct dentry *dentry;
46721 int error = -EBADF;
46722
46723 f = fget(fd);
46724 if (!f)
46725 return error;
46726 - dentry = f->f_path.dentry;
46727 - audit_inode(NULL, dentry);
46728 + audit_inode(NULL, f->f_path.dentry);
46729 error = mnt_want_write_file(f);
46730 if (!error) {
46731 - error = setxattr(dentry, name, value, size, flags);
46732 + error = setxattr(&f->f_path, name, value, size, flags);
46733 mnt_drop_write(f->f_path.mnt);
46734 }
46735 fput(f);
46736 diff -urNp linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl32.c
46737 --- linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-27 14:31:47.000000000 -0400
46738 +++ linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:56:46.000000000 -0400
46739 @@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
46740 xfs_fsop_geom_t fsgeo;
46741 int error;
46742
46743 + memset(&fsgeo, 0, sizeof(fsgeo));
46744 error = xfs_fs_geometry(mp, &fsgeo, 3);
46745 if (error)
46746 return -error;
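Review bot: The added `memset(&fsgeo, 0, sizeof(fsgeo));` covers only the compat handler. The native xfs_ioc_fsgeometry_v1() in fs/xfs/linux-2.6/xfs_ioctl.c (hunk at -697) declares the same on-stack `xfs_fsop_geom_t fsgeo` and gets only a whitespace change. Unless xfs_fs_geometry() clears the whole structure itself, which is not visible here, the native path would still hand on partly uninitialised stack memory. Either add the same memset there or add a comment saying why it is not needed. The function body continues outside the hunk.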
46747 diff -urNp linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl.c
46748 --- linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 17:00:52.000000000 -0400
46749 +++ linux-2.6.32.43/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:07:09.000000000 -0400
46750 @@ -134,7 +134,7 @@ xfs_find_handle(
46751 }
46752
46753 error = -EFAULT;
46754 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
46755 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
46756 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
46757 goto out_put;
46758
46759 @@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
46760 if (IS_ERR(dentry))
46761 return PTR_ERR(dentry);
46762
46763 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
46764 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
46765 if (!kbuf)
46766 goto out_dput;
46767
46768 @@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
46769 xfs_mount_t *mp,
46770 void __user *arg)
46771 {
46772 - xfs_fsop_geom_t fsgeo;
46773 + xfs_fsop_geom_t fsgeo;
46774 int error;
46775
46776 error = xfs_fs_geometry(mp, &fsgeo, 3);
46777 diff -urNp linux-2.6.32.43/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.43/fs/xfs/linux-2.6/xfs_iops.c
46778 --- linux-2.6.32.43/fs/xfs/linux-2.6/xfs_iops.c 2011-03-27 14:31:47.000000000 -0400
46779 +++ linux-2.6.32.43/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:56:46.000000000 -0400
46780 @@ -468,7 +468,7 @@ xfs_vn_put_link(
46781 struct nameidata *nd,
46782 void *p)
46783 {
46784 - char *s = nd_get_link(nd);
46785 + const char *s = nd_get_link(nd);
46786
46787 if (!IS_ERR(s))
46788 kfree(s);
46789 diff -urNp linux-2.6.32.43/fs/xfs/xfs_bmap.c linux-2.6.32.43/fs/xfs/xfs_bmap.c
46790 --- linux-2.6.32.43/fs/xfs/xfs_bmap.c 2011-03-27 14:31:47.000000000 -0400
46791 +++ linux-2.6.32.43/fs/xfs/xfs_bmap.c 2011-04-17 15:56:46.000000000 -0400
46792 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
46793 int nmap,
46794 int ret_nmap);
46795 #else
46796 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
46797 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
46798 #endif /* DEBUG */
46799
46800 #if defined(XFS_RW_TRACE)
46801 diff -urNp linux-2.6.32.43/fs/xfs/xfs_dir2_sf.c linux-2.6.32.43/fs/xfs/xfs_dir2_sf.c
46802 --- linux-2.6.32.43/fs/xfs/xfs_dir2_sf.c 2011-03-27 14:31:47.000000000 -0400
46803 +++ linux-2.6.32.43/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:07:30.000000000 -0400
46804 @@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
46805 }
46806
46807 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
46808 - if (filldir(dirent, sfep->name, sfep->namelen,
46809 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
46810 + char name[sfep->namelen];
46811 + memcpy(name, sfep->name, sfep->namelen);
46812 + if (filldir(dirent, name, sfep->namelen,
46813 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
46814 + *offset = off & 0x7fffffff;
46815 + return 0;
46816 + }
46817 + } else if (filldir(dirent, sfep->name, sfep->namelen,
46818 off & 0x7fffffff, ino, DT_UNKNOWN)) {
46819 *offset = off & 0x7fffffff;
46820 return 0;
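Review bot: `char name[sfep->namelen];` sizes a stack array from a directory-entry field, so a zero-length entry would make it a zero-size VLA, which C leaves undefined, and kernel stack use then varies with on-disk data. A fixed-size buffer bounded by the maximum name length, with namelen checked against it before the memcpy, would avoid both. The new branch also duplicates the filldir() call and its failure handling; choosing the name pointer first and calling filldir() once would keep the two paths from drifting apart. A comment explaining why inline data has to be copied before filldir() sees it is missing. xfs_dir2_sf_getdents() starts and ends outside the hunk.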
46821 diff -urNp linux-2.6.32.43/grsecurity/gracl_alloc.c linux-2.6.32.43/grsecurity/gracl_alloc.c
46822 --- linux-2.6.32.43/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
46823 +++ linux-2.6.32.43/grsecurity/gracl_alloc.c 2011-04-17 15:56:46.000000000 -0400
46824 @@ -0,0 +1,105 @@
46825 +#include <linux/kernel.h>
46826 +#include <linux/mm.h>
46827 +#include <linux/slab.h>
46828 +#include <linux/vmalloc.h>
46829 +#include <linux/gracl.h>
46830 +#include <linux/grsecurity.h>
46831 +
46832 +static unsigned long alloc_stack_next = 1;
46833 +static unsigned long alloc_stack_size = 1;
46834 +static void **alloc_stack;
46835 +
46836 +static __inline__ int
46837 +alloc_pop(void)
46838 +{
46839 + if (alloc_stack_next == 1)
46840 + return 0;
46841 +
46842 + kfree(alloc_stack[alloc_stack_next - 2]);
46843 +
46844 + alloc_stack_next--;
46845 +
46846 + return 1;
46847 +}
46848 +
46849 +static __inline__ int
46850 +alloc_push(void *buf)
46851 +{
46852 + if (alloc_stack_next >= alloc_stack_size)
46853 + return 1;
46854 +
46855 + alloc_stack[alloc_stack_next - 1] = buf;
46856 +
46857 + alloc_stack_next++;
46858 +
46859 + return 0;
46860 +}
46861 +
46862 +void *
46863 +acl_alloc(unsigned long len)
46864 +{
46865 + void *ret = NULL;
46866 +
46867 + if (!len || len > PAGE_SIZE)
46868 + goto out;
46869 +
46870 + ret = kmalloc(len, GFP_KERNEL);
46871 +
46872 + if (ret) {
46873 + if (alloc_push(ret)) {
46874 + kfree(ret);
46875 + ret = NULL;
46876 + }
46877 + }
46878 +
46879 +out:
46880 + return ret;
46881 +}
46882 +
46883 +void *
46884 +acl_alloc_num(unsigned long num, unsigned long len)
46885 +{
46886 + if (!len || (num > (PAGE_SIZE / len)))
46887 + return NULL;
46888 +
46889 + return acl_alloc(num * len);
46890 +}
46891 +
46892 +void
46893 +acl_free_all(void)
46894 +{
46895 + if (gr_acl_is_enabled() || !alloc_stack)
46896 + return;
46897 +
46898 + while (alloc_pop()) ;
46899 +
46900 + if (alloc_stack) {
46901 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
46902 + kfree(alloc_stack);
46903 + else
46904 + vfree(alloc_stack);
46905 + }
46906 +
46907 + alloc_stack = NULL;
46908 + alloc_stack_size = 1;
46909 + alloc_stack_next = 1;
46910 +
46911 + return;
46912 +}
46913 +
46914 +int
46915 +acl_alloc_stack_init(unsigned long size)
46916 +{
46917 + if ((size * sizeof (void *)) <= PAGE_SIZE)
46918 + alloc_stack =
46919 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
46920 + else
46921 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
46922 +
46923 + alloc_stack_size = size;
46924 +
46925 + if (!alloc_stack)
46926 + return 0;
46927 + else
46928 + return 1;
46929 +}
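Review bot: acl_alloc_stack_init() computes `size * sizeof (void *)` without checking for wrap-around and stores `alloc_stack_size = size` even when the allocation fails. A wrapped product yields a stack shorter than alloc_stack_size, so alloc_push() would write past its end. After a failed allocation, alloc_push() would index a NULL alloc_stack, because acl_free_all() returns early on `!alloc_stack` and never resets the size. Checking the multiplication and publishing the size only together with a valid pointer fixes both; the casts on the kmalloc/vmalloc results are also unnecessary in C. Nothing in the file says what serialises access to the three static variables, so a comment stating the caller's locking assumption would help.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	void **stack;

	/* refuse element counts whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;

	if ((size * sizeof (void *)) <= PAGE_SIZE)
		stack = kmalloc(size * sizeof (void *), GFP_KERNEL);
	else
		stack = vmalloc(size * sizeof (void *));

	if (!stack)
		return 0;

	/* publish the capacity only together with a valid stack */
	alloc_stack = stack;
	alloc_stack_size = size;

	return 1;
}
```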
46930 diff -urNp linux-2.6.32.43/grsecurity/gracl.c linux-2.6.32.43/grsecurity/gracl.c
46931 --- linux-2.6.32.43/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
46932 +++ linux-2.6.32.43/grsecurity/gracl.c 2011-07-14 20:02:48.000000000 -0400
46933 @@ -0,0 +1,4082 @@
46934 +#include <linux/kernel.h>
46935 +#include <linux/module.h>
46936 +#include <linux/sched.h>
46937 +#include <linux/mm.h>
46938 +#include <linux/file.h>
46939 +#include <linux/fs.h>
46940 +#include <linux/namei.h>
46941 +#include <linux/mount.h>
46942 +#include <linux/tty.h>
46943 +#include <linux/proc_fs.h>
46944 +#include <linux/smp_lock.h>
46945 +#include <linux/slab.h>
46946 +#include <linux/vmalloc.h>
46947 +#include <linux/types.h>
46948 +#include <linux/sysctl.h>
46949 +#include <linux/netdevice.h>
46950 +#include <linux/ptrace.h>
46951 +#include <linux/gracl.h>
46952 +#include <linux/gralloc.h>
46953 +#include <linux/grsecurity.h>
46954 +#include <linux/grinternal.h>
46955 +#include <linux/pid_namespace.h>
46956 +#include <linux/fdtable.h>
46957 +#include <linux/percpu.h>
46958 +
46959 +#include <asm/uaccess.h>
46960 +#include <asm/errno.h>
46961 +#include <asm/mman.h>
46962 +
46963 +static struct acl_role_db acl_role_set;
46964 +static struct name_db name_set;
46965 +static struct inodev_db inodev_set;
46966 +
46967 +/* for keeping track of userspace pointers used for subjects, so we
46968 + can share references in the kernel as well
46969 +*/
46970 +
46971 +static struct dentry *real_root;
46972 +static struct vfsmount *real_root_mnt;
46973 +
46974 +static struct acl_subj_map_db subj_map_set;
46975 +
46976 +static struct acl_role_label *default_role;
46977 +
46978 +static struct acl_role_label *role_list;
46979 +
46980 +static u16 acl_sp_role_value;
46981 +
46982 +extern char *gr_shared_page[4];
46983 +static DEFINE_MUTEX(gr_dev_mutex);
46984 +DEFINE_RWLOCK(gr_inode_lock);
46985 +
46986 +struct gr_arg *gr_usermode;
46987 +
46988 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
46989 +
46990 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
46991 +extern void gr_clear_learn_entries(void);
46992 +
46993 +#ifdef CONFIG_GRKERNSEC_RESLOG
46994 +extern void gr_log_resource(const struct task_struct *task,
46995 + const int res, const unsigned long wanted, const int gt);
46996 +#endif
46997 +
46998 +unsigned char *gr_system_salt;
46999 +unsigned char *gr_system_sum;
47000 +
47001 +static struct sprole_pw **acl_special_roles = NULL;
47002 +static __u16 num_sprole_pws = 0;
47003 +
47004 +static struct acl_role_label *kernel_role = NULL;
47005 +
47006 +static unsigned int gr_auth_attempts = 0;
47007 +static unsigned long gr_auth_expires = 0UL;
47008 +
47009 +#ifdef CONFIG_NET
47010 +extern struct vfsmount *sock_mnt;
47011 +#endif
47012 +extern struct vfsmount *pipe_mnt;
47013 +extern struct vfsmount *shm_mnt;
47014 +#ifdef CONFIG_HUGETLBFS
47015 +extern struct vfsmount *hugetlbfs_vfsmount;
47016 +#endif
47017 +
47018 +static struct acl_object_label *fakefs_obj_rw;
47019 +static struct acl_object_label *fakefs_obj_rwx;
47020 +
47021 +extern int gr_init_uidset(void);
47022 +extern void gr_free_uidset(void);
47023 +extern void gr_remove_uid(uid_t uid);
47024 +extern int gr_find_uid(uid_t uid);
47025 +
47026 +__inline__ int
47027 +gr_acl_is_enabled(void)
47028 +{
47029 + return (gr_status & GR_READY);
47030 +}
47031 +
47032 +#ifdef CONFIG_BTRFS_FS
47033 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
47034 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
47035 +#endif
47036 +
47037 +static inline dev_t __get_dev(const struct dentry *dentry)
47038 +{
47039 +#ifdef CONFIG_BTRFS_FS
47040 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
47041 + return get_btrfs_dev_from_inode(dentry->d_inode);
47042 + else
47043 +#endif
47044 + return dentry->d_inode->i_sb->s_dev;
47045 +}
47046 +
47047 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
47048 +{
47049 + return __get_dev(dentry);
47050 +}
47051 +
47052 +static char gr_task_roletype_to_char(struct task_struct *task)
47053 +{
47054 + switch (task->role->roletype &
47055 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
47056 + GR_ROLE_SPECIAL)) {
47057 + case GR_ROLE_DEFAULT:
47058 + return 'D';
47059 + case GR_ROLE_USER:
47060 + return 'U';
47061 + case GR_ROLE_GROUP:
47062 + return 'G';
47063 + case GR_ROLE_SPECIAL:
47064 + return 'S';
47065 + }
47066 +
47067 + return 'X';
47068 +}
47069 +
47070 +char gr_roletype_to_char(void)
47071 +{
47072 + return gr_task_roletype_to_char(current);
47073 +}
47074 +
47075 +__inline__ int
47076 +gr_acl_tpe_check(void)
47077 +{
47078 + if (unlikely(!(gr_status & GR_READY)))
47079 + return 0;
47080 + if (current->role->roletype & GR_ROLE_TPE)
47081 + return 1;
47082 + else
47083 + return 0;
47084 +}
47085 +
47086 +int
47087 +gr_handle_rawio(const struct inode *inode)
47088 +{
47089 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
47090 + if (inode && S_ISBLK(inode->i_mode) &&
47091 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
47092 + !capable(CAP_SYS_RAWIO))
47093 + return 1;
47094 +#endif
47095 + return 0;
47096 +}
47097 +
47098 +static int
47099 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
47100 +{
47101 + if (likely(lena != lenb))
47102 + return 0;
47103 +
47104 + return !memcmp(a, b, lena);
47105 +}
47106 +
47107 +/* this must be called with vfsmount_lock and dcache_lock held */
47108 +
47109 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
47110 + struct dentry *root, struct vfsmount *rootmnt,
47111 + char *buffer, int buflen)
47112 +{
47113 + char * end = buffer+buflen;
47114 + char * retval;
47115 + int namelen;
47116 +
47117 + *--end = '\0';
47118 + buflen--;
47119 +
47120 + if (buflen < 1)
47121 + goto Elong;
47122 + /* Get '/' right */
47123 + retval = end-1;
47124 + *retval = '/';
47125 +
47126 + for (;;) {
47127 + struct dentry * parent;
47128 +
47129 + if (dentry == root && vfsmnt == rootmnt)
47130 + break;
47131 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
47132 + /* Global root? */
47133 + if (vfsmnt->mnt_parent == vfsmnt)
47134 + goto global_root;
47135 + dentry = vfsmnt->mnt_mountpoint;
47136 + vfsmnt = vfsmnt->mnt_parent;
47137 + continue;
47138 + }
47139 + parent = dentry->d_parent;
47140 + prefetch(parent);
47141 + namelen = dentry->d_name.len;
47142 + buflen -= namelen + 1;
47143 + if (buflen < 0)
47144 + goto Elong;
47145 + end -= namelen;
47146 + memcpy(end, dentry->d_name.name, namelen);
47147 + *--end = '/';
47148 + retval = end;
47149 + dentry = parent;
47150 + }
47151 +
47152 +out:
47153 + return retval;
47154 +
47155 +global_root:
47156 + namelen = dentry->d_name.len;
47157 + buflen -= namelen;
47158 + if (buflen < 0)
47159 + goto Elong;
47160 + retval -= namelen-1; /* hit the slash */
47161 + memcpy(retval, dentry->d_name.name, namelen);
47162 + goto out;
47163 +Elong:
47164 + retval = ERR_PTR(-ENAMETOOLONG);
47165 + goto out;
47166 +}
47167 +
47168 +static char *
47169 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
47170 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
47171 +{
47172 + char *retval;
47173 +
47174 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
47175 + if (unlikely(IS_ERR(retval)))
47176 + retval = strcpy(buf, "<path too long>");
47177 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
47178 + retval[1] = '\0';
47179 +
47180 + return retval;
47181 +}
47182 +
47183 +static char *
47184 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47185 + char *buf, int buflen)
47186 +{
47187 + char *res;
47188 +
47189 + /* we can use real_root, real_root_mnt, because this is only called
47190 + by the RBAC system */
47191 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
47192 +
47193 + return res;
47194 +}
47195 +
47196 +static char *
47197 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
47198 + char *buf, int buflen)
47199 +{
47200 + char *res;
47201 + struct dentry *root;
47202 + struct vfsmount *rootmnt;
47203 + struct task_struct *reaper = &init_task;
47204 +
47205 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
47206 + read_lock(&reaper->fs->lock);
47207 + root = dget(reaper->fs->root.dentry);
47208 + rootmnt = mntget(reaper->fs->root.mnt);
47209 + read_unlock(&reaper->fs->lock);
47210 +
47211 + spin_lock(&dcache_lock);
47212 + spin_lock(&vfsmount_lock);
47213 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
47214 + spin_unlock(&vfsmount_lock);
47215 + spin_unlock(&dcache_lock);
47216 +
47217 + dput(root);
47218 + mntput(rootmnt);
47219 + return res;
47220 +}
47221 +
47222 +static char *
47223 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
47224 +{
47225 + char *ret;
47226 + spin_lock(&dcache_lock);
47227 + spin_lock(&vfsmount_lock);
47228 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47229 + PAGE_SIZE);
47230 + spin_unlock(&vfsmount_lock);
47231 + spin_unlock(&dcache_lock);
47232 + return ret;
47233 +}
47234 +
47235 +char *
47236 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
47237 +{
47238 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
47239 + PAGE_SIZE);
47240 +}
47241 +
47242 +char *
47243 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
47244 +{
47245 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47246 + PAGE_SIZE);
47247 +}
47248 +
47249 +char *
47250 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
47251 +{
47252 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
47253 + PAGE_SIZE);
47254 +}
47255 +
47256 +char *
47257 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
47258 +{
47259 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
47260 + PAGE_SIZE);
47261 +}
47262 +
47263 +char *
47264 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
47265 +{
47266 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
47267 + PAGE_SIZE);
47268 +}
47269 +
47270 +__inline__ __u32
47271 +to_gr_audit(const __u32 reqmode)
47272 +{
47273 + /* masks off auditable permission flags, then shifts them to create
47274 + auditing flags, and adds the special case of append auditing if
47275 + we're requesting write */
47276 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
47277 +}
47278 +
47279 +struct acl_subject_label *
47280 +lookup_subject_map(const struct acl_subject_label *userp)
47281 +{
47282 + unsigned int index = shash(userp, subj_map_set.s_size);
47283 + struct subject_map *match;
47284 +
47285 + match = subj_map_set.s_hash[index];
47286 +
47287 + while (match && match->user != userp)
47288 + match = match->next;
47289 +
47290 + if (match != NULL)
47291 + return match->kernel;
47292 + else
47293 + return NULL;
47294 +}
47295 +
47296 +static void
47297 +insert_subj_map_entry(struct subject_map *subjmap)
47298 +{
47299 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
47300 + struct subject_map **curr;
47301 +
47302 + subjmap->prev = NULL;
47303 +
47304 + curr = &subj_map_set.s_hash[index];
47305 + if (*curr != NULL)
47306 + (*curr)->prev = subjmap;
47307 +
47308 + subjmap->next = *curr;
47309 + *curr = subjmap;
47310 +
47311 + return;
47312 +}
47313 +
47314 +static struct acl_role_label *
47315 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
47316 + const gid_t gid)
47317 +{
47318 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
47319 + struct acl_role_label *match;
47320 + struct role_allowed_ip *ipp;
47321 + unsigned int x;
47322 + u32 curr_ip = task->signal->curr_ip;
47323 +
47324 + task->signal->saved_ip = curr_ip;
47325 +
47326 + match = acl_role_set.r_hash[index];
47327 +
47328 + while (match) {
47329 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
47330 + for (x = 0; x < match->domain_child_num; x++) {
47331 + if (match->domain_children[x] == uid)
47332 + goto found;
47333 + }
47334 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
47335 + break;
47336 + match = match->next;
47337 + }
47338 +found:
47339 + if (match == NULL) {
47340 + try_group:
47341 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
47342 + match = acl_role_set.r_hash[index];
47343 +
47344 + while (match) {
47345 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
47346 + for (x = 0; x < match->domain_child_num; x++) {
47347 + if (match->domain_children[x] == gid)
47348 + goto found2;
47349 + }
47350 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
47351 + break;
47352 + match = match->next;
47353 + }
47354 +found2:
47355 + if (match == NULL)
47356 + match = default_role;
47357 + if (match->allowed_ips == NULL)
47358 + return match;
47359 + else {
47360 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47361 + if (likely
47362 + ((ntohl(curr_ip) & ipp->netmask) ==
47363 + (ntohl(ipp->addr) & ipp->netmask)))
47364 + return match;
47365 + }
47366 + match = default_role;
47367 + }
47368 + } else if (match->allowed_ips == NULL) {
47369 + return match;
47370 + } else {
47371 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
47372 + if (likely
47373 + ((ntohl(curr_ip) & ipp->netmask) ==
47374 + (ntohl(ipp->addr) & ipp->netmask)))
47375 + return match;
47376 + }
47377 + goto try_group;
47378 + }
47379 +
47380 + return match;
47381 +}
47382 +
47383 +struct acl_subject_label *
47384 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
47385 + const struct acl_role_label *role)
47386 +{
47387 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
47388 + struct acl_subject_label *match;
47389 +
47390 + match = role->subj_hash[index];
47391 +
47392 + while (match && (match->inode != ino || match->device != dev ||
47393 + (match->mode & GR_DELETED))) {
47394 + match = match->next;
47395 + }
47396 +
47397 + if (match && !(match->mode & GR_DELETED))
47398 + return match;
47399 + else
47400 + return NULL;
47401 +}
47402 +
47403 +struct acl_subject_label *
47404 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
47405 + const struct acl_role_label *role)
47406 +{
47407 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
47408 + struct acl_subject_label *match;
47409 +
47410 + match = role->subj_hash[index];
47411 +
47412 + while (match && (match->inode != ino || match->device != dev ||
47413 + !(match->mode & GR_DELETED))) {
47414 + match = match->next;
47415 + }
47416 +
47417 + if (match && (match->mode & GR_DELETED))
47418 + return match;
47419 + else
47420 + return NULL;
47421 +}
47422 +
47423 +static struct acl_object_label *
47424 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
47425 + const struct acl_subject_label *subj)
47426 +{
47427 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47428 + struct acl_object_label *match;
47429 +
47430 + match = subj->obj_hash[index];
47431 +
47432 + while (match && (match->inode != ino || match->device != dev ||
47433 + (match->mode & GR_DELETED))) {
47434 + match = match->next;
47435 + }
47436 +
47437 + if (match && !(match->mode & GR_DELETED))
47438 + return match;
47439 + else
47440 + return NULL;
47441 +}
47442 +
47443 +static struct acl_object_label *
47444 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
47445 + const struct acl_subject_label *subj)
47446 +{
47447 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
47448 + struct acl_object_label *match;
47449 +
47450 + match = subj->obj_hash[index];
47451 +
47452 + while (match && (match->inode != ino || match->device != dev ||
47453 + !(match->mode & GR_DELETED))) {
47454 + match = match->next;
47455 + }
47456 +
47457 + if (match && (match->mode & GR_DELETED))
47458 + return match;
47459 +
47460 + match = subj->obj_hash[index];
47461 +
47462 + while (match && (match->inode != ino || match->device != dev ||
47463 + (match->mode & GR_DELETED))) {
47464 + match = match->next;
47465 + }
47466 +
47467 + if (match && !(match->mode & GR_DELETED))
47468 + return match;
47469 + else
47470 + return NULL;
47471 +}
47472 +
47473 +static struct name_entry *
47474 +lookup_name_entry(const char *name)
47475 +{
47476 + unsigned int len = strlen(name);
47477 + unsigned int key = full_name_hash(name, len);
47478 + unsigned int index = key % name_set.n_size;
47479 + struct name_entry *match;
47480 +
47481 + match = name_set.n_hash[index];
47482 +
47483 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
47484 + match = match->next;
47485 +
47486 + return match;
47487 +}
47488 +
47489 +static struct name_entry *
47490 +lookup_name_entry_create(const char *name)
47491 +{
47492 + unsigned int len = strlen(name);
47493 + unsigned int key = full_name_hash(name, len);
47494 + unsigned int index = key % name_set.n_size;
47495 + struct name_entry *match;
47496 +
47497 + match = name_set.n_hash[index];
47498 +
47499 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47500 + !match->deleted))
47501 + match = match->next;
47502 +
47503 + if (match && match->deleted)
47504 + return match;
47505 +
47506 + match = name_set.n_hash[index];
47507 +
47508 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
47509 + match->deleted))
47510 + match = match->next;
47511 +
47512 + if (match && !match->deleted)
47513 + return match;
47514 + else
47515 + return NULL;
47516 +}
47517 +
47518 +static struct inodev_entry *
47519 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
47520 +{
47521 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
47522 + struct inodev_entry *match;
47523 +
47524 + match = inodev_set.i_hash[index];
47525 +
47526 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
47527 + match = match->next;
47528 +
47529 + return match;
47530 +}
47531 +
47532 +static void
47533 +insert_inodev_entry(struct inodev_entry *entry)
47534 +{
47535 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
47536 + inodev_set.i_size);
47537 + struct inodev_entry **curr;
47538 +
47539 + entry->prev = NULL;
47540 +
47541 + curr = &inodev_set.i_hash[index];
47542 + if (*curr != NULL)
47543 + (*curr)->prev = entry;
47544 +
47545 + entry->next = *curr;
47546 + *curr = entry;
47547 +
47548 + return;
47549 +}
47550 +
47551 +static void
47552 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
47553 +{
47554 + unsigned int index =
47555 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
47556 + struct acl_role_label **curr;
47557 + struct acl_role_label *tmp;
47558 +
47559 + curr = &acl_role_set.r_hash[index];
47560 +
47561 + /* if role was already inserted due to domains and already has
47562 + a role in the same bucket as it attached, then we need to
47563 + combine these two buckets
47564 + */
47565 + if (role->next) {
47566 + tmp = role->next;
47567 + while (tmp->next)
47568 + tmp = tmp->next;
47569 + tmp->next = *curr;
47570 + } else
47571 + role->next = *curr;
47572 + *curr = role;
47573 +
47574 + return;
47575 +}
47576 +
47577 +static void
47578 +insert_acl_role_label(struct acl_role_label *role)
47579 +{
47580 + int i;
47581 +
47582 + if (role_list == NULL) {
47583 + role_list = role;
47584 + role->prev = NULL;
47585 + } else {
47586 + role->prev = role_list;
47587 + role_list = role;
47588 + }
47589 +
47590 + /* used for hash chains */
47591 + role->next = NULL;
47592 +
47593 + if (role->roletype & GR_ROLE_DOMAIN) {
47594 + for (i = 0; i < role->domain_child_num; i++)
47595 + __insert_acl_role_label(role, role->domain_children[i]);
47596 + } else
47597 + __insert_acl_role_label(role, role->uidgid);
47598 +}
47599 +
47600 +static int
47601 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
47602 +{
47603 + struct name_entry **curr, *nentry;
47604 + struct inodev_entry *ientry;
47605 + unsigned int len = strlen(name);
47606 + unsigned int key = full_name_hash(name, len);
47607 + unsigned int index = key % name_set.n_size;
47608 +
47609 + curr = &name_set.n_hash[index];
47610 +
47611 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
47612 + curr = &((*curr)->next);
47613 +
47614 + if (*curr != NULL)
47615 + return 1;
47616 +
47617 + nentry = acl_alloc(sizeof (struct name_entry));
47618 + if (nentry == NULL)
47619 + return 0;
47620 + ientry = acl_alloc(sizeof (struct inodev_entry));
47621 + if (ientry == NULL)
47622 + return 0;
47623 + ientry->nentry = nentry;
47624 +
47625 + nentry->key = key;
47626 + nentry->name = name;
47627 + nentry->inode = inode;
47628 + nentry->device = device;
47629 + nentry->len = len;
47630 + nentry->deleted = deleted;
47631 +
47632 + nentry->prev = NULL;
47633 + curr = &name_set.n_hash[index];
47634 + if (*curr != NULL)
47635 + (*curr)->prev = nentry;
47636 + nentry->next = *curr;
47637 + *curr = nentry;
47638 +
47639 + /* insert us into the table searchable by inode/dev */
47640 + insert_inodev_entry(ientry);
47641 +
47642 + return 1;
47643 +}
47644 +
47645 +static void
47646 +insert_acl_obj_label(struct acl_object_label *obj,
47647 + struct acl_subject_label *subj)
47648 +{
47649 + unsigned int index =
47650 + fhash(obj->inode, obj->device, subj->obj_hash_size);
47651 + struct acl_object_label **curr;
47652 +
47653 +
47654 + obj->prev = NULL;
47655 +
47656 + curr = &subj->obj_hash[index];
47657 + if (*curr != NULL)
47658 + (*curr)->prev = obj;
47659 +
47660 + obj->next = *curr;
47661 + *curr = obj;
47662 +
47663 + return;
47664 +}
47665 +
47666 +static void
47667 +insert_acl_subj_label(struct acl_subject_label *obj,
47668 + struct acl_role_label *role)
47669 +{
47670 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
47671 + struct acl_subject_label **curr;
47672 +
47673 + obj->prev = NULL;
47674 +
47675 + curr = &role->subj_hash[index];
47676 + if (*curr != NULL)
47677 + (*curr)->prev = obj;
47678 +
47679 + obj->next = *curr;
47680 + *curr = obj;
47681 +
47682 + return;
47683 +}
47684 +
47685 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
47686 +
47687 +static void *
47688 +create_table(__u32 * len, int elementsize)
47689 +{
47690 + unsigned int table_sizes[] = {
47691 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
47692 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
47693 + 4194301, 8388593, 16777213, 33554393, 67108859
47694 + };
47695 + void *newtable = NULL;
47696 + unsigned int pwr = 0;
47697 +
47698 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
47699 + table_sizes[pwr] <= *len)
47700 + pwr++;
47701 +
47702 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
47703 + return newtable;
47704 +
47705 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
47706 + newtable =
47707 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
47708 + else
47709 + newtable = vmalloc(table_sizes[pwr] * elementsize);
47710 +
47711 + *len = table_sizes[pwr];
47712 +
47713 + return newtable;
47714 +}
47715 +
47716 +static int
47717 +init_variables(const struct gr_arg *arg)
47718 +{
47719 + struct task_struct *reaper = &init_task;
47720 + unsigned int stacksize;
47721 +
47722 + subj_map_set.s_size = arg->role_db.num_subjects;
47723 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
47724 + name_set.n_size = arg->role_db.num_objects;
47725 + inodev_set.i_size = arg->role_db.num_objects;
47726 +
47727 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
47728 + !name_set.n_size || !inodev_set.i_size)
47729 + return 1;
47730 +
47731 + if (!gr_init_uidset())
47732 + return 1;
47733 +
47734 + /* set up the stack that holds allocation info */
47735 +
47736 + stacksize = arg->role_db.num_pointers + 5;
47737 +
47738 + if (!acl_alloc_stack_init(stacksize))
47739 + return 1;
47740 +
47741 + /* grab reference for the real root dentry and vfsmount */
47742 + read_lock(&reaper->fs->lock);
47743 + real_root = dget(reaper->fs->root.dentry);
47744 + real_root_mnt = mntget(reaper->fs->root.mnt);
47745 + read_unlock(&reaper->fs->lock);
47746 +
47747 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
47748 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
47749 +#endif
47750 +
47751 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
47752 + if (fakefs_obj_rw == NULL)
47753 + return 1;
47754 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
47755 +
47756 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
47757 + if (fakefs_obj_rwx == NULL)
47758 + return 1;
47759 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
47760 +
47761 + subj_map_set.s_hash =
47762 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
47763 + acl_role_set.r_hash =
47764 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
47765 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
47766 + inodev_set.i_hash =
47767 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
47768 +
47769 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
47770 + !name_set.n_hash || !inodev_set.i_hash)
47771 + return 1;
47772 +
47773 + memset(subj_map_set.s_hash, 0,
47774 + sizeof(struct subject_map *) * subj_map_set.s_size);
47775 + memset(acl_role_set.r_hash, 0,
47776 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
47777 + memset(name_set.n_hash, 0,
47778 + sizeof (struct name_entry *) * name_set.n_size);
47779 + memset(inodev_set.i_hash, 0,
47780 + sizeof (struct inodev_entry *) * inodev_set.i_size);
47781 +
47782 + return 0;
47783 +}
47784 +
47785 +/* free information not needed after startup
47786 + currently contains user->kernel pointer mappings for subjects
47787 +*/
47788 +
47789 +static void
47790 +free_init_variables(void)
47791 +{
47792 + __u32 i;
47793 +
47794 + if (subj_map_set.s_hash) {
47795 + for (i = 0; i < subj_map_set.s_size; i++) {
47796 + if (subj_map_set.s_hash[i]) {
47797 + kfree(subj_map_set.s_hash[i]);
47798 + subj_map_set.s_hash[i] = NULL;
47799 + }
47800 + }
47801 +
47802 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
47803 + PAGE_SIZE)
47804 + kfree(subj_map_set.s_hash);
47805 + else
47806 + vfree(subj_map_set.s_hash);
47807 + }
47808 +
47809 + return;
47810 +}
47811 +
47812 +static void
47813 +free_variables(void)
47814 +{
47815 + struct acl_subject_label *s;
47816 + struct acl_role_label *r;
47817 + struct task_struct *task, *task2;
47818 + unsigned int x;
47819 +
47820 + gr_clear_learn_entries();
47821 +
47822 + read_lock(&tasklist_lock);
47823 + do_each_thread(task2, task) {
47824 + task->acl_sp_role = 0;
47825 + task->acl_role_id = 0;
47826 + task->acl = NULL;
47827 + task->role = NULL;
47828 + } while_each_thread(task2, task);
47829 + read_unlock(&tasklist_lock);
47830 +
47831 + /* release the reference to the real root dentry and vfsmount */
47832 + if (real_root)
47833 + dput(real_root);
47834 + real_root = NULL;
47835 + if (real_root_mnt)
47836 + mntput(real_root_mnt);
47837 + real_root_mnt = NULL;
47838 +
47839 + /* free all object hash tables */
47840 +
47841 + FOR_EACH_ROLE_START(r)
47842 + if (r->subj_hash == NULL)
47843 + goto next_role;
47844 + FOR_EACH_SUBJECT_START(r, s, x)
47845 + if (s->obj_hash == NULL)
47846 + break;
47847 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
47848 + kfree(s->obj_hash);
47849 + else
47850 + vfree(s->obj_hash);
47851 + FOR_EACH_SUBJECT_END(s, x)
47852 + FOR_EACH_NESTED_SUBJECT_START(r, s)
47853 + if (s->obj_hash == NULL)
47854 + break;
47855 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
47856 + kfree(s->obj_hash);
47857 + else
47858 + vfree(s->obj_hash);
47859 + FOR_EACH_NESTED_SUBJECT_END(s)
47860 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
47861 + kfree(r->subj_hash);
47862 + else
47863 + vfree(r->subj_hash);
47864 + r->subj_hash = NULL;
47865 +next_role:
47866 + FOR_EACH_ROLE_END(r)
47867 +
47868 + acl_free_all();
47869 +
47870 + if (acl_role_set.r_hash) {
47871 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
47872 + PAGE_SIZE)
47873 + kfree(acl_role_set.r_hash);
47874 + else
47875 + vfree(acl_role_set.r_hash);
47876 + }
47877 + if (name_set.n_hash) {
47878 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
47879 + PAGE_SIZE)
47880 + kfree(name_set.n_hash);
47881 + else
47882 + vfree(name_set.n_hash);
47883 + }
47884 +
47885 + if (inodev_set.i_hash) {
47886 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
47887 + PAGE_SIZE)
47888 + kfree(inodev_set.i_hash);
47889 + else
47890 + vfree(inodev_set.i_hash);
47891 + }
47892 +
47893 + gr_free_uidset();
47894 +
47895 + memset(&name_set, 0, sizeof (struct name_db));
47896 + memset(&inodev_set, 0, sizeof (struct inodev_db));
47897 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
47898 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
47899 +
47900 + default_role = NULL;
47901 + role_list = NULL;
47902 +
47903 + return;
47904 +}
47905 +
47906 +static __u32
47907 +count_user_objs(struct acl_object_label *userp)
47908 +{
47909 + struct acl_object_label o_tmp;
47910 + __u32 num = 0;
47911 +
47912 + while (userp) {
47913 + if (copy_from_user(&o_tmp, userp,
47914 + sizeof (struct acl_object_label)))
47915 + break;
47916 +
47917 + userp = o_tmp.prev;
47918 + num++;
47919 + }
47920 +
47921 + return num;
47922 +}
47923 +
47924 +static struct acl_subject_label *
47925 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
47926 +
47927 +static int
47928 +copy_user_glob(struct acl_object_label *obj)
47929 +{
47930 + struct acl_object_label *g_tmp, **guser;
47931 + unsigned int len;
47932 + char *tmp;
47933 +
47934 + if (obj->globbed == NULL)
47935 + return 0;
47936 +
47937 + guser = &obj->globbed;
47938 + while (*guser) {
47939 + g_tmp = (struct acl_object_label *)
47940 + acl_alloc(sizeof (struct acl_object_label));
47941 + if (g_tmp == NULL)
47942 + return -ENOMEM;
47943 +
47944 + if (copy_from_user(g_tmp, *guser,
47945 + sizeof (struct acl_object_label)))
47946 + return -EFAULT;
47947 +
47948 + len = strnlen_user(g_tmp->filename, PATH_MAX);
47949 +
47950 + if (!len || len >= PATH_MAX)
47951 + return -EINVAL;
47952 +
47953 + if ((tmp = (char *) acl_alloc(len)) == NULL)
47954 + return -ENOMEM;
47955 +
47956 + if (copy_from_user(tmp, g_tmp->filename, len))
47957 + return -EFAULT;
47958 + tmp[len-1] = '\0';
47959 + g_tmp->filename = tmp;
47960 +
47961 + *guser = g_tmp;
47962 + guser = &(g_tmp->next);
47963 + }
47964 +
47965 + return 0;
47966 +}
47967 +
47968 +static int
47969 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
47970 + struct acl_role_label *role)
47971 +{
47972 + struct acl_object_label *o_tmp;
47973 + unsigned int len;
47974 + int ret;
47975 + char *tmp;
47976 +
47977 + while (userp) {
47978 + if ((o_tmp = (struct acl_object_label *)
47979 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
47980 + return -ENOMEM;
47981 +
47982 + if (copy_from_user(o_tmp, userp,
47983 + sizeof (struct acl_object_label)))
47984 + return -EFAULT;
47985 +
47986 + userp = o_tmp->prev;
47987 +
47988 + len = strnlen_user(o_tmp->filename, PATH_MAX);
47989 +
47990 + if (!len || len >= PATH_MAX)
47991 + return -EINVAL;
47992 +
47993 + if ((tmp = (char *) acl_alloc(len)) == NULL)
47994 + return -ENOMEM;
47995 +
47996 + if (copy_from_user(tmp, o_tmp->filename, len))
47997 + return -EFAULT;
47998 + tmp[len-1] = '\0';
47999 + o_tmp->filename = tmp;
48000 +
48001 + insert_acl_obj_label(o_tmp, subj);
48002 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
48003 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
48004 + return -ENOMEM;
48005 +
48006 + ret = copy_user_glob(o_tmp);
48007 + if (ret)
48008 + return ret;
48009 +
48010 + if (o_tmp->nested) {
48011 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
48012 + if (IS_ERR(o_tmp->nested))
48013 + return PTR_ERR(o_tmp->nested);
48014 +
48015 + /* insert into nested subject list */
48016 + o_tmp->nested->next = role->hash->first;
48017 + role->hash->first = o_tmp->nested;
48018 + }
48019 + }
48020 +
48021 + return 0;
48022 +}
48023 +
48024 +static __u32
48025 +count_user_subjs(struct acl_subject_label *userp)
48026 +{
48027 + struct acl_subject_label s_tmp;
48028 + __u32 num = 0;
48029 +
48030 + while (userp) {
48031 + if (copy_from_user(&s_tmp, userp,
48032 + sizeof (struct acl_subject_label)))
48033 + break;
48034 +
48035 + userp = s_tmp.prev;
48036 + /* do not count nested subjects against this count, since
48037 + they are not included in the hash table, but are
48038 + attached to objects. We have already counted
48039 + the subjects in userspace for the allocation
48040 + stack
48041 + */
48042 + if (!(s_tmp.mode & GR_NESTED))
48043 + num++;
48044 + }
48045 +
48046 + return num;
48047 +}
48048 +
48049 +static int
48050 +copy_user_allowedips(struct acl_role_label *rolep)
48051 +{
48052 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
48053 +
48054 + ruserip = rolep->allowed_ips;
48055 +
48056 + while (ruserip) {
48057 + rlast = rtmp;
48058 +
48059 + if ((rtmp = (struct role_allowed_ip *)
48060 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
48061 + return -ENOMEM;
48062 +
48063 + if (copy_from_user(rtmp, ruserip,
48064 + sizeof (struct role_allowed_ip)))
48065 + return -EFAULT;
48066 +
48067 + ruserip = rtmp->prev;
48068 +
48069 + if (!rlast) {
48070 + rtmp->prev = NULL;
48071 + rolep->allowed_ips = rtmp;
48072 + } else {
48073 + rlast->next = rtmp;
48074 + rtmp->prev = rlast;
48075 + }
48076 +
48077 + if (!ruserip)
48078 + rtmp->next = NULL;
48079 + }
48080 +
48081 + return 0;
48082 +}
48083 +
48084 +static int
48085 +copy_user_transitions(struct acl_role_label *rolep)
48086 +{
48087 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
48088 +
48089 + unsigned int len;
48090 + char *tmp;
48091 +
48092 + rusertp = rolep->transitions;
48093 +
48094 + while (rusertp) {
48095 + rlast = rtmp;
48096 +
48097 + if ((rtmp = (struct role_transition *)
48098 + acl_alloc(sizeof (struct role_transition))) == NULL)
48099 + return -ENOMEM;
48100 +
48101 + if (copy_from_user(rtmp, rusertp,
48102 + sizeof (struct role_transition)))
48103 + return -EFAULT;
48104 +
48105 + rusertp = rtmp->prev;
48106 +
48107 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
48108 +
48109 + if (!len || len >= GR_SPROLE_LEN)
48110 + return -EINVAL;
48111 +
48112 + if ((tmp = (char *) acl_alloc(len)) == NULL)
48113 + return -ENOMEM;
48114 +
48115 + if (copy_from_user(tmp, rtmp->rolename, len))
48116 + return -EFAULT;
48117 + tmp[len-1] = '\0';
48118 + rtmp->rolename = tmp;
48119 +
48120 + if (!rlast) {
48121 + rtmp->prev = NULL;
48122 + rolep->transitions = rtmp;
48123 + } else {
48124 + rlast->next = rtmp;
48125 + rtmp->prev = rlast;
48126 + }
48127 +
48128 + if (!rusertp)
48129 + rtmp->next = NULL;
48130 + }
48131 +
48132 + return 0;
48133 +}
48134 +
48135 +static struct acl_subject_label *
48136 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
48137 +{
48138 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
48139 + unsigned int len;
48140 + char *tmp;
48141 + __u32 num_objs;
48142 + struct acl_ip_label **i_tmp, *i_utmp2;
48143 + struct gr_hash_struct ghash;
48144 + struct subject_map *subjmap;
48145 + unsigned int i_num;
48146 + int err;
48147 +
48148 + s_tmp = lookup_subject_map(userp);
48149 +
48150 + /* we've already copied this subject into the kernel, just return
48151 + the reference to it, and don't copy it over again
48152 + */
48153 + if (s_tmp)
48154 + return(s_tmp);
48155 +
48156 + if ((s_tmp = (struct acl_subject_label *)
48157 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
48158 + return ERR_PTR(-ENOMEM);
48159 +
48160 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
48161 + if (subjmap == NULL)
48162 + return ERR_PTR(-ENOMEM);
48163 +
48164 + subjmap->user = userp;
48165 + subjmap->kernel = s_tmp;
48166 + insert_subj_map_entry(subjmap);
48167 +
48168 + if (copy_from_user(s_tmp, userp,
48169 + sizeof (struct acl_subject_label)))
48170 + return ERR_PTR(-EFAULT);
48171 +
48172 + len = strnlen_user(s_tmp->filename, PATH_MAX);
48173 +
48174 + if (!len || len >= PATH_MAX)
48175 + return ERR_PTR(-EINVAL);
48176 +
48177 + if ((tmp = (char *) acl_alloc(len)) == NULL)
48178 + return ERR_PTR(-ENOMEM);
48179 +
48180 + if (copy_from_user(tmp, s_tmp->filename, len))
48181 + return ERR_PTR(-EFAULT);
48182 + tmp[len-1] = '\0';
48183 + s_tmp->filename = tmp;
48184 +
48185 + if (!strcmp(s_tmp->filename, "/"))
48186 + role->root_label = s_tmp;
48187 +
48188 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
48189 + return ERR_PTR(-EFAULT);
48190 +
48191 + /* copy user and group transition tables */
48192 +
48193 + if (s_tmp->user_trans_num) {
48194 + uid_t *uidlist;
48195 +
48196 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
48197 + if (uidlist == NULL)
48198 + return ERR_PTR(-ENOMEM);
48199 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
48200 + return ERR_PTR(-EFAULT);
48201 +
48202 + s_tmp->user_transitions = uidlist;
48203 + }
48204 +
48205 + if (s_tmp->group_trans_num) {
48206 + gid_t *gidlist;
48207 +
48208 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
48209 + if (gidlist == NULL)
48210 + return ERR_PTR(-ENOMEM);
48211 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
48212 + return ERR_PTR(-EFAULT);
48213 +
48214 + s_tmp->group_transitions = gidlist;
48215 + }
48216 +
48217 + /* set up object hash table */
48218 + num_objs = count_user_objs(ghash.first);
48219 +
48220 + s_tmp->obj_hash_size = num_objs;
48221 + s_tmp->obj_hash =
48222 + (struct acl_object_label **)
48223 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
48224 +
48225 + if (!s_tmp->obj_hash)
48226 + return ERR_PTR(-ENOMEM);
48227 +
48228 + memset(s_tmp->obj_hash, 0,
48229 + s_tmp->obj_hash_size *
48230 + sizeof (struct acl_object_label *));
48231 +
48232 + /* add in objects */
48233 + err = copy_user_objs(ghash.first, s_tmp, role);
48234 +
48235 + if (err)
48236 + return ERR_PTR(err);
48237 +
48238 + /* set pointer for parent subject */
48239 + if (s_tmp->parent_subject) {
48240 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
48241 +
48242 + if (IS_ERR(s_tmp2))
48243 + return s_tmp2;
48244 +
48245 + s_tmp->parent_subject = s_tmp2;
48246 + }
48247 +
48248 + /* add in ip acls */
48249 +
48250 + if (!s_tmp->ip_num) {
48251 + s_tmp->ips = NULL;
48252 + goto insert;
48253 + }
48254 +
48255 + i_tmp =
48256 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
48257 + sizeof (struct acl_ip_label *));
48258 +
48259 + if (!i_tmp)
48260 + return ERR_PTR(-ENOMEM);
48261 +
48262 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
48263 + *(i_tmp + i_num) =
48264 + (struct acl_ip_label *)
48265 + acl_alloc(sizeof (struct acl_ip_label));
48266 + if (!*(i_tmp + i_num))
48267 + return ERR_PTR(-ENOMEM);
48268 +
48269 + if (copy_from_user
48270 + (&i_utmp2, s_tmp->ips + i_num,
48271 + sizeof (struct acl_ip_label *)))
48272 + return ERR_PTR(-EFAULT);
48273 +
48274 + if (copy_from_user
48275 + (*(i_tmp + i_num), i_utmp2,
48276 + sizeof (struct acl_ip_label)))
48277 + return ERR_PTR(-EFAULT);
48278 +
48279 + if ((*(i_tmp + i_num))->iface == NULL)
48280 + continue;
48281 +
48282 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
48283 + if (!len || len >= IFNAMSIZ)
48284 + return ERR_PTR(-EINVAL);
48285 + tmp = acl_alloc(len);
48286 + if (tmp == NULL)
48287 + return ERR_PTR(-ENOMEM);
48288 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
48289 + return ERR_PTR(-EFAULT);
48290 + (*(i_tmp + i_num))->iface = tmp;
48291 + }
48292 +
48293 + s_tmp->ips = i_tmp;
48294 +
48295 +insert:
48296 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
48297 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
48298 + return ERR_PTR(-ENOMEM);
48299 +
48300 + return s_tmp;
48301 +}
48302 +
48303 +static int
48304 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
48305 +{
48306 + struct acl_subject_label s_pre;
48307 + struct acl_subject_label * ret;
48308 + int err;
48309 +
48310 + while (userp) {
48311 + if (copy_from_user(&s_pre, userp,
48312 + sizeof (struct acl_subject_label)))
48313 + return -EFAULT;
48314 +
48315 + /* do not add nested subjects here, add
48316 + while parsing objects
48317 + */
48318 +
48319 + if (s_pre.mode & GR_NESTED) {
48320 + userp = s_pre.prev;
48321 + continue;
48322 + }
48323 +
48324 + ret = do_copy_user_subj(userp, role);
48325 +
48326 + err = PTR_ERR(ret);
48327 + if (IS_ERR(ret))
48328 + return err;
48329 +
48330 + insert_acl_subj_label(ret, role);
48331 +
48332 + userp = s_pre.prev;
48333 + }
48334 +
48335 + return 0;
48336 +}
48337 +
48338 +static int
48339 +copy_user_acl(struct gr_arg *arg)
48340 +{
48341 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
48342 + struct sprole_pw *sptmp;
48343 + struct gr_hash_struct *ghash;
48344 + uid_t *domainlist;
48345 + unsigned int r_num;
48346 + unsigned int len;
48347 + char *tmp;
48348 + int err = 0;
48349 + __u16 i;
48350 + __u32 num_subjs;
48351 +
48352 + /* we need a default and kernel role */
48353 + if (arg->role_db.num_roles < 2)
48354 + return -EINVAL;
48355 +
48356 + /* copy special role authentication info from userspace */
48357 +
48358 + num_sprole_pws = arg->num_sprole_pws;
48359 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
48360 +
48361 + if (!acl_special_roles) {
48362 + err = -ENOMEM;
48363 + goto cleanup;
48364 + }
48365 +
48366 + for (i = 0; i < num_sprole_pws; i++) {
48367 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
48368 + if (!sptmp) {
48369 + err = -ENOMEM;
48370 + goto cleanup;
48371 + }
48372 + if (copy_from_user(sptmp, arg->sprole_pws + i,
48373 + sizeof (struct sprole_pw))) {
48374 + err = -EFAULT;
48375 + goto cleanup;
48376 + }
48377 +
48378 + len =
48379 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
48380 +
48381 + if (!len || len >= GR_SPROLE_LEN) {
48382 + err = -EINVAL;
48383 + goto cleanup;
48384 + }
48385 +
48386 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
48387 + err = -ENOMEM;
48388 + goto cleanup;
48389 + }
48390 +
48391 + if (copy_from_user(tmp, sptmp->rolename, len)) {
48392 + err = -EFAULT;
48393 + goto cleanup;
48394 + }
48395 + tmp[len-1] = '\0';
48396 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
48397 + printk(KERN_ALERT "Copying special role %s\n", tmp);
48398 +#endif
48399 + sptmp->rolename = tmp;
48400 + acl_special_roles[i] = sptmp;
48401 + }
48402 +
48403 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
48404 +
48405 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
48406 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
48407 +
48408 + if (!r_tmp) {
48409 + err = -ENOMEM;
48410 + goto cleanup;
48411 + }
48412 +
48413 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
48414 + sizeof (struct acl_role_label *))) {
48415 + err = -EFAULT;
48416 + goto cleanup;
48417 + }
48418 +
48419 + if (copy_from_user(r_tmp, r_utmp2,
48420 + sizeof (struct acl_role_label))) {
48421 + err = -EFAULT;
48422 + goto cleanup;
48423 + }
48424 +
48425 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
48426 +
48427 + if (!len || len >= PATH_MAX) {
48428 + err = -EINVAL;
48429 + goto cleanup;
48430 + }
48431 +
48432 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
48433 + err = -ENOMEM;
48434 + goto cleanup;
48435 + }
48436 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
48437 + err = -EFAULT;
48438 + goto cleanup;
48439 + }
48440 + tmp[len-1] = '\0';
48441 + r_tmp->rolename = tmp;
48442 +
48443 + if (!strcmp(r_tmp->rolename, "default")
48444 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
48445 + default_role = r_tmp;
48446 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
48447 + kernel_role = r_tmp;
48448 + }
48449 +
48450 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
48451 + err = -ENOMEM;
48452 + goto cleanup;
48453 + }
48454 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
48455 + err = -EFAULT;
48456 + goto cleanup;
48457 + }
48458 +
48459 + r_tmp->hash = ghash;
48460 +
48461 + num_subjs = count_user_subjs(r_tmp->hash->first);
48462 +
48463 + r_tmp->subj_hash_size = num_subjs;
48464 + r_tmp->subj_hash =
48465 + (struct acl_subject_label **)
48466 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
48467 +
48468 + if (!r_tmp->subj_hash) {
48469 + err = -ENOMEM;
48470 + goto cleanup;
48471 + }
48472 +
48473 + err = copy_user_allowedips(r_tmp);
48474 + if (err)
48475 + goto cleanup;
48476 +
48477 + /* copy domain info */
48478 + if (r_tmp->domain_children != NULL) {
48479 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
48480 + if (domainlist == NULL) {
48481 + err = -ENOMEM;
48482 + goto cleanup;
48483 + }
48484 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
48485 + err = -EFAULT;
48486 + goto cleanup;
48487 + }
48488 + r_tmp->domain_children = domainlist;
48489 + }
48490 +
48491 + err = copy_user_transitions(r_tmp);
48492 + if (err)
48493 + goto cleanup;
48494 +
48495 + memset(r_tmp->subj_hash, 0,
48496 + r_tmp->subj_hash_size *
48497 + sizeof (struct acl_subject_label *));
48498 +
48499 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
48500 +
48501 + if (err)
48502 + goto cleanup;
48503 +
48504 + /* set nested subject list to null */
48505 + r_tmp->hash->first = NULL;
48506 +
48507 + insert_acl_role_label(r_tmp);
48508 + }
48509 +
48510 + goto return_err;
48511 + cleanup:
48512 + free_variables();
48513 + return_err:
48514 + return err;
48515 +
48516 +}
48517 +
48518 +static int
48519 +gracl_init(struct gr_arg *args)
48520 +{
48521 + int error = 0;
48522 +
48523 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
48524 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
48525 +
48526 + if (init_variables(args)) {
48527 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
48528 + error = -ENOMEM;
48529 + free_variables();
48530 + goto out;
48531 + }
48532 +
48533 + error = copy_user_acl(args);
48534 + free_init_variables();
48535 + if (error) {
48536 + free_variables();
48537 + goto out;
48538 + }
48539 +
48540 + if ((error = gr_set_acls(0))) {
48541 + free_variables();
48542 + goto out;
48543 + }
48544 +
48545 + pax_open_kernel();
48546 + gr_status |= GR_READY;
48547 + pax_close_kernel();
48548 +
48549 + out:
48550 + return error;
48551 +}
48552 +
48553 +/* derived from glibc fnmatch() 0: match, 1: no match*/
48554 +
48555 +static int
48556 +glob_match(const char *p, const char *n)
48557 +{
48558 + char c;
48559 +
48560 + while ((c = *p++) != '\0') {
48561 + switch (c) {
48562 + case '?':
48563 + if (*n == '\0')
48564 + return 1;
48565 + else if (*n == '/')
48566 + return 1;
48567 + break;
48568 + case '\\':
48569 + if (*n != c)
48570 + return 1;
48571 + break;
48572 + case '*':
48573 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
48574 + if (*n == '/')
48575 + return 1;
48576 + else if (c == '?') {
48577 + if (*n == '\0')
48578 + return 1;
48579 + else
48580 + ++n;
48581 + }
48582 + }
48583 + if (c == '\0') {
48584 + return 0;
48585 + } else {
48586 + const char *endp;
48587 +
48588 + if ((endp = strchr(n, '/')) == NULL)
48589 + endp = n + strlen(n);
48590 +
48591 + if (c == '[') {
48592 + for (--p; n < endp; ++n)
48593 + if (!glob_match(p, n))
48594 + return 0;
48595 + } else if (c == '/') {
48596 + while (*n != '\0' && *n != '/')
48597 + ++n;
48598 + if (*n == '/' && !glob_match(p, n + 1))
48599 + return 0;
48600 + } else {
48601 + for (--p; n < endp; ++n)
48602 + if (*n == c && !glob_match(p, n))
48603 + return 0;
48604 + }
48605 +
48606 + return 1;
48607 + }
48608 + case '[':
48609 + {
48610 + int not;
48611 + char cold;
48612 +
48613 + if (*n == '\0' || *n == '/')
48614 + return 1;
48615 +
48616 + not = (*p == '!' || *p == '^');
48617 + if (not)
48618 + ++p;
48619 +
48620 + c = *p++;
48621 + for (;;) {
48622 + unsigned char fn = (unsigned char)*n;
48623 +
48624 + if (c == '\0')
48625 + return 1;
48626 + else {
48627 + if (c == fn)
48628 + goto matched;
48629 + cold = c;
48630 + c = *p++;
48631 +
48632 + if (c == '-' && *p != ']') {
48633 + unsigned char cend = *p++;
48634 +
48635 + if (cend == '\0')
48636 + return 1;
48637 +
48638 + if (cold <= fn && fn <= cend)
48639 + goto matched;
48640 +
48641 + c = *p++;
48642 + }
48643 + }
48644 +
48645 + if (c == ']')
48646 + break;
48647 + }
48648 + if (!not)
48649 + return 1;
48650 + break;
48651 + matched:
48652 + while (c != ']') {
48653 + if (c == '\0')
48654 + return 1;
48655 +
48656 + c = *p++;
48657 + }
48658 + if (not)
48659 + return 1;
48660 + }
48661 + break;
48662 + default:
48663 + if (c != *n)
48664 + return 1;
48665 + }
48666 +
48667 + ++n;
48668 + }
48669 +
48670 + if (*n == '\0')
48671 + return 0;
48672 +
48673 + if (*n == '/')
48674 + return 0;
48675 +
48676 + return 1;
48677 +}
48678 +
48679 +static struct acl_object_label *
48680 +chk_glob_label(struct acl_object_label *globbed,
48681 + struct dentry *dentry, struct vfsmount *mnt, char **path)
48682 +{
48683 + struct acl_object_label *tmp;
48684 +
48685 + if (*path == NULL)
48686 + *path = gr_to_filename_nolock(dentry, mnt);
48687 +
48688 + tmp = globbed;
48689 +
48690 + while (tmp) {
48691 + if (!glob_match(tmp->filename, *path))
48692 + return tmp;
48693 + tmp = tmp->next;
48694 + }
48695 +
48696 + return NULL;
48697 +}
48698 +
48699 +static struct acl_object_label *
48700 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
48701 + const ino_t curr_ino, const dev_t curr_dev,
48702 + const struct acl_subject_label *subj, char **path, const int checkglob)
48703 +{
48704 + struct acl_subject_label *tmpsubj;
48705 + struct acl_object_label *retval;
48706 + struct acl_object_label *retval2;
48707 +
48708 + tmpsubj = (struct acl_subject_label *) subj;
48709 + read_lock(&gr_inode_lock);
48710 + do {
48711 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
48712 + if (retval) {
48713 + if (checkglob && retval->globbed) {
48714 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
48715 + (struct vfsmount *)orig_mnt, path);
48716 + if (retval2)
48717 + retval = retval2;
48718 + }
48719 + break;
48720 + }
48721 + } while ((tmpsubj = tmpsubj->parent_subject));
48722 + read_unlock(&gr_inode_lock);
48723 +
48724 + return retval;
48725 +}
48726 +
48727 +static __inline__ struct acl_object_label *
48728 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
48729 + const struct dentry *curr_dentry,
48730 + const struct acl_subject_label *subj, char **path, const int checkglob)
48731 +{
48732 + int newglob = checkglob;
48733 +
48734 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
48735 + as we don't want a / * rule to match instead of the / object
48736 + don't do this for create lookups that call this function though, since they're looking up
48737 + on the parent and thus need globbing checks on all paths
48738 + */
48739 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
48740 + newglob = GR_NO_GLOB;
48741 +
48742 + return __full_lookup(orig_dentry, orig_mnt,
48743 + curr_dentry->d_inode->i_ino,
48744 + __get_dev(curr_dentry), subj, path, newglob);
48745 +}
48746 +
48747 +static struct acl_object_label *
48748 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
48749 + const struct acl_subject_label *subj, char *path, const int checkglob)
48750 +{
48751 + struct dentry *dentry = (struct dentry *) l_dentry;
48752 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
48753 + struct acl_object_label *retval;
48754 +
48755 + spin_lock(&dcache_lock);
48756 + spin_lock(&vfsmount_lock);
48757 +
48758 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
48759 +#ifdef CONFIG_NET
48760 + mnt == sock_mnt ||
48761 +#endif
48762 +#ifdef CONFIG_HUGETLBFS
48763 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
48764 +#endif
48765 + /* ignore Eric Biederman */
48766 + IS_PRIVATE(l_dentry->d_inode))) {
48767 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
48768 + goto out;
48769 + }
48770 +
48771 + for (;;) {
48772 + if (dentry == real_root && mnt == real_root_mnt)
48773 + break;
48774 +
48775 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
48776 + if (mnt->mnt_parent == mnt)
48777 + break;
48778 +
48779 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
48780 + if (retval != NULL)
48781 + goto out;
48782 +
48783 + dentry = mnt->mnt_mountpoint;
48784 + mnt = mnt->mnt_parent;
48785 + continue;
48786 + }
48787 +
48788 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
48789 + if (retval != NULL)
48790 + goto out;
48791 +
48792 + dentry = dentry->d_parent;
48793 + }
48794 +
48795 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
48796 +
48797 + if (retval == NULL)
48798 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
48799 +out:
48800 + spin_unlock(&vfsmount_lock);
48801 + spin_unlock(&dcache_lock);
48802 +
48803 + BUG_ON(retval == NULL);
48804 +
48805 + return retval;
48806 +}
48807 +
48808 +static __inline__ struct acl_object_label *
48809 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
48810 + const struct acl_subject_label *subj)
48811 +{
48812 + char *path = NULL;
48813 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
48814 +}
48815 +
48816 +static __inline__ struct acl_object_label *
48817 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
48818 + const struct acl_subject_label *subj)
48819 +{
48820 + char *path = NULL;
48821 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
48822 +}
48823 +
48824 +static __inline__ struct acl_object_label *
48825 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
48826 + const struct acl_subject_label *subj, char *path)
48827 +{
48828 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
48829 +}
48830 +
48831 +static struct acl_subject_label *
48832 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
48833 + const struct acl_role_label *role)
48834 +{
48835 + struct dentry *dentry = (struct dentry *) l_dentry;
48836 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
48837 + struct acl_subject_label *retval;
48838 +
48839 + spin_lock(&dcache_lock);
48840 + spin_lock(&vfsmount_lock);
48841 +
48842 + for (;;) {
48843 + if (dentry == real_root && mnt == real_root_mnt)
48844 + break;
48845 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
48846 + if (mnt->mnt_parent == mnt)
48847 + break;
48848 +
48849 + read_lock(&gr_inode_lock);
48850 + retval =
48851 + lookup_acl_subj_label(dentry->d_inode->i_ino,
48852 + __get_dev(dentry), role);
48853 + read_unlock(&gr_inode_lock);
48854 + if (retval != NULL)
48855 + goto out;
48856 +
48857 + dentry = mnt->mnt_mountpoint;
48858 + mnt = mnt->mnt_parent;
48859 + continue;
48860 + }
48861 +
48862 + read_lock(&gr_inode_lock);
48863 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
48864 + __get_dev(dentry), role);
48865 + read_unlock(&gr_inode_lock);
48866 + if (retval != NULL)
48867 + goto out;
48868 +
48869 + dentry = dentry->d_parent;
48870 + }
48871 +
48872 + read_lock(&gr_inode_lock);
48873 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
48874 + __get_dev(dentry), role);
48875 + read_unlock(&gr_inode_lock);
48876 +
48877 + if (unlikely(retval == NULL)) {
48878 + read_lock(&gr_inode_lock);
48879 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
48880 + __get_dev(real_root), role);
48881 + read_unlock(&gr_inode_lock);
48882 + }
48883 +out:
48884 + spin_unlock(&vfsmount_lock);
48885 + spin_unlock(&dcache_lock);
48886 +
48887 + BUG_ON(retval == NULL);
48888 +
48889 + return retval;
48890 +}
48891 +
48892 +static void
48893 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
48894 +{
48895 + struct task_struct *task = current;
48896 + const struct cred *cred = current_cred();
48897 +
48898 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
48899 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
48900 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
48901 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
48902 +
48903 + return;
48904 +}
48905 +
48906 +static void
48907 +gr_log_learn_sysctl(const char *path, const __u32 mode)
48908 +{
48909 + struct task_struct *task = current;
48910 + const struct cred *cred = current_cred();
48911 +
48912 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
48913 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
48914 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
48915 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
48916 +
48917 + return;
48918 +}
48919 +
48920 +static void
48921 +gr_log_learn_id_change(const char type, const unsigned int real,
48922 + const unsigned int effective, const unsigned int fs)
48923 +{
48924 + struct task_struct *task = current;
48925 + const struct cred *cred = current_cred();
48926 +
48927 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
48928 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
48929 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
48930 + type, real, effective, fs, &task->signal->saved_ip);
48931 +
48932 + return;
48933 +}
48934 +
48935 +__u32
48936 +gr_check_link(const struct dentry * new_dentry,
48937 + const struct dentry * parent_dentry,
48938 + const struct vfsmount * parent_mnt,
48939 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
48940 +{
48941 + struct acl_object_label *obj;
48942 + __u32 oldmode, newmode;
48943 + __u32 needmode;
48944 +
48945 + if (unlikely(!(gr_status & GR_READY)))
48946 + return (GR_CREATE | GR_LINK);
48947 +
48948 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
48949 + oldmode = obj->mode;
48950 +
48951 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
48952 + oldmode |= (GR_CREATE | GR_LINK);
48953 +
48954 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
48955 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
48956 + needmode |= GR_SETID | GR_AUDIT_SETID;
48957 +
48958 + newmode =
48959 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
48960 + oldmode | needmode);
48961 +
48962 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
48963 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
48964 + GR_INHERIT | GR_AUDIT_INHERIT);
48965 +
48966 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
48967 + goto bad;
48968 +
48969 + if ((oldmode & needmode) != needmode)
48970 + goto bad;
48971 +
48972 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
48973 + if ((newmode & needmode) != needmode)
48974 + goto bad;
48975 +
48976 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
48977 + return newmode;
48978 +bad:
48979 + needmode = oldmode;
48980 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
48981 + needmode |= GR_SETID;
48982 +
48983 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
48984 + gr_log_learn(old_dentry, old_mnt, needmode);
48985 + return (GR_CREATE | GR_LINK);
48986 + } else if (newmode & GR_SUPPRESS)
48987 + return GR_SUPPRESS;
48988 + else
48989 + return 0;
48990 +}
48991 +
48992 +__u32
48993 +gr_search_file(const struct dentry * dentry, const __u32 mode,
48994 + const struct vfsmount * mnt)
48995 +{
48996 + __u32 retval = mode;
48997 + struct acl_subject_label *curracl;
48998 + struct acl_object_label *currobj;
48999 +
49000 + if (unlikely(!(gr_status & GR_READY)))
49001 + return (mode & ~GR_AUDITS);
49002 +
49003 + curracl = current->acl;
49004 +
49005 + currobj = chk_obj_label(dentry, mnt, curracl);
49006 + retval = currobj->mode & mode;
49007 +
49008 + /* if we're opening a specified transfer file for writing
49009 + (e.g. /dev/initctl), then transfer our role to init
49010 + */
49011 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
49012 + current->role->roletype & GR_ROLE_PERSIST)) {
49013 + struct task_struct *task = init_pid_ns.child_reaper;
49014 +
49015 + if (task->role != current->role) {
49016 + task->acl_sp_role = 0;
49017 + task->acl_role_id = current->acl_role_id;
49018 + task->role = current->role;
49019 + rcu_read_lock();
49020 + read_lock(&grsec_exec_file_lock);
49021 + gr_apply_subject_to_task(task);
49022 + read_unlock(&grsec_exec_file_lock);
49023 + rcu_read_unlock();
49024 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
49025 + }
49026 + }
49027 +
49028 + if (unlikely
49029 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
49030 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
49031 + __u32 new_mode = mode;
49032 +
49033 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49034 +
49035 + retval = new_mode;
49036 +
49037 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
49038 + new_mode |= GR_INHERIT;
49039 +
49040 + if (!(mode & GR_NOLEARN))
49041 + gr_log_learn(dentry, mnt, new_mode);
49042 + }
49043 +
49044 + return retval;
49045 +}
49046 +
49047 +__u32
49048 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
49049 + const struct vfsmount * mnt, const __u32 mode)
49050 +{
49051 + struct name_entry *match;
49052 + struct acl_object_label *matchpo;
49053 + struct acl_subject_label *curracl;
49054 + char *path;
49055 + __u32 retval;
49056 +
49057 + if (unlikely(!(gr_status & GR_READY)))
49058 + return (mode & ~GR_AUDITS);
49059 +
49060 + preempt_disable();
49061 + path = gr_to_filename_rbac(new_dentry, mnt);
49062 + match = lookup_name_entry_create(path);
49063 +
49064 + if (!match)
49065 + goto check_parent;
49066 +
49067 + curracl = current->acl;
49068 +
49069 + read_lock(&gr_inode_lock);
49070 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
49071 + read_unlock(&gr_inode_lock);
49072 +
49073 + if (matchpo) {
49074 + if ((matchpo->mode & mode) !=
49075 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
49076 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
49077 + __u32 new_mode = mode;
49078 +
49079 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49080 +
49081 + gr_log_learn(new_dentry, mnt, new_mode);
49082 +
49083 + preempt_enable();
49084 + return new_mode;
49085 + }
49086 + preempt_enable();
49087 + return (matchpo->mode & mode);
49088 + }
49089 +
49090 + check_parent:
49091 + curracl = current->acl;
49092 +
49093 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
49094 + retval = matchpo->mode & mode;
49095 +
49096 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
49097 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
49098 + __u32 new_mode = mode;
49099 +
49100 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
49101 +
49102 + gr_log_learn(new_dentry, mnt, new_mode);
49103 + preempt_enable();
49104 + return new_mode;
49105 + }
49106 +
49107 + preempt_enable();
49108 + return retval;
49109 +}
49110 +
49111 +int
49112 +gr_check_hidden_task(const struct task_struct *task)
49113 +{
49114 + if (unlikely(!(gr_status & GR_READY)))
49115 + return 0;
49116 +
49117 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
49118 + return 1;
49119 +
49120 + return 0;
49121 +}
49122 +
49123 +int
49124 +gr_check_protected_task(const struct task_struct *task)
49125 +{
49126 + if (unlikely(!(gr_status & GR_READY) || !task))
49127 + return 0;
49128 +
49129 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49130 + task->acl != current->acl)
49131 + return 1;
49132 +
49133 + return 0;
49134 +}
49135 +
49136 +int
49137 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
49138 +{
49139 + struct task_struct *p;
49140 + int ret = 0;
49141 +
49142 + if (unlikely(!(gr_status & GR_READY) || !pid))
49143 + return ret;
49144 +
49145 + read_lock(&tasklist_lock);
49146 + do_each_pid_task(pid, type, p) {
49147 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
49148 + p->acl != current->acl) {
49149 + ret = 1;
49150 + goto out;
49151 + }
49152 + } while_each_pid_task(pid, type, p);
49153 +out:
49154 + read_unlock(&tasklist_lock);
49155 +
49156 + return ret;
49157 +}
49158 +
49159 +void
49160 +gr_copy_label(struct task_struct *tsk)
49161 +{
49162 + tsk->signal->used_accept = 0;
49163 + tsk->acl_sp_role = 0;
49164 + tsk->acl_role_id = current->acl_role_id;
49165 + tsk->acl = current->acl;
49166 + tsk->role = current->role;
49167 + tsk->signal->curr_ip = current->signal->curr_ip;
49168 + tsk->signal->saved_ip = current->signal->saved_ip;
49169 + if (current->exec_file)
49170 + get_file(current->exec_file);
49171 + tsk->exec_file = current->exec_file;
49172 + tsk->is_writable = current->is_writable;
49173 + if (unlikely(current->signal->used_accept)) {
49174 + current->signal->curr_ip = 0;
49175 + current->signal->saved_ip = 0;
49176 + }
49177 +
49178 + return;
49179 +}
49180 +
49181 +static void
49182 +gr_set_proc_res(struct task_struct *task)
49183 +{
49184 + struct acl_subject_label *proc;
49185 + unsigned short i;
49186 +
49187 + proc = task->acl;
49188 +
49189 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
49190 + return;
49191 +
49192 + for (i = 0; i < RLIM_NLIMITS; i++) {
49193 + if (!(proc->resmask & (1 << i)))
49194 + continue;
49195 +
49196 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
49197 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
49198 + }
49199 +
49200 + return;
49201 +}
49202 +
49203 +extern int __gr_process_user_ban(struct user_struct *user);
49204 +
49205 +int
49206 +gr_check_user_change(int real, int effective, int fs)
49207 +{
49208 + unsigned int i;
49209 + __u16 num;
49210 + uid_t *uidlist;
49211 + int curuid;
49212 + int realok = 0;
49213 + int effectiveok = 0;
49214 + int fsok = 0;
49215 +
49216 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
49217 + struct user_struct *user;
49218 +
49219 + if (real == -1)
49220 + goto skipit;
49221 +
49222 + user = find_user(real);
49223 + if (user == NULL)
49224 + goto skipit;
49225 +
49226 + if (__gr_process_user_ban(user)) {
49227 + /* for find_user */
49228 + free_uid(user);
49229 + return 1;
49230 + }
49231 +
49232 + /* for find_user */
49233 + free_uid(user);
49234 +
49235 +skipit:
49236 +#endif
49237 +
49238 + if (unlikely(!(gr_status & GR_READY)))
49239 + return 0;
49240 +
49241 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49242 + gr_log_learn_id_change('u', real, effective, fs);
49243 +
49244 + num = current->acl->user_trans_num;
49245 + uidlist = current->acl->user_transitions;
49246 +
49247 + if (uidlist == NULL)
49248 + return 0;
49249 +
49250 + if (real == -1)
49251 + realok = 1;
49252 + if (effective == -1)
49253 + effectiveok = 1;
49254 + if (fs == -1)
49255 + fsok = 1;
49256 +
49257 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
49258 + for (i = 0; i < num; i++) {
49259 + curuid = (int)uidlist[i];
49260 + if (real == curuid)
49261 + realok = 1;
49262 + if (effective == curuid)
49263 + effectiveok = 1;
49264 + if (fs == curuid)
49265 + fsok = 1;
49266 + }
49267 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
49268 + for (i = 0; i < num; i++) {
49269 + curuid = (int)uidlist[i];
49270 + if (real == curuid)
49271 + break;
49272 + if (effective == curuid)
49273 + break;
49274 + if (fs == curuid)
49275 + break;
49276 + }
49277 + /* not in deny list */
49278 + if (i == num) {
49279 + realok = 1;
49280 + effectiveok = 1;
49281 + fsok = 1;
49282 + }
49283 + }
49284 +
49285 + if (realok && effectiveok && fsok)
49286 + return 0;
49287 + else {
49288 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49289 + return 1;
49290 + }
49291 +}
49292 +
49293 +int
49294 +gr_check_group_change(int real, int effective, int fs)
49295 +{
49296 + unsigned int i;
49297 + __u16 num;
49298 + gid_t *gidlist;
49299 + int curgid;
49300 + int realok = 0;
49301 + int effectiveok = 0;
49302 + int fsok = 0;
49303 +
49304 + if (unlikely(!(gr_status & GR_READY)))
49305 + return 0;
49306 +
49307 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
49308 + gr_log_learn_id_change('g', real, effective, fs);
49309 +
49310 + num = current->acl->group_trans_num;
49311 + gidlist = current->acl->group_transitions;
49312 +
49313 + if (gidlist == NULL)
49314 + return 0;
49315 +
49316 + if (real == -1)
49317 + realok = 1;
49318 + if (effective == -1)
49319 + effectiveok = 1;
49320 + if (fs == -1)
49321 + fsok = 1;
49322 +
49323 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
49324 + for (i = 0; i < num; i++) {
49325 + curgid = (int)gidlist[i];
49326 + if (real == curgid)
49327 + realok = 1;
49328 + if (effective == curgid)
49329 + effectiveok = 1;
49330 + if (fs == curgid)
49331 + fsok = 1;
49332 + }
49333 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
49334 + for (i = 0; i < num; i++) {
49335 + curgid = (int)gidlist[i];
49336 + if (real == curgid)
49337 + break;
49338 + if (effective == curgid)
49339 + break;
49340 + if (fs == curgid)
49341 + break;
49342 + }
49343 + /* not in deny list */
49344 + if (i == num) {
49345 + realok = 1;
49346 + effectiveok = 1;
49347 + fsok = 1;
49348 + }
49349 + }
49350 +
49351 + if (realok && effectiveok && fsok)
49352 + return 0;
49353 + else {
49354 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
49355 + return 1;
49356 + }
49357 +}
49358 +
49359 +void
49360 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
49361 +{
49362 + struct acl_role_label *role = task->role;
49363 + struct acl_subject_label *subj = NULL;
49364 + struct acl_object_label *obj;
49365 + struct file *filp;
49366 +
49367 + if (unlikely(!(gr_status & GR_READY)))
49368 + return;
49369 +
49370 + filp = task->exec_file;
49371 +
49372 + /* kernel process, we'll give them the kernel role */
49373 + if (unlikely(!filp)) {
49374 + task->role = kernel_role;
49375 + task->acl = kernel_role->root_label;
49376 + return;
49377 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
49378 + role = lookup_acl_role_label(task, uid, gid);
49379 +
49380 + /* perform subject lookup in possibly new role
49381 + we can use this result below in the case where role == task->role
49382 + */
49383 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
49384 +
49385 + /* if we changed uid/gid, but result in the same role
49386 + and are using inheritance, don't lose the inherited subject
49387 + if current subject is other than what normal lookup
49388 + would result in, we arrived via inheritance, don't
49389 + lose subject
49390 + */
49391 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
49392 + (subj == task->acl)))
49393 + task->acl = subj;
49394 +
49395 + task->role = role;
49396 +
49397 + task->is_writable = 0;
49398 +
49399 + /* ignore additional mmap checks for processes that are writable
49400 + by the default ACL */
49401 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
49402 + if (unlikely(obj->mode & GR_WRITE))
49403 + task->is_writable = 1;
49404 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
49405 + if (unlikely(obj->mode & GR_WRITE))
49406 + task->is_writable = 1;
49407 +
49408 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49409 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49410 +#endif
49411 +
49412 + gr_set_proc_res(task);
49413 +
49414 + return;
49415 +}
49416 +
49417 +int
49418 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
49419 + const int unsafe_share)
49420 +{
49421 + struct task_struct *task = current;
49422 + struct acl_subject_label *newacl;
49423 + struct acl_object_label *obj;
49424 + __u32 retmode;
49425 +
49426 + if (unlikely(!(gr_status & GR_READY)))
49427 + return 0;
49428 +
49429 + newacl = chk_subj_label(dentry, mnt, task->role);
49430 +
49431 + task_lock(task);
49432 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
49433 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
49434 + !(task->role->roletype & GR_ROLE_GOD) &&
49435 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
49436 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
49437 + task_unlock(task);
49438 + if (unsafe_share)
49439 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
49440 + else
49441 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
49442 + return -EACCES;
49443 + }
49444 + task_unlock(task);
49445 +
49446 + obj = chk_obj_label(dentry, mnt, task->acl);
49447 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
49448 +
49449 + if (!(task->acl->mode & GR_INHERITLEARN) &&
49450 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
49451 + if (obj->nested)
49452 + task->acl = obj->nested;
49453 + else
49454 + task->acl = newacl;
49455 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
49456 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
49457 +
49458 + task->is_writable = 0;
49459 +
49460 + /* ignore additional mmap checks for processes that are writable
49461 + by the default ACL */
49462 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
49463 + if (unlikely(obj->mode & GR_WRITE))
49464 + task->is_writable = 1;
49465 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
49466 + if (unlikely(obj->mode & GR_WRITE))
49467 + task->is_writable = 1;
49468 +
49469 + gr_set_proc_res(task);
49470 +
49471 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49472 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
49473 +#endif
49474 + return 0;
49475 +}
49476 +
49477 +/* always called with valid inodev ptr */
49478 +static void
49479 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
49480 +{
49481 + struct acl_object_label *matchpo;
49482 + struct acl_subject_label *matchps;
49483 + struct acl_subject_label *subj;
49484 + struct acl_role_label *role;
49485 + unsigned int x;
49486 +
49487 + FOR_EACH_ROLE_START(role)
49488 + FOR_EACH_SUBJECT_START(role, subj, x)
49489 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
49490 + matchpo->mode |= GR_DELETED;
49491 + FOR_EACH_SUBJECT_END(subj,x)
49492 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
49493 + if (subj->inode == ino && subj->device == dev)
49494 + subj->mode |= GR_DELETED;
49495 + FOR_EACH_NESTED_SUBJECT_END(subj)
49496 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
49497 + matchps->mode |= GR_DELETED;
49498 + FOR_EACH_ROLE_END(role)
49499 +
49500 + inodev->nentry->deleted = 1;
49501 +
49502 + return;
49503 +}
49504 +
49505 +void
49506 +gr_handle_delete(const ino_t ino, const dev_t dev)
49507 +{
49508 + struct inodev_entry *inodev;
49509 +
49510 + if (unlikely(!(gr_status & GR_READY)))
49511 + return;
49512 +
49513 + write_lock(&gr_inode_lock);
49514 + inodev = lookup_inodev_entry(ino, dev);
49515 + if (inodev != NULL)
49516 + do_handle_delete(inodev, ino, dev);
49517 + write_unlock(&gr_inode_lock);
49518 +
49519 + return;
49520 +}
49521 +
49522 +static void
49523 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
49524 + const ino_t newinode, const dev_t newdevice,
49525 + struct acl_subject_label *subj)
49526 +{
49527 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
49528 + struct acl_object_label *match;
49529 +
49530 + match = subj->obj_hash[index];
49531 +
49532 + while (match && (match->inode != oldinode ||
49533 + match->device != olddevice ||
49534 + !(match->mode & GR_DELETED)))
49535 + match = match->next;
49536 +
49537 + if (match && (match->inode == oldinode)
49538 + && (match->device == olddevice)
49539 + && (match->mode & GR_DELETED)) {
49540 + if (match->prev == NULL) {
49541 + subj->obj_hash[index] = match->next;
49542 + if (match->next != NULL)
49543 + match->next->prev = NULL;
49544 + } else {
49545 + match->prev->next = match->next;
49546 + if (match->next != NULL)
49547 + match->next->prev = match->prev;
49548 + }
49549 + match->prev = NULL;
49550 + match->next = NULL;
49551 + match->inode = newinode;
49552 + match->device = newdevice;
49553 + match->mode &= ~GR_DELETED;
49554 +
49555 + insert_acl_obj_label(match, subj);
49556 + }
49557 +
49558 + return;
49559 +}
49560 +
49561 +static void
49562 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
49563 + const ino_t newinode, const dev_t newdevice,
49564 + struct acl_role_label *role)
49565 +{
49566 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
49567 + struct acl_subject_label *match;
49568 +
49569 + match = role->subj_hash[index];
49570 +
49571 + while (match && (match->inode != oldinode ||
49572 + match->device != olddevice ||
49573 + !(match->mode & GR_DELETED)))
49574 + match = match->next;
49575 +
49576 + if (match && (match->inode == oldinode)
49577 + && (match->device == olddevice)
49578 + && (match->mode & GR_DELETED)) {
49579 + if (match->prev == NULL) {
49580 + role->subj_hash[index] = match->next;
49581 + if (match->next != NULL)
49582 + match->next->prev = NULL;
49583 + } else {
49584 + match->prev->next = match->next;
49585 + if (match->next != NULL)
49586 + match->next->prev = match->prev;
49587 + }
49588 + match->prev = NULL;
49589 + match->next = NULL;
49590 + match->inode = newinode;
49591 + match->device = newdevice;
49592 + match->mode &= ~GR_DELETED;
49593 +
49594 + insert_acl_subj_label(match, role);
49595 + }
49596 +
49597 + return;
49598 +}
49599 +
49600 +static void
49601 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
49602 + const ino_t newinode, const dev_t newdevice)
49603 +{
49604 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
49605 + struct inodev_entry *match;
49606 +
49607 + match = inodev_set.i_hash[index];
49608 +
49609 + while (match && (match->nentry->inode != oldinode ||
49610 + match->nentry->device != olddevice || !match->nentry->deleted))
49611 + match = match->next;
49612 +
49613 + if (match && (match->nentry->inode == oldinode)
49614 + && (match->nentry->device == olddevice) &&
49615 + match->nentry->deleted) {
49616 + if (match->prev == NULL) {
49617 + inodev_set.i_hash[index] = match->next;
49618 + if (match->next != NULL)
49619 + match->next->prev = NULL;
49620 + } else {
49621 + match->prev->next = match->next;
49622 + if (match->next != NULL)
49623 + match->next->prev = match->prev;
49624 + }
49625 + match->prev = NULL;
49626 + match->next = NULL;
49627 + match->nentry->inode = newinode;
49628 + match->nentry->device = newdevice;
49629 + match->nentry->deleted = 0;
49630 +
49631 + insert_inodev_entry(match);
49632 + }
49633 +
49634 + return;
49635 +}
49636 +
49637 +static void
49638 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
49639 + const struct vfsmount *mnt)
49640 +{
49641 + struct acl_subject_label *subj;
49642 + struct acl_role_label *role;
49643 + unsigned int x;
49644 + ino_t inode = dentry->d_inode->i_ino;
49645 + dev_t dev = __get_dev(dentry);
49646 +
49647 + FOR_EACH_ROLE_START(role)
49648 + update_acl_subj_label(matchn->inode, matchn->device,
49649 + inode, dev, role);
49650 +
49651 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
49652 + if ((subj->inode == inode) && (subj->device == dev)) {
49653 + subj->inode = inode;
49654 + subj->device = dev;
49655 + }
49656 + FOR_EACH_NESTED_SUBJECT_END(subj)
49657 + FOR_EACH_SUBJECT_START(role, subj, x)
49658 + update_acl_obj_label(matchn->inode, matchn->device,
49659 + inode, dev, subj);
49660 + FOR_EACH_SUBJECT_END(subj,x)
49661 + FOR_EACH_ROLE_END(role)
49662 +
49663 + update_inodev_entry(matchn->inode, matchn->device, inode, dev);
49664 +
49665 + return;
49666 +}
49667 +
49668 +void
49669 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
49670 +{
49671 + struct name_entry *matchn;
49672 +
49673 + if (unlikely(!(gr_status & GR_READY)))
49674 + return;
49675 +
49676 + preempt_disable();
49677 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
49678 +
49679 + if (unlikely((unsigned long)matchn)) {
49680 + write_lock(&gr_inode_lock);
49681 + do_handle_create(matchn, dentry, mnt);
49682 + write_unlock(&gr_inode_lock);
49683 + }
49684 + preempt_enable();
49685 +
49686 + return;
49687 +}
49688 +
49689 +void
49690 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
49691 + struct dentry *old_dentry,
49692 + struct dentry *new_dentry,
49693 + struct vfsmount *mnt, const __u8 replace)
49694 +{
49695 + struct name_entry *matchn;
49696 + struct inodev_entry *inodev;
49697 + ino_t oldinode = old_dentry->d_inode->i_ino;
49698 + dev_t olddev = __get_dev(old_dentry);
49699 +
49700 + /* vfs_rename swaps the name and parent link for old_dentry and
49701 + new_dentry
49702 + at this point, old_dentry has the new name, parent link, and inode
49703 + for the renamed file
49704 + if a file is being replaced by a rename, new_dentry has the inode
49705 + and name for the replaced file
49706 + */
49707 +
49708 + if (unlikely(!(gr_status & GR_READY)))
49709 + return;
49710 +
49711 + preempt_disable();
49712 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
49713 +
49714 + /* we wouldn't have to check d_inode if it weren't for
49715 + NFS silly-renaming
49716 + */
49717 +
49718 + write_lock(&gr_inode_lock);
49719 + if (unlikely(replace && new_dentry->d_inode)) {
49720 + ino_t newinode = new_dentry->d_inode->i_ino;
49721 + dev_t newdev = __get_dev(new_dentry);
49722 + inodev = lookup_inodev_entry(newinode, newdev);
49723 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
49724 + do_handle_delete(inodev, newinode, newdev);
49725 + }
49726 +
49727 + inodev = lookup_inodev_entry(oldinode, olddev);
49728 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
49729 + do_handle_delete(inodev, oldinode, olddev);
49730 +
49731 + if (unlikely((unsigned long)matchn))
49732 + do_handle_create(matchn, old_dentry, mnt);
49733 +
49734 + write_unlock(&gr_inode_lock);
49735 + preempt_enable();
49736 +
49737 + return;
49738 +}
49739 +
49740 +static int
49741 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
49742 + unsigned char **sum)
49743 +{
49744 + struct acl_role_label *r;
49745 + struct role_allowed_ip *ipp;
49746 + struct role_transition *trans;
49747 + unsigned int i;
49748 + int found = 0;
49749 + u32 curr_ip = current->signal->curr_ip;
49750 +
49751 + current->signal->saved_ip = curr_ip;
49752 +
49753 + /* check transition table */
49754 +
49755 + for (trans = current->role->transitions; trans; trans = trans->next) {
49756 + if (!strcmp(rolename, trans->rolename)) {
49757 + found = 1;
49758 + break;
49759 + }
49760 + }
49761 +
49762 + if (!found)
49763 + return 0;
49764 +
49765 + /* handle special roles that do not require authentication
49766 + and check ip */
49767 +
49768 + FOR_EACH_ROLE_START(r)
49769 + if (!strcmp(rolename, r->rolename) &&
49770 + (r->roletype & GR_ROLE_SPECIAL)) {
49771 + found = 0;
49772 + if (r->allowed_ips != NULL) {
49773 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
49774 + if ((ntohl(curr_ip) & ipp->netmask) ==
49775 + (ntohl(ipp->addr) & ipp->netmask))
49776 + found = 1;
49777 + }
49778 + } else
49779 + found = 2;
49780 + if (!found)
49781 + return 0;
49782 +
49783 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
49784 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
49785 + *salt = NULL;
49786 + *sum = NULL;
49787 + return 1;
49788 + }
49789 + }
49790 + FOR_EACH_ROLE_END(r)
49791 +
49792 + for (i = 0; i < num_sprole_pws; i++) {
49793 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
49794 + *salt = acl_special_roles[i]->salt;
49795 + *sum = acl_special_roles[i]->sum;
49796 + return 1;
49797 + }
49798 + }
49799 +
49800 + return 0;
49801 +}
49802 +
49803 +static void
49804 +assign_special_role(char *rolename)
49805 +{
49806 + struct acl_object_label *obj;
49807 + struct acl_role_label *r;
49808 + struct acl_role_label *assigned = NULL;
49809 + struct task_struct *tsk;
49810 + struct file *filp;
49811 +
49812 + FOR_EACH_ROLE_START(r)
49813 + if (!strcmp(rolename, r->rolename) &&
49814 + (r->roletype & GR_ROLE_SPECIAL)) {
49815 + assigned = r;
49816 + break;
49817 + }
49818 + FOR_EACH_ROLE_END(r)
49819 +
49820 + if (!assigned)
49821 + return;
49822 +
49823 + read_lock(&tasklist_lock);
49824 + read_lock(&grsec_exec_file_lock);
49825 +
49826 + tsk = current->real_parent;
49827 + if (tsk == NULL)
49828 + goto out_unlock;
49829 +
49830 + filp = tsk->exec_file;
49831 + if (filp == NULL)
49832 + goto out_unlock;
49833 +
49834 + tsk->is_writable = 0;
49835 +
49836 + tsk->acl_sp_role = 1;
49837 + tsk->acl_role_id = ++acl_sp_role_value;
49838 + tsk->role = assigned;
49839 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
49840 +
49841 + /* ignore additional mmap checks for processes that are writable
49842 + by the default ACL */
49843 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
49844 + if (unlikely(obj->mode & GR_WRITE))
49845 + tsk->is_writable = 1;
49846 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
49847 + if (unlikely(obj->mode & GR_WRITE))
49848 + tsk->is_writable = 1;
49849 +
49850 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
49851 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
49852 +#endif
49853 +
49854 +out_unlock:
49855 + read_unlock(&grsec_exec_file_lock);
49856 + read_unlock(&tasklist_lock);
49857 + return;
49858 +}
49859 +
49860 +int gr_check_secure_terminal(struct task_struct *task)
49861 +{
49862 + struct task_struct *p, *p2, *p3;
49863 + struct files_struct *files;
49864 + struct fdtable *fdt;
49865 + struct file *our_file = NULL, *file;
49866 + int i;
49867 +
49868 + if (task->signal->tty == NULL)
49869 + return 1;
49870 +
49871 + files = get_files_struct(task);
49872 + if (files != NULL) {
49873 + rcu_read_lock();
49874 + fdt = files_fdtable(files);
49875 + for (i=0; i < fdt->max_fds; i++) {
49876 + file = fcheck_files(files, i);
49877 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
49878 + get_file(file);
49879 + our_file = file;
49880 + }
49881 + }
49882 + rcu_read_unlock();
49883 + put_files_struct(files);
49884 + }
49885 +
49886 + if (our_file == NULL)
49887 + return 1;
49888 +
49889 + read_lock(&tasklist_lock);
49890 + do_each_thread(p2, p) {
49891 + files = get_files_struct(p);
49892 + if (files == NULL ||
49893 + (p->signal && p->signal->tty == task->signal->tty)) {
49894 + if (files != NULL)
49895 + put_files_struct(files);
49896 + continue;
49897 + }
49898 + rcu_read_lock();
49899 + fdt = files_fdtable(files);
49900 + for (i=0; i < fdt->max_fds; i++) {
49901 + file = fcheck_files(files, i);
49902 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
49903 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
49904 + p3 = task;
49905 + while (p3->pid > 0) {
49906 + if (p3 == p)
49907 + break;
49908 + p3 = p3->real_parent;
49909 + }
49910 + if (p3 == p)
49911 + break;
49912 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
49913 + gr_handle_alertkill(p);
49914 + rcu_read_unlock();
49915 + put_files_struct(files);
49916 + read_unlock(&tasklist_lock);
49917 + fput(our_file);
49918 + return 0;
49919 + }
49920 + }
49921 + rcu_read_unlock();
49922 + put_files_struct(files);
49923 + } while_each_thread(p2, p);
49924 + read_unlock(&tasklist_lock);
49925 +
49926 + fput(our_file);
49927 + return 1;
49928 +}
49929 +
49930 +ssize_t
49931 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
49932 +{
49933 + struct gr_arg_wrapper uwrap;
49934 + unsigned char *sprole_salt = NULL;
49935 + unsigned char *sprole_sum = NULL;
49936 + int error = sizeof (struct gr_arg_wrapper);
49937 + int error2 = 0;
49938 +
49939 + mutex_lock(&gr_dev_mutex);
49940 +
49941 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
49942 + error = -EPERM;
49943 + goto out;
49944 + }
49945 +
49946 + if (count != sizeof (struct gr_arg_wrapper)) {
49947 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
49948 + error = -EINVAL;
49949 + goto out;
49950 + }
49951 +
49952 +
49953 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
49954 + gr_auth_expires = 0;
49955 + gr_auth_attempts = 0;
49956 + }
49957 +
49958 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
49959 + error = -EFAULT;
49960 + goto out;
49961 + }
49962 +
49963 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
49964 + error = -EINVAL;
49965 + goto out;
49966 + }
49967 +
49968 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
49969 + error = -EFAULT;
49970 + goto out;
49971 + }
49972 +
49973 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
49974 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
49975 + time_after(gr_auth_expires, get_seconds())) {
49976 + error = -EBUSY;
49977 + goto out;
49978 + }
49979 +
49980 + /* if non-root trying to do anything other than use a special role,
49981 + do not attempt authentication, do not count towards authentication
49982 + locking
49983 + */
49984 +
49985 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
49986 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
49987 + current_uid()) {
49988 + error = -EPERM;
49989 + goto out;
49990 + }
49991 +
49992 + /* ensure pw and special role name are null terminated */
49993 +
49994 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
49995 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
49996 +
49997 + /* Okay.
49998 + * We have our enough of the argument structure..(we have yet
49999 + * to copy_from_user the tables themselves) . Copy the tables
50000 + * only if we need them, i.e. for loading operations. */
50001 +
50002 + switch (gr_usermode->mode) {
50003 + case GR_STATUS:
50004 + if (gr_status & GR_READY) {
50005 + error = 1;
50006 + if (!gr_check_secure_terminal(current))
50007 + error = 3;
50008 + } else
50009 + error = 2;
50010 + goto out;
50011 + case GR_SHUTDOWN:
50012 + if ((gr_status & GR_READY)
50013 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50014 + pax_open_kernel();
50015 + gr_status &= ~GR_READY;
50016 + pax_close_kernel();
50017 +
50018 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
50019 + free_variables();
50020 + memset(gr_usermode, 0, sizeof (struct gr_arg));
50021 + memset(gr_system_salt, 0, GR_SALT_LEN);
50022 + memset(gr_system_sum, 0, GR_SHA_LEN);
50023 + } else if (gr_status & GR_READY) {
50024 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
50025 + error = -EPERM;
50026 + } else {
50027 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
50028 + error = -EAGAIN;
50029 + }
50030 + break;
50031 + case GR_ENABLE:
50032 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
50033 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
50034 + else {
50035 + if (gr_status & GR_READY)
50036 + error = -EAGAIN;
50037 + else
50038 + error = error2;
50039 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
50040 + }
50041 + break;
50042 + case GR_RELOAD:
50043 + if (!(gr_status & GR_READY)) {
50044 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
50045 + error = -EAGAIN;
50046 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50047 + lock_kernel();
50048 +
50049 + pax_open_kernel();
50050 + gr_status &= ~GR_READY;
50051 + pax_close_kernel();
50052 +
50053 + free_variables();
50054 + if (!(error2 = gracl_init(gr_usermode))) {
50055 + unlock_kernel();
50056 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
50057 + } else {
50058 + unlock_kernel();
50059 + error = error2;
50060 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50061 + }
50062 + } else {
50063 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
50064 + error = -EPERM;
50065 + }
50066 + break;
50067 + case GR_SEGVMOD:
50068 + if (unlikely(!(gr_status & GR_READY))) {
50069 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
50070 + error = -EAGAIN;
50071 + break;
50072 + }
50073 +
50074 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
50075 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
50076 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
50077 + struct acl_subject_label *segvacl;
50078 + segvacl =
50079 + lookup_acl_subj_label(gr_usermode->segv_inode,
50080 + gr_usermode->segv_device,
50081 + current->role);
50082 + if (segvacl) {
50083 + segvacl->crashes = 0;
50084 + segvacl->expires = 0;
50085 + }
50086 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
50087 + gr_remove_uid(gr_usermode->segv_uid);
50088 + }
50089 + } else {
50090 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
50091 + error = -EPERM;
50092 + }
50093 + break;
50094 + case GR_SPROLE:
50095 + case GR_SPROLEPAM:
50096 + if (unlikely(!(gr_status & GR_READY))) {
50097 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
50098 + error = -EAGAIN;
50099 + break;
50100 + }
50101 +
50102 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
50103 + current->role->expires = 0;
50104 + current->role->auth_attempts = 0;
50105 + }
50106 +
50107 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
50108 + time_after(current->role->expires, get_seconds())) {
50109 + error = -EBUSY;
50110 + goto out;
50111 + }
50112 +
50113 + if (lookup_special_role_auth
50114 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
50115 + && ((!sprole_salt && !sprole_sum)
50116 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
50117 + char *p = "";
50118 + assign_special_role(gr_usermode->sp_role);
50119 + read_lock(&tasklist_lock);
50120 + if (current->real_parent)
50121 + p = current->real_parent->role->rolename;
50122 + read_unlock(&tasklist_lock);
50123 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
50124 + p, acl_sp_role_value);
50125 + } else {
50126 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
50127 + error = -EPERM;
50128 + if(!(current->role->auth_attempts++))
50129 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50130 +
50131 + goto out;
50132 + }
50133 + break;
50134 + case GR_UNSPROLE:
50135 + if (unlikely(!(gr_status & GR_READY))) {
50136 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
50137 + error = -EAGAIN;
50138 + break;
50139 + }
50140 +
50141 + if (current->role->roletype & GR_ROLE_SPECIAL) {
50142 + char *p = "";
50143 + int i = 0;
50144 +
50145 + read_lock(&tasklist_lock);
50146 + if (current->real_parent) {
50147 + p = current->real_parent->role->rolename;
50148 + i = current->real_parent->acl_role_id;
50149 + }
50150 + read_unlock(&tasklist_lock);
50151 +
50152 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
50153 + gr_set_acls(1);
50154 + } else {
50155 + error = -EPERM;
50156 + goto out;
50157 + }
50158 + break;
50159 + default:
50160 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
50161 + error = -EINVAL;
50162 + break;
50163 + }
50164 +
50165 + if (error != -EPERM)
50166 + goto out;
50167 +
50168 + if(!(gr_auth_attempts++))
50169 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
50170 +
50171 + out:
50172 + mutex_unlock(&gr_dev_mutex);
50173 + return error;
50174 +}
50175 +
50176 +/* must be called with
50177 + rcu_read_lock();
50178 + read_lock(&tasklist_lock);
50179 + read_lock(&grsec_exec_file_lock);
50180 +*/
50181 +int gr_apply_subject_to_task(struct task_struct *task)
50182 +{
50183 + struct acl_object_label *obj;
50184 + char *tmpname;
50185 + struct acl_subject_label *tmpsubj;
50186 + struct file *filp;
50187 + struct name_entry *nmatch;
50188 +
50189 + filp = task->exec_file;
50190 + if (filp == NULL)
50191 + return 0;
50192 +
50193 + /* the following is to apply the correct subject
50194 + on binaries running when the RBAC system
50195 + is enabled, when the binaries have been
50196 + replaced or deleted since their execution
50197 + -----
50198 + when the RBAC system starts, the inode/dev
50199 + from exec_file will be one the RBAC system
50200 + is unaware of. It only knows the inode/dev
50201 + of the present file on disk, or the absence
50202 + of it.
50203 + */
50204 + preempt_disable();
50205 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
50206 +
50207 + nmatch = lookup_name_entry(tmpname);
50208 + preempt_enable();
50209 + tmpsubj = NULL;
50210 + if (nmatch) {
50211 + if (nmatch->deleted)
50212 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
50213 + else
50214 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
50215 + if (tmpsubj != NULL)
50216 + task->acl = tmpsubj;
50217 + }
50218 + if (tmpsubj == NULL)
50219 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
50220 + task->role);
50221 + if (task->acl) {
50222 + task->is_writable = 0;
50223 + /* ignore additional mmap checks for processes that are writable
50224 + by the default ACL */
50225 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50226 + if (unlikely(obj->mode & GR_WRITE))
50227 + task->is_writable = 1;
50228 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
50229 + if (unlikely(obj->mode & GR_WRITE))
50230 + task->is_writable = 1;
50231 +
50232 + gr_set_proc_res(task);
50233 +
50234 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50235 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
50236 +#endif
50237 + } else {
50238 + return 1;
50239 + }
50240 +
50241 + return 0;
50242 +}
50243 +
50244 +int
50245 +gr_set_acls(const int type)
50246 +{
50247 + struct task_struct *task, *task2;
50248 + struct acl_role_label *role = current->role;
50249 + __u16 acl_role_id = current->acl_role_id;
50250 + const struct cred *cred;
50251 + int ret;
50252 +
50253 + rcu_read_lock();
50254 + read_lock(&tasklist_lock);
50255 + read_lock(&grsec_exec_file_lock);
50256 + do_each_thread(task2, task) {
50257 + /* check to see if we're called from the exit handler,
50258 + if so, only replace ACLs that have inherited the admin
50259 + ACL */
50260 +
50261 + if (type && (task->role != role ||
50262 + task->acl_role_id != acl_role_id))
50263 + continue;
50264 +
50265 + task->acl_role_id = 0;
50266 + task->acl_sp_role = 0;
50267 +
50268 + if (task->exec_file) {
50269 + cred = __task_cred(task);
50270 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
50271 +
50272 + ret = gr_apply_subject_to_task(task);
50273 + if (ret) {
50274 + read_unlock(&grsec_exec_file_lock);
50275 + read_unlock(&tasklist_lock);
50276 + rcu_read_unlock();
50277 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
50278 + return ret;
50279 + }
50280 + } else {
50281 + // it's a kernel process
50282 + task->role = kernel_role;
50283 + task->acl = kernel_role->root_label;
50284 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
50285 + task->acl->mode &= ~GR_PROCFIND;
50286 +#endif
50287 + }
50288 + } while_each_thread(task2, task);
50289 + read_unlock(&grsec_exec_file_lock);
50290 + read_unlock(&tasklist_lock);
50291 + rcu_read_unlock();
50292 +
50293 + return 0;
50294 +}
50295 +
50296 +void
50297 +gr_learn_resource(const struct task_struct *task,
50298 + const int res, const unsigned long wanted, const int gt)
50299 +{
50300 + struct acl_subject_label *acl;
50301 + const struct cred *cred;
50302 +
50303 + if (unlikely((gr_status & GR_READY) &&
50304 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
50305 + goto skip_reslog;
50306 +
50307 +#ifdef CONFIG_GRKERNSEC_RESLOG
50308 + gr_log_resource(task, res, wanted, gt);
50309 +#endif
50310 + skip_reslog:
50311 +
50312 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
50313 + return;
50314 +
50315 + acl = task->acl;
50316 +
50317 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
50318 + !(acl->resmask & (1 << (unsigned short) res))))
50319 + return;
50320 +
50321 + if (wanted >= acl->res[res].rlim_cur) {
50322 + unsigned long res_add;
50323 +
50324 + res_add = wanted;
50325 + switch (res) {
50326 + case RLIMIT_CPU:
50327 + res_add += GR_RLIM_CPU_BUMP;
50328 + break;
50329 + case RLIMIT_FSIZE:
50330 + res_add += GR_RLIM_FSIZE_BUMP;
50331 + break;
50332 + case RLIMIT_DATA:
50333 + res_add += GR_RLIM_DATA_BUMP;
50334 + break;
50335 + case RLIMIT_STACK:
50336 + res_add += GR_RLIM_STACK_BUMP;
50337 + break;
50338 + case RLIMIT_CORE:
50339 + res_add += GR_RLIM_CORE_BUMP;
50340 + break;
50341 + case RLIMIT_RSS:
50342 + res_add += GR_RLIM_RSS_BUMP;
50343 + break;
50344 + case RLIMIT_NPROC:
50345 + res_add += GR_RLIM_NPROC_BUMP;
50346 + break;
50347 + case RLIMIT_NOFILE:
50348 + res_add += GR_RLIM_NOFILE_BUMP;
50349 + break;
50350 + case RLIMIT_MEMLOCK:
50351 + res_add += GR_RLIM_MEMLOCK_BUMP;
50352 + break;
50353 + case RLIMIT_AS:
50354 + res_add += GR_RLIM_AS_BUMP;
50355 + break;
50356 + case RLIMIT_LOCKS:
50357 + res_add += GR_RLIM_LOCKS_BUMP;
50358 + break;
50359 + case RLIMIT_SIGPENDING:
50360 + res_add += GR_RLIM_SIGPENDING_BUMP;
50361 + break;
50362 + case RLIMIT_MSGQUEUE:
50363 + res_add += GR_RLIM_MSGQUEUE_BUMP;
50364 + break;
50365 + case RLIMIT_NICE:
50366 + res_add += GR_RLIM_NICE_BUMP;
50367 + break;
50368 + case RLIMIT_RTPRIO:
50369 + res_add += GR_RLIM_RTPRIO_BUMP;
50370 + break;
50371 + case RLIMIT_RTTIME:
50372 + res_add += GR_RLIM_RTTIME_BUMP;
50373 + break;
50374 + }
50375 +
50376 + acl->res[res].rlim_cur = res_add;
50377 +
50378 + if (wanted > acl->res[res].rlim_max)
50379 + acl->res[res].rlim_max = res_add;
50380 +
50381 + /* only log the subject filename, since resource logging is supported for
50382 + single-subject learning only */
50383 + rcu_read_lock();
50384 + cred = __task_cred(task);
50385 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
50386 + task->role->roletype, cred->uid, cred->gid, acl->filename,
50387 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
50388 + "", (unsigned long) res, &task->signal->saved_ip);
50389 + rcu_read_unlock();
50390 + }
50391 +
50392 + return;
50393 +}
50394 +
50395 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
50396 +void
50397 +pax_set_initial_flags(struct linux_binprm *bprm)
50398 +{
50399 + struct task_struct *task = current;
50400 + struct acl_subject_label *proc;
50401 + unsigned long flags;
50402 +
50403 + if (unlikely(!(gr_status & GR_READY)))
50404 + return;
50405 +
50406 + flags = pax_get_flags(task);
50407 +
50408 + proc = task->acl;
50409 +
50410 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
50411 + flags &= ~MF_PAX_PAGEEXEC;
50412 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
50413 + flags &= ~MF_PAX_SEGMEXEC;
50414 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
50415 + flags &= ~MF_PAX_RANDMMAP;
50416 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
50417 + flags &= ~MF_PAX_EMUTRAMP;
50418 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
50419 + flags &= ~MF_PAX_MPROTECT;
50420 +
50421 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
50422 + flags |= MF_PAX_PAGEEXEC;
50423 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
50424 + flags |= MF_PAX_SEGMEXEC;
50425 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
50426 + flags |= MF_PAX_RANDMMAP;
50427 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
50428 + flags |= MF_PAX_EMUTRAMP;
50429 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
50430 + flags |= MF_PAX_MPROTECT;
50431 +
50432 + pax_set_flags(task, flags);
50433 +
50434 + return;
50435 +}
50436 +#endif
50437 +
50438 +#ifdef CONFIG_SYSCTL
50439 +/* Eric Biederman likes breaking userland ABI and every inode-based security
50440 + system to save 35kb of memory */
50441 +
50442 +/* we modify the passed in filename, but adjust it back before returning */
50443 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
50444 +{
50445 + struct name_entry *nmatch;
50446 + char *p, *lastp = NULL;
50447 + struct acl_object_label *obj = NULL, *tmp;
50448 + struct acl_subject_label *tmpsubj;
50449 + char c = '\0';
50450 +
50451 + read_lock(&gr_inode_lock);
50452 +
50453 + p = name + len - 1;
50454 + do {
50455 + nmatch = lookup_name_entry(name);
50456 + if (lastp != NULL)
50457 + *lastp = c;
50458 +
50459 + if (nmatch == NULL)
50460 + goto next_component;
50461 + tmpsubj = current->acl;
50462 + do {
50463 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
50464 + if (obj != NULL) {
50465 + tmp = obj->globbed;
50466 + while (tmp) {
50467 + if (!glob_match(tmp->filename, name)) {
50468 + obj = tmp;
50469 + goto found_obj;
50470 + }
50471 + tmp = tmp->next;
50472 + }
50473 + goto found_obj;
50474 + }
50475 + } while ((tmpsubj = tmpsubj->parent_subject));
50476 +next_component:
50477 + /* end case */
50478 + if (p == name)
50479 + break;
50480 +
50481 + while (*p != '/')
50482 + p--;
50483 + if (p == name)
50484 + lastp = p + 1;
50485 + else {
50486 + lastp = p;
50487 + p--;
50488 + }
50489 + c = *lastp;
50490 + *lastp = '\0';
50491 + } while (1);
50492 +found_obj:
50493 + read_unlock(&gr_inode_lock);
50494 + /* obj returned will always be non-null */
50495 + return obj;
50496 +}
50497 +
50498 +/* returns 0 when allowing, non-zero on error
50499 + op of 0 is used for readdir, so we don't log the names of hidden files
50500 +*/
50501 +__u32
50502 +gr_handle_sysctl(const struct ctl_table *table, const int op)
50503 +{
50504 + ctl_table *tmp;
50505 + const char *proc_sys = "/proc/sys";
50506 + char *path;
50507 + struct acl_object_label *obj;
50508 + unsigned short len = 0, pos = 0, depth = 0, i;
50509 + __u32 err = 0;
50510 + __u32 mode = 0;
50511 +
50512 + if (unlikely(!(gr_status & GR_READY)))
50513 + return 0;
50514 +
50515 + /* for now, ignore operations on non-sysctl entries if it's not a
50516 + readdir*/
50517 + if (table->child != NULL && op != 0)
50518 + return 0;
50519 +
50520 + mode |= GR_FIND;
50521 + /* it's only a read if it's an entry, read on dirs is for readdir */
50522 + if (op & MAY_READ)
50523 + mode |= GR_READ;
50524 + if (op & MAY_WRITE)
50525 + mode |= GR_WRITE;
50526 +
50527 + preempt_disable();
50528 +
50529 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
50530 +
50531 + /* it's only a read/write if it's an actual entry, not a dir
50532 + (which are opened for readdir)
50533 + */
50534 +
50535 + /* convert the requested sysctl entry into a pathname */
50536 +
50537 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
50538 + len += strlen(tmp->procname);
50539 + len++;
50540 + depth++;
50541 + }
50542 +
50543 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
50544 + /* deny */
50545 + goto out;
50546 + }
50547 +
50548 + memset(path, 0, PAGE_SIZE);
50549 +
50550 + memcpy(path, proc_sys, strlen(proc_sys));
50551 +
50552 + pos += strlen(proc_sys);
50553 +
50554 + for (; depth > 0; depth--) {
50555 + path[pos] = '/';
50556 + pos++;
50557 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
50558 + if (depth == i) {
50559 + memcpy(path + pos, tmp->procname,
50560 + strlen(tmp->procname));
50561 + pos += strlen(tmp->procname);
50562 + }
50563 + i++;
50564 + }
50565 + }
50566 +
50567 + obj = gr_lookup_by_name(path, pos);
50568 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
50569 +
50570 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
50571 + ((err & mode) != mode))) {
50572 + __u32 new_mode = mode;
50573 +
50574 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
50575 +
50576 + err = 0;
50577 + gr_log_learn_sysctl(path, new_mode);
50578 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
50579 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
50580 + err = -ENOENT;
50581 + } else if (!(err & GR_FIND)) {
50582 + err = -ENOENT;
50583 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
50584 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
50585 + path, (mode & GR_READ) ? " reading" : "",
50586 + (mode & GR_WRITE) ? " writing" : "");
50587 + err = -EACCES;
50588 + } else if ((err & mode) != mode) {
50589 + err = -EACCES;
50590 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
50591 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
50592 + path, (mode & GR_READ) ? " reading" : "",
50593 + (mode & GR_WRITE) ? " writing" : "");
50594 + err = 0;
50595 + } else
50596 + err = 0;
50597 +
50598 + out:
50599 + preempt_enable();
50600 +
50601 + return err;
50602 +}
50603 +#endif
50604 +
50605 +int
50606 +gr_handle_proc_ptrace(struct task_struct *task)
50607 +{
50608 + struct file *filp;
50609 + struct task_struct *tmp = task;
50610 + struct task_struct *curtemp = current;
50611 + __u32 retmode;
50612 +
50613 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
50614 + if (unlikely(!(gr_status & GR_READY)))
50615 + return 0;
50616 +#endif
50617 +
50618 + read_lock(&tasklist_lock);
50619 + read_lock(&grsec_exec_file_lock);
50620 + filp = task->exec_file;
50621 +
50622 + while (tmp->pid > 0) {
50623 + if (tmp == curtemp)
50624 + break;
50625 + tmp = tmp->real_parent;
50626 + }
50627 +
50628 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
50629 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
50630 + read_unlock(&grsec_exec_file_lock);
50631 + read_unlock(&tasklist_lock);
50632 + return 1;
50633 + }
50634 +
50635 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
50636 + if (!(gr_status & GR_READY)) {
50637 + read_unlock(&grsec_exec_file_lock);
50638 + read_unlock(&tasklist_lock);
50639 + return 0;
50640 + }
50641 +#endif
50642 +
50643 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
50644 + read_unlock(&grsec_exec_file_lock);
50645 + read_unlock(&tasklist_lock);
50646 +
50647 + if (retmode & GR_NOPTRACE)
50648 + return 1;
50649 +
50650 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
50651 + && (current->acl != task->acl || (current->acl != current->role->root_label
50652 + && current->pid != task->pid)))
50653 + return 1;
50654 +
50655 + return 0;
50656 +}
50657 +
50658 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
50659 +{
50660 + if (unlikely(!(gr_status & GR_READY)))
50661 + return;
50662 +
50663 + if (!(current->role->roletype & GR_ROLE_GOD))
50664 + return;
50665 +
50666 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
50667 + p->role->rolename, gr_task_roletype_to_char(p),
50668 + p->acl->filename);
50669 +}
50670 +
50671 +int
50672 +gr_handle_ptrace(struct task_struct *task, const long request)
50673 +{
50674 + struct task_struct *tmp = task;
50675 + struct task_struct *curtemp = current;
50676 + __u32 retmode;
50677 +
50678 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
50679 + if (unlikely(!(gr_status & GR_READY)))
50680 + return 0;
50681 +#endif
50682 +
50683 + read_lock(&tasklist_lock);
50684 + while (tmp->pid > 0) {
50685 + if (tmp == curtemp)
50686 + break;
50687 + tmp = tmp->real_parent;
50688 + }
50689 +
50690 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
50691 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
50692 + read_unlock(&tasklist_lock);
50693 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
50694 + return 1;
50695 + }
50696 + read_unlock(&tasklist_lock);
50697 +
50698 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
50699 + if (!(gr_status & GR_READY))
50700 + return 0;
50701 +#endif
50702 +
50703 + read_lock(&grsec_exec_file_lock);
50704 + if (unlikely(!task->exec_file)) {
50705 + read_unlock(&grsec_exec_file_lock);
50706 + return 0;
50707 + }
50708 +
50709 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
50710 + read_unlock(&grsec_exec_file_lock);
50711 +
50712 + if (retmode & GR_NOPTRACE) {
50713 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
50714 + return 1;
50715 + }
50716 +
50717 + if (retmode & GR_PTRACERD) {
50718 + switch (request) {
50719 + case PTRACE_POKETEXT:
50720 + case PTRACE_POKEDATA:
50721 + case PTRACE_POKEUSR:
50722 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
50723 + case PTRACE_SETREGS:
50724 + case PTRACE_SETFPREGS:
50725 +#endif
50726 +#ifdef CONFIG_X86
50727 + case PTRACE_SETFPXREGS:
50728 +#endif
50729 +#ifdef CONFIG_ALTIVEC
50730 + case PTRACE_SETVRREGS:
50731 +#endif
50732 + return 1;
50733 + default:
50734 + return 0;
50735 + }
50736 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
50737 + !(current->role->roletype & GR_ROLE_GOD) &&
50738 + (current->acl != task->acl)) {
50739 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
50740 + return 1;
50741 + }
50742 +
50743 + return 0;
50744 +}
50745 +
50746 +static int is_writable_mmap(const struct file *filp)
50747 +{
50748 + struct task_struct *task = current;
50749 + struct acl_object_label *obj, *obj2;
50750 +
50751 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
50752 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
50753 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
50754 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
50755 + task->role->root_label);
50756 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
50757 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
50758 + return 1;
50759 + }
50760 + }
50761 + return 0;
50762 +}
50763 +
50764 +int
50765 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
50766 +{
50767 + __u32 mode;
50768 +
50769 + if (unlikely(!file || !(prot & PROT_EXEC)))
50770 + return 1;
50771 +
50772 + if (is_writable_mmap(file))
50773 + return 0;
50774 +
50775 + mode =
50776 + gr_search_file(file->f_path.dentry,
50777 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
50778 + file->f_path.mnt);
50779 +
50780 + if (!gr_tpe_allow(file))
50781 + return 0;
50782 +
50783 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
50784 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
50785 + return 0;
50786 + } else if (unlikely(!(mode & GR_EXEC))) {
50787 + return 0;
50788 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
50789 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
50790 + return 1;
50791 + }
50792 +
50793 + return 1;
50794 +}
50795 +
50796 +int
50797 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
50798 +{
50799 + __u32 mode;
50800 +
50801 + if (unlikely(!file || !(prot & PROT_EXEC)))
50802 + return 1;
50803 +
50804 + if (is_writable_mmap(file))
50805 + return 0;
50806 +
50807 + mode =
50808 + gr_search_file(file->f_path.dentry,
50809 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
50810 + file->f_path.mnt);
50811 +
50812 + if (!gr_tpe_allow(file))
50813 + return 0;
50814 +
50815 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
50816 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
50817 + return 0;
50818 + } else if (unlikely(!(mode & GR_EXEC))) {
50819 + return 0;
50820 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
50821 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
50822 + return 1;
50823 + }
50824 +
50825 + return 1;
50826 +}
50827 +
50828 +void
50829 +gr_acl_handle_psacct(struct task_struct *task, const long code)
50830 +{
50831 + unsigned long runtime;
50832 + unsigned long cputime;
50833 + unsigned int wday, cday;
50834 + __u8 whr, chr;
50835 + __u8 wmin, cmin;
50836 + __u8 wsec, csec;
50837 + struct timespec timeval;
50838 +
50839 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
50840 + !(task->acl->mode & GR_PROCACCT)))
50841 + return;
50842 +
50843 + do_posix_clock_monotonic_gettime(&timeval);
50844 + runtime = timeval.tv_sec - task->start_time.tv_sec;
50845 + wday = runtime / (3600 * 24);
50846 + runtime -= wday * (3600 * 24);
50847 + whr = runtime / 3600;
50848 + runtime -= whr * 3600;
50849 + wmin = runtime / 60;
50850 + runtime -= wmin * 60;
50851 + wsec = runtime;
50852 +
50853 + cputime = (task->utime + task->stime) / HZ;
50854 + cday = cputime / (3600 * 24);
50855 + cputime -= cday * (3600 * 24);
50856 + chr = cputime / 3600;
50857 + cputime -= chr * 3600;
50858 + cmin = cputime / 60;
50859 + cputime -= cmin * 60;
50860 + csec = cputime;
50861 +
50862 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
50863 +
50864 + return;
50865 +}
50866 +
50867 +void gr_set_kernel_label(struct task_struct *task)
50868 +{
50869 + if (gr_status & GR_READY) {
50870 + task->role = kernel_role;
50871 + task->acl = kernel_role->root_label;
50872 + }
50873 + return;
50874 +}
50875 +
50876 +#ifdef CONFIG_TASKSTATS
50877 +int gr_is_taskstats_denied(int pid)
50878 +{
50879 + struct task_struct *task;
50880 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50881 + const struct cred *cred;
50882 +#endif
50883 + int ret = 0;
50884 +
50885 + /* restrict taskstats viewing to un-chrooted root users
50886 + who have the 'view' subject flag if the RBAC system is enabled
50887 + */
50888 +
50889 + rcu_read_lock();
50890 + read_lock(&tasklist_lock);
50891 + task = find_task_by_vpid(pid);
50892 + if (task) {
50893 +#ifdef CONFIG_GRKERNSEC_CHROOT
50894 + if (proc_is_chrooted(task))
50895 + ret = -EACCES;
50896 +#endif
50897 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50898 + cred = __task_cred(task);
50899 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50900 + if (cred->uid != 0)
50901 + ret = -EACCES;
50902 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50903 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
50904 + ret = -EACCES;
50905 +#endif
50906 +#endif
50907 + if (gr_status & GR_READY) {
50908 + if (!(task->acl->mode & GR_VIEW))
50909 + ret = -EACCES;
50910 + }
50911 + } else
50912 + ret = -ENOENT;
50913 +
50914 + read_unlock(&tasklist_lock);
50915 + rcu_read_unlock();
50916 +
50917 + return ret;
50918 +}
50919 +#endif
50920 +
50921 +/* AUXV entries are filled via a descendant of search_binary_handler
50922 + after we've already applied the subject for the target
50923 +*/
50924 +int gr_acl_enable_at_secure(void)
50925 +{
50926 + if (unlikely(!(gr_status & GR_READY)))
50927 + return 0;
50928 +
50929 + if (current->acl->mode & GR_ATSECURE)
50930 + return 1;
50931 +
50932 + return 0;
50933 +}
50934 +
50935 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
50936 +{
50937 + struct task_struct *task = current;
50938 + struct dentry *dentry = file->f_path.dentry;
50939 + struct vfsmount *mnt = file->f_path.mnt;
50940 + struct acl_object_label *obj, *tmp;
50941 + struct acl_subject_label *subj;
50942 + unsigned int bufsize;
50943 + int is_not_root;
50944 + char *path;
50945 + dev_t dev = __get_dev(dentry);
50946 +
50947 + if (unlikely(!(gr_status & GR_READY)))
50948 + return 1;
50949 +
50950 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
50951 + return 1;
50952 +
50953 + /* ignore Eric Biederman */
50954 + if (IS_PRIVATE(dentry->d_inode))
50955 + return 1;
50956 +
50957 + subj = task->acl;
50958 + do {
50959 + obj = lookup_acl_obj_label(ino, dev, subj);
50960 + if (obj != NULL)
50961 + return (obj->mode & GR_FIND) ? 1 : 0;
50962 + } while ((subj = subj->parent_subject));
50963 +
50964 + /* this is purely an optimization since we're looking for an object
50965 + for the directory we're doing a readdir on
50966 + if it's possible for any globbed object to match the entry we're
50967 + filling into the directory, then the object we find here will be
50968 + an anchor point with attached globbed objects
50969 + */
50970 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
50971 + if (obj->globbed == NULL)
50972 + return (obj->mode & GR_FIND) ? 1 : 0;
50973 +
50974 + is_not_root = ((obj->filename[0] == '/') &&
50975 + (obj->filename[1] == '\0')) ? 0 : 1;
50976 + bufsize = PAGE_SIZE - namelen - is_not_root;
50977 +
50978 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
50979 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
50980 + return 1;
50981 +
50982 + preempt_disable();
50983 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
50984 + bufsize);
50985 +
50986 + bufsize = strlen(path);
50987 +
50988 + /* if base is "/", don't append an additional slash */
50989 + if (is_not_root)
50990 + *(path + bufsize) = '/';
50991 + memcpy(path + bufsize + is_not_root, name, namelen);
50992 + *(path + bufsize + namelen + is_not_root) = '\0';
50993 +
50994 + tmp = obj->globbed;
50995 + while (tmp) {
50996 + if (!glob_match(tmp->filename, path)) {
50997 + preempt_enable();
50998 + return (tmp->mode & GR_FIND) ? 1 : 0;
50999 + }
51000 + tmp = tmp->next;
51001 + }
51002 + preempt_enable();
51003 + return (obj->mode & GR_FIND) ? 1 : 0;
51004 +}
51005 +
51006 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
51007 +EXPORT_SYMBOL(gr_acl_is_enabled);
51008 +#endif
51009 +EXPORT_SYMBOL(gr_learn_resource);
51010 +EXPORT_SYMBOL(gr_set_kernel_label);
51011 +#ifdef CONFIG_SECURITY
51012 +EXPORT_SYMBOL(gr_check_user_change);
51013 +EXPORT_SYMBOL(gr_check_group_change);
51014 +#endif
51015 +
51016 diff -urNp linux-2.6.32.43/grsecurity/gracl_cap.c linux-2.6.32.43/grsecurity/gracl_cap.c
51017 --- linux-2.6.32.43/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
51018 +++ linux-2.6.32.43/grsecurity/gracl_cap.c 2011-04-17 15:56:46.000000000 -0400
51019 @@ -0,0 +1,138 @@
51020 +#include <linux/kernel.h>
51021 +#include <linux/module.h>
51022 +#include <linux/sched.h>
51023 +#include <linux/gracl.h>
51024 +#include <linux/grsecurity.h>
51025 +#include <linux/grinternal.h>
51026 +
51027 +static const char *captab_log[] = {
51028 + "CAP_CHOWN",
51029 + "CAP_DAC_OVERRIDE",
51030 + "CAP_DAC_READ_SEARCH",
51031 + "CAP_FOWNER",
51032 + "CAP_FSETID",
51033 + "CAP_KILL",
51034 + "CAP_SETGID",
51035 + "CAP_SETUID",
51036 + "CAP_SETPCAP",
51037 + "CAP_LINUX_IMMUTABLE",
51038 + "CAP_NET_BIND_SERVICE",
51039 + "CAP_NET_BROADCAST",
51040 + "CAP_NET_ADMIN",
51041 + "CAP_NET_RAW",
51042 + "CAP_IPC_LOCK",
51043 + "CAP_IPC_OWNER",
51044 + "CAP_SYS_MODULE",
51045 + "CAP_SYS_RAWIO",
51046 + "CAP_SYS_CHROOT",
51047 + "CAP_SYS_PTRACE",
51048 + "CAP_SYS_PACCT",
51049 + "CAP_SYS_ADMIN",
51050 + "CAP_SYS_BOOT",
51051 + "CAP_SYS_NICE",
51052 + "CAP_SYS_RESOURCE",
51053 + "CAP_SYS_TIME",
51054 + "CAP_SYS_TTY_CONFIG",
51055 + "CAP_MKNOD",
51056 + "CAP_LEASE",
51057 + "CAP_AUDIT_WRITE",
51058 + "CAP_AUDIT_CONTROL",
51059 + "CAP_SETFCAP",
51060 + "CAP_MAC_OVERRIDE",
51061 + "CAP_MAC_ADMIN"
51062 +};
51063 +
51064 +EXPORT_SYMBOL(gr_is_capable);
51065 +EXPORT_SYMBOL(gr_is_capable_nolog);
51066 +
51067 +int
51068 +gr_is_capable(const int cap)
51069 +{
51070 + struct task_struct *task = current;
51071 + const struct cred *cred = current_cred();
51072 + struct acl_subject_label *curracl;
51073 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51074 + kernel_cap_t cap_audit = __cap_empty_set;
51075 +
51076 + if (!gr_acl_is_enabled())
51077 + return 1;
51078 +
51079 + curracl = task->acl;
51080 +
51081 + cap_drop = curracl->cap_lower;
51082 + cap_mask = curracl->cap_mask;
51083 + cap_audit = curracl->cap_invert_audit;
51084 +
51085 + while ((curracl = curracl->parent_subject)) {
51086 + /* if the cap isn't specified in the current computed mask but is specified in the
51087 + current level subject, and is lowered in the current level subject, then add
51088 + it to the set of dropped capabilities
51089 + otherwise, add the current level subject's mask to the current computed mask
51090 + */
51091 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51092 + cap_raise(cap_mask, cap);
51093 + if (cap_raised(curracl->cap_lower, cap))
51094 + cap_raise(cap_drop, cap);
51095 + if (cap_raised(curracl->cap_invert_audit, cap))
51096 + cap_raise(cap_audit, cap);
51097 + }
51098 + }
51099 +
51100 + if (!cap_raised(cap_drop, cap)) {
51101 + if (cap_raised(cap_audit, cap))
51102 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
51103 + return 1;
51104 + }
51105 +
51106 + curracl = task->acl;
51107 +
51108 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
51109 + && cap_raised(cred->cap_effective, cap)) {
51110 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
51111 + task->role->roletype, cred->uid,
51112 + cred->gid, task->exec_file ?
51113 + gr_to_filename(task->exec_file->f_path.dentry,
51114 + task->exec_file->f_path.mnt) : curracl->filename,
51115 + curracl->filename, 0UL,
51116 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
51117 + return 1;
51118 + }
51119 +
51120 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
51121 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
51122 + return 0;
51123 +}
51124 +
51125 +int
51126 +gr_is_capable_nolog(const int cap)
51127 +{
51128 + struct acl_subject_label *curracl;
51129 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
51130 +
51131 + if (!gr_acl_is_enabled())
51132 + return 1;
51133 +
51134 + curracl = current->acl;
51135 +
51136 + cap_drop = curracl->cap_lower;
51137 + cap_mask = curracl->cap_mask;
51138 +
51139 + while ((curracl = curracl->parent_subject)) {
51140 + /* if the cap isn't specified in the current computed mask but is specified in the
51141 + current level subject, and is lowered in the current level subject, then add
51142 + it to the set of dropped capabilities
51143 + otherwise, add the current level subject's mask to the current computed mask
51144 + */
51145 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
51146 + cap_raise(cap_mask, cap);
51147 + if (cap_raised(curracl->cap_lower, cap))
51148 + cap_raise(cap_drop, cap);
51149 + }
51150 + }
51151 +
51152 + if (!cap_raised(cap_drop, cap))
51153 + return 1;
51154 +
51155 + return 0;
51156 +}
51157 +
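Review bot: In gr_is_capable() the audit branch passes `captab_log[cap]` to gr_log_cap() with no bounds check, while the denial branch at the end of the same function guards the identical lookup with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. The table has 34 entries ending at "CAP_MAC_ADMIN", so a capability number without a matching entry would index past the array on the audited-allow path; whether callers can pass such a value is not visible in this hunk. I would apply the same guard there, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, and put a comment above the table such as `/* indexed by capability number; must cover every value up to CAP_LAST_CAP */`. The parent_subject walk that builds cap_drop/cap_mask is duplicated in gr_is_capable_nolog(); a shared static helper would keep the two permission decisions from drifting apart.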
51158 diff -urNp linux-2.6.32.43/grsecurity/gracl_fs.c linux-2.6.32.43/grsecurity/gracl_fs.c
51159 --- linux-2.6.32.43/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
51160 +++ linux-2.6.32.43/grsecurity/gracl_fs.c 2011-04-17 15:56:46.000000000 -0400
51161 @@ -0,0 +1,431 @@
51162 +#include <linux/kernel.h>
51163 +#include <linux/sched.h>
51164 +#include <linux/types.h>
51165 +#include <linux/fs.h>
51166 +#include <linux/file.h>
51167 +#include <linux/stat.h>
51168 +#include <linux/grsecurity.h>
51169 +#include <linux/grinternal.h>
51170 +#include <linux/gracl.h>
51171 +
51172 +__u32
51173 +gr_acl_handle_hidden_file(const struct dentry * dentry,
51174 + const struct vfsmount * mnt)
51175 +{
51176 + __u32 mode;
51177 +
51178 + if (unlikely(!dentry->d_inode))
51179 + return GR_FIND;
51180 +
51181 + mode =
51182 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
51183 +
51184 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
51185 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51186 + return mode;
51187 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
51188 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
51189 + return 0;
51190 + } else if (unlikely(!(mode & GR_FIND)))
51191 + return 0;
51192 +
51193 + return GR_FIND;
51194 +}
51195 +
51196 +__u32
51197 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
51198 + const int fmode)
51199 +{
51200 + __u32 reqmode = GR_FIND;
51201 + __u32 mode;
51202 +
51203 + if (unlikely(!dentry->d_inode))
51204 + return reqmode;
51205 +
51206 + if (unlikely(fmode & O_APPEND))
51207 + reqmode |= GR_APPEND;
51208 + else if (unlikely(fmode & FMODE_WRITE))
51209 + reqmode |= GR_WRITE;
51210 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
51211 + reqmode |= GR_READ;
51212 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
51213 + reqmode &= ~GR_READ;
51214 + mode =
51215 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51216 + mnt);
51217 +
51218 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51219 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51220 + reqmode & GR_READ ? " reading" : "",
51221 + reqmode & GR_WRITE ? " writing" : reqmode &
51222 + GR_APPEND ? " appending" : "");
51223 + return reqmode;
51224 + } else
51225 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51226 + {
51227 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
51228 + reqmode & GR_READ ? " reading" : "",
51229 + reqmode & GR_WRITE ? " writing" : reqmode &
51230 + GR_APPEND ? " appending" : "");
51231 + return 0;
51232 + } else if (unlikely((mode & reqmode) != reqmode))
51233 + return 0;
51234 +
51235 + return reqmode;
51236 +}
51237 +
51238 +__u32
51239 +gr_acl_handle_creat(const struct dentry * dentry,
51240 + const struct dentry * p_dentry,
51241 + const struct vfsmount * p_mnt, const int fmode,
51242 + const int imode)
51243 +{
51244 + __u32 reqmode = GR_WRITE | GR_CREATE;
51245 + __u32 mode;
51246 +
51247 + if (unlikely(fmode & O_APPEND))
51248 + reqmode |= GR_APPEND;
51249 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
51250 + reqmode |= GR_READ;
51251 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
51252 + reqmode |= GR_SETID;
51253 +
51254 + mode =
51255 + gr_check_create(dentry, p_dentry, p_mnt,
51256 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51257 +
51258 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51259 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51260 + reqmode & GR_READ ? " reading" : "",
51261 + reqmode & GR_WRITE ? " writing" : reqmode &
51262 + GR_APPEND ? " appending" : "");
51263 + return reqmode;
51264 + } else
51265 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51266 + {
51267 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
51268 + reqmode & GR_READ ? " reading" : "",
51269 + reqmode & GR_WRITE ? " writing" : reqmode &
51270 + GR_APPEND ? " appending" : "");
51271 + return 0;
51272 + } else if (unlikely((mode & reqmode) != reqmode))
51273 + return 0;
51274 +
51275 + return reqmode;
51276 +}
51277 +
51278 +__u32
51279 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
51280 + const int fmode)
51281 +{
51282 + __u32 mode, reqmode = GR_FIND;
51283 +
51284 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
51285 + reqmode |= GR_EXEC;
51286 + if (fmode & S_IWOTH)
51287 + reqmode |= GR_WRITE;
51288 + if (fmode & S_IROTH)
51289 + reqmode |= GR_READ;
51290 +
51291 + mode =
51292 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
51293 + mnt);
51294 +
51295 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
51296 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51297 + reqmode & GR_READ ? " reading" : "",
51298 + reqmode & GR_WRITE ? " writing" : "",
51299 + reqmode & GR_EXEC ? " executing" : "");
51300 + return reqmode;
51301 + } else
51302 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
51303 + {
51304 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
51305 + reqmode & GR_READ ? " reading" : "",
51306 + reqmode & GR_WRITE ? " writing" : "",
51307 + reqmode & GR_EXEC ? " executing" : "");
51308 + return 0;
51309 + } else if (unlikely((mode & reqmode) != reqmode))
51310 + return 0;
51311 +
51312 + return reqmode;
51313 +}
51314 +
51315 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
51316 +{
51317 + __u32 mode;
51318 +
51319 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
51320 +
51321 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51322 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
51323 + return mode;
51324 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51325 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
51326 + return 0;
51327 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
51328 + return 0;
51329 +
51330 + return (reqmode);
51331 +}
51332 +
51333 +__u32
51334 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
51335 +{
51336 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
51337 +}
51338 +
51339 +__u32
51340 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
51341 +{
51342 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
51343 +}
51344 +
51345 +__u32
51346 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
51347 +{
51348 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
51349 +}
51350 +
51351 +__u32
51352 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
51353 +{
51354 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
51355 +}
51356 +
51357 +__u32
51358 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
51359 + mode_t mode)
51360 +{
51361 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
51362 + return 1;
51363 +
51364 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51365 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51366 + GR_FCHMOD_ACL_MSG);
51367 + } else {
51368 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
51369 + }
51370 +}
51371 +
51372 +__u32
51373 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
51374 + mode_t mode)
51375 +{
51376 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
51377 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
51378 + GR_CHMOD_ACL_MSG);
51379 + } else {
51380 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
51381 + }
51382 +}
51383 +
51384 +__u32
51385 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
51386 +{
51387 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
51388 +}
51389 +
51390 +__u32
51391 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
51392 +{
51393 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
51394 +}
51395 +
51396 +__u32
51397 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
51398 +{
51399 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
51400 +}
51401 +
51402 +__u32
51403 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
51404 +{
51405 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
51406 + GR_UNIXCONNECT_ACL_MSG);
51407 +}
51408 +
51409 +/* hardlinks require at minimum create permission,
51410 + any additional privilege required is based on the
51411 + privilege of the file being linked to
51412 +*/
51413 +__u32
51414 +gr_acl_handle_link(const struct dentry * new_dentry,
51415 + const struct dentry * parent_dentry,
51416 + const struct vfsmount * parent_mnt,
51417 + const struct dentry * old_dentry,
51418 + const struct vfsmount * old_mnt, const char *to)
51419 +{
51420 + __u32 mode;
51421 + __u32 needmode = GR_CREATE | GR_LINK;
51422 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
51423 +
51424 + mode =
51425 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
51426 + old_mnt);
51427 +
51428 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
51429 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51430 + return mode;
51431 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51432 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
51433 + return 0;
51434 + } else if (unlikely((mode & needmode) != needmode))
51435 + return 0;
51436 +
51437 + return 1;
51438 +}
51439 +
51440 +__u32
51441 +gr_acl_handle_symlink(const struct dentry * new_dentry,
51442 + const struct dentry * parent_dentry,
51443 + const struct vfsmount * parent_mnt, const char *from)
51444 +{
51445 + __u32 needmode = GR_WRITE | GR_CREATE;
51446 + __u32 mode;
51447 +
51448 + mode =
51449 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
51450 + GR_CREATE | GR_AUDIT_CREATE |
51451 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
51452 +
51453 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
51454 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51455 + return mode;
51456 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
51457 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
51458 + return 0;
51459 + } else if (unlikely((mode & needmode) != needmode))
51460 + return 0;
51461 +
51462 + return (GR_WRITE | GR_CREATE);
51463 +}
51464 +
51465 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
51466 +{
51467 + __u32 mode;
51468 +
51469 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
51470 +
51471 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
51472 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
51473 + return mode;
51474 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
51475 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
51476 + return 0;
51477 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
51478 + return 0;
51479 +
51480 + return (reqmode);
51481 +}
51482 +
51483 +__u32
51484 +gr_acl_handle_mknod(const struct dentry * new_dentry,
51485 + const struct dentry * parent_dentry,
51486 + const struct vfsmount * parent_mnt,
51487 + const int mode)
51488 +{
51489 + __u32 reqmode = GR_WRITE | GR_CREATE;
51490 + if (unlikely(mode & (S_ISUID | S_ISGID)))
51491 + reqmode |= GR_SETID;
51492 +
51493 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51494 + reqmode, GR_MKNOD_ACL_MSG);
51495 +}
51496 +
51497 +__u32
51498 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
51499 + const struct dentry *parent_dentry,
51500 + const struct vfsmount *parent_mnt)
51501 +{
51502 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
51503 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
51504 +}
51505 +
51506 +#define RENAME_CHECK_SUCCESS(old, new) \
51507 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
51508 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
51509 +
51510 +int
51511 +gr_acl_handle_rename(struct dentry *new_dentry,
51512 + struct dentry *parent_dentry,
51513 + const struct vfsmount *parent_mnt,
51514 + struct dentry *old_dentry,
51515 + struct inode *old_parent_inode,
51516 + struct vfsmount *old_mnt, const char *newname)
51517 +{
51518 + __u32 comp1, comp2;
51519 + int error = 0;
51520 +
51521 + if (unlikely(!gr_acl_is_enabled()))
51522 + return 0;
51523 +
51524 + if (!new_dentry->d_inode) {
51525 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
51526 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
51527 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
51528 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
51529 + GR_DELETE | GR_AUDIT_DELETE |
51530 + GR_AUDIT_READ | GR_AUDIT_WRITE |
51531 + GR_SUPPRESS, old_mnt);
51532 + } else {
51533 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
51534 + GR_CREATE | GR_DELETE |
51535 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
51536 + GR_AUDIT_READ | GR_AUDIT_WRITE |
51537 + GR_SUPPRESS, parent_mnt);
51538 + comp2 =
51539 + gr_search_file(old_dentry,
51540 + GR_READ | GR_WRITE | GR_AUDIT_READ |
51541 + GR_DELETE | GR_AUDIT_DELETE |
51542 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
51543 + }
51544 +
51545 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
51546 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
51547 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51548 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
51549 + && !(comp2 & GR_SUPPRESS)) {
51550 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
51551 + error = -EACCES;
51552 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
51553 + error = -EACCES;
51554 +
51555 + return error;
51556 +}
51557 +
51558 +void
51559 +gr_acl_handle_exit(void)
51560 +{
51561 + u16 id;
51562 + char *rolename;
51563 + struct file *exec_file;
51564 +
51565 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
51566 + !(current->role->roletype & GR_ROLE_PERSIST))) {
51567 + id = current->acl_role_id;
51568 + rolename = current->role->rolename;
51569 + gr_set_acls(1);
51570 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
51571 + }
51572 +
51573 + write_lock(&grsec_exec_file_lock);
51574 + exec_file = current->exec_file;
51575 + current->exec_file = NULL;
51576 + write_unlock(&grsec_exec_file_lock);
51577 +
51578 + if (exec_file)
51579 + fput(exec_file);
51580 +}
51581 +
51582 +int
51583 +gr_acl_handle_procpidmem(const struct task_struct *task)
51584 +{
51585 + if (unlikely(!gr_acl_is_enabled()))
51586 + return 0;
51587 +
51588 + if (task != current && task->acl->mode & GR_PROTPROCFD)
51589 + return -EACCES;
51590 +
51591 + return 0;
51592 +}
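Review bot: In `gr_acl_handle_symlink` the audit branch tests `mode & GR_WRITE && mode & GR_AUDITS` rather than the full `needmode`, so a result that carries GR_WRITE and an audit bit but lacks GR_CREATE returns a non-zero `mode` before either `(mode & needmode) != needmode` denial branch is reached. The other handlers in this file (`gr_acl_handle_creat`, `generic_fs_create_handler`, `gr_acl_handle_link`) compare against the whole required mask first, and the same form here would be `if (unlikely(((mode & needmode) == needmode) && mode & GR_AUDITS)) {`. Whether `gr_check_create` can actually hand back GR_WRITE without GR_CREATE is not visible in this hunk, so this may be latent rather than reachable. As written, though, the symlink check is the one place where the logged "audited success" and the permission decision can disagree with the declared `needmode`.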
51593 diff -urNp linux-2.6.32.43/grsecurity/gracl_ip.c linux-2.6.32.43/grsecurity/gracl_ip.c
51594 --- linux-2.6.32.43/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
51595 +++ linux-2.6.32.43/grsecurity/gracl_ip.c 2011-04-17 15:56:46.000000000 -0400
51596 @@ -0,0 +1,382 @@
51597 +#include <linux/kernel.h>
51598 +#include <asm/uaccess.h>
51599 +#include <asm/errno.h>
51600 +#include <net/sock.h>
51601 +#include <linux/file.h>
51602 +#include <linux/fs.h>
51603 +#include <linux/net.h>
51604 +#include <linux/in.h>
51605 +#include <linux/skbuff.h>
51606 +#include <linux/ip.h>
51607 +#include <linux/udp.h>
51608 +#include <linux/smp_lock.h>
51609 +#include <linux/types.h>
51610 +#include <linux/sched.h>
51611 +#include <linux/netdevice.h>
51612 +#include <linux/inetdevice.h>
51613 +#include <linux/gracl.h>
51614 +#include <linux/grsecurity.h>
51615 +#include <linux/grinternal.h>
51616 +
51617 +#define GR_BIND 0x01
51618 +#define GR_CONNECT 0x02
51619 +#define GR_INVERT 0x04
51620 +#define GR_BINDOVERRIDE 0x08
51621 +#define GR_CONNECTOVERRIDE 0x10
51622 +#define GR_SOCK_FAMILY 0x20
51623 +
51624 +static const char * gr_protocols[IPPROTO_MAX] = {
51625 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
51626 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
51627 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
51628 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
51629 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
51630 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
51631 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
51632 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
51633 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
51634 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
51635 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
51636 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
51637 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
51638 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
51639 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
51640 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
51641 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
51642 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
51643 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
51644 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
51645 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
51646 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
51647 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
51648 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
51649 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
51650 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
51651 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
51652 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
51653 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
51654 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
51655 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
51656 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
51657 + };
51658 +
51659 +static const char * gr_socktypes[SOCK_MAX] = {
51660 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
51661 + "unknown:7", "unknown:8", "unknown:9", "packet"
51662 + };
51663 +
51664 +static const char * gr_sockfamilies[AF_MAX+1] = {
51665 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
51666 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
51667 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
51668 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
51669 + };
51670 +
51671 +const char *
51672 +gr_proto_to_name(unsigned char proto)
51673 +{
51674 + return gr_protocols[proto];
51675 +}
51676 +
51677 +const char *
51678 +gr_socktype_to_name(unsigned char type)
51679 +{
51680 + return gr_socktypes[type];
51681 +}
51682 +
51683 +const char *
51684 +gr_sockfamily_to_name(unsigned char family)
51685 +{
51686 + return gr_sockfamilies[family];
51687 +}
51688 +
51689 +int
51690 +gr_search_socket(const int domain, const int type, const int protocol)
51691 +{
51692 + struct acl_subject_label *curr;
51693 + const struct cred *cred = current_cred();
51694 +
51695 + if (unlikely(!gr_acl_is_enabled()))
51696 + goto exit;
51697 +
51698 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
51699 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
51700 + goto exit; // let the kernel handle it
51701 +
51702 + curr = current->acl;
51703 +
51704 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
51705 + /* the family is allowed, if this is PF_INET allow it only if
51706 + the extra sock type/protocol checks pass */
51707 + if (domain == PF_INET)
51708 + goto inet_check;
51709 + goto exit;
51710 + } else {
51711 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
51712 + __u32 fakeip = 0;
51713 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
51714 + current->role->roletype, cred->uid,
51715 + cred->gid, current->exec_file ?
51716 + gr_to_filename(current->exec_file->f_path.dentry,
51717 + current->exec_file->f_path.mnt) :
51718 + curr->filename, curr->filename,
51719 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
51720 + &current->signal->saved_ip);
51721 + goto exit;
51722 + }
51723 + goto exit_fail;
51724 + }
51725 +
51726 +inet_check:
51727 + /* the rest of this checking is for IPv4 only */
51728 + if (!curr->ips)
51729 + goto exit;
51730 +
51731 + if ((curr->ip_type & (1 << type)) &&
51732 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
51733 + goto exit;
51734 +
51735 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
51736 + /* we don't place acls on raw sockets , and sometimes
51737 + dgram/ip sockets are opened for ioctl and not
51738 + bind/connect, so we'll fake a bind learn log */
51739 + if (type == SOCK_RAW || type == SOCK_PACKET) {
51740 + __u32 fakeip = 0;
51741 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
51742 + current->role->roletype, cred->uid,
51743 + cred->gid, current->exec_file ?
51744 + gr_to_filename(current->exec_file->f_path.dentry,
51745 + current->exec_file->f_path.mnt) :
51746 + curr->filename, curr->filename,
51747 + &fakeip, 0, type,
51748 + protocol, GR_CONNECT, &current->signal->saved_ip);
51749 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
51750 + __u32 fakeip = 0;
51751 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
51752 + current->role->roletype, cred->uid,
51753 + cred->gid, current->exec_file ?
51754 + gr_to_filename(current->exec_file->f_path.dentry,
51755 + current->exec_file->f_path.mnt) :
51756 + curr->filename, curr->filename,
51757 + &fakeip, 0, type,
51758 + protocol, GR_BIND, &current->signal->saved_ip);
51759 + }
51760 + /* we'll log when they use connect or bind */
51761 + goto exit;
51762 + }
51763 +
51764 +exit_fail:
51765 + if (domain == PF_INET)
51766 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
51767 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
51768 + else
51769 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
51770 + gr_socktype_to_name(type), protocol);
51771 +
51772 + return 0;
51773 +exit:
51774 + return 1;
51775 +}
51776 +
51777 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
51778 +{
51779 + if ((ip->mode & mode) &&
51780 + (ip_port >= ip->low) &&
51781 + (ip_port <= ip->high) &&
51782 + ((ntohl(ip_addr) & our_netmask) ==
51783 + (ntohl(our_addr) & our_netmask))
51784 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
51785 + && (ip->type & (1 << type))) {
51786 + if (ip->mode & GR_INVERT)
51787 + return 2; // specifically denied
51788 + else
51789 + return 1; // allowed
51790 + }
51791 +
51792 + return 0; // not specifically allowed, may continue parsing
51793 +}
51794 +
51795 +static int
51796 +gr_search_connectbind(const int full_mode, struct sock *sk,
51797 + struct sockaddr_in *addr, const int type)
51798 +{
51799 + char iface[IFNAMSIZ] = {0};
51800 + struct acl_subject_label *curr;
51801 + struct acl_ip_label *ip;
51802 + struct inet_sock *isk;
51803 + struct net_device *dev;
51804 + struct in_device *idev;
51805 + unsigned long i;
51806 + int ret;
51807 + int mode = full_mode & (GR_BIND | GR_CONNECT);
51808 + __u32 ip_addr = 0;
51809 + __u32 our_addr;
51810 + __u32 our_netmask;
51811 + char *p;
51812 + __u16 ip_port = 0;
51813 + const struct cred *cred = current_cred();
51814 +
51815 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
51816 + return 0;
51817 +
51818 + curr = current->acl;
51819 + isk = inet_sk(sk);
51820 +
51821 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
51822 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
51823 + addr->sin_addr.s_addr = curr->inaddr_any_override;
51824 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
51825 + struct sockaddr_in saddr;
51826 + int err;
51827 +
51828 + saddr.sin_family = AF_INET;
51829 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
51830 + saddr.sin_port = isk->sport;
51831 +
51832 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
51833 + if (err)
51834 + return err;
51835 +
51836 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
51837 + if (err)
51838 + return err;
51839 + }
51840 +
51841 + if (!curr->ips)
51842 + return 0;
51843 +
51844 + ip_addr = addr->sin_addr.s_addr;
51845 + ip_port = ntohs(addr->sin_port);
51846 +
51847 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
51848 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
51849 + current->role->roletype, cred->uid,
51850 + cred->gid, current->exec_file ?
51851 + gr_to_filename(current->exec_file->f_path.dentry,
51852 + current->exec_file->f_path.mnt) :
51853 + curr->filename, curr->filename,
51854 + &ip_addr, ip_port, type,
51855 + sk->sk_protocol, mode, &current->signal->saved_ip);
51856 + return 0;
51857 + }
51858 +
51859 + for (i = 0; i < curr->ip_num; i++) {
51860 + ip = *(curr->ips + i);
51861 + if (ip->iface != NULL) {
51862 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
51863 + p = strchr(iface, ':');
51864 + if (p != NULL)
51865 + *p = '\0';
51866 + dev = dev_get_by_name(sock_net(sk), iface);
51867 + if (dev == NULL)
51868 + continue;
51869 + idev = in_dev_get(dev);
51870 + if (idev == NULL) {
51871 + dev_put(dev);
51872 + continue;
51873 + }
51874 + rcu_read_lock();
51875 + for_ifa(idev) {
51876 + if (!strcmp(ip->iface, ifa->ifa_label)) {
51877 + our_addr = ifa->ifa_address;
51878 + our_netmask = 0xffffffff;
51879 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
51880 + if (ret == 1) {
51881 + rcu_read_unlock();
51882 + in_dev_put(idev);
51883 + dev_put(dev);
51884 + return 0;
51885 + } else if (ret == 2) {
51886 + rcu_read_unlock();
51887 + in_dev_put(idev);
51888 + dev_put(dev);
51889 + goto denied;
51890 + }
51891 + }
51892 + } endfor_ifa(idev);
51893 + rcu_read_unlock();
51894 + in_dev_put(idev);
51895 + dev_put(dev);
51896 + } else {
51897 + our_addr = ip->addr;
51898 + our_netmask = ip->netmask;
51899 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
51900 + if (ret == 1)
51901 + return 0;
51902 + else if (ret == 2)
51903 + goto denied;
51904 + }
51905 + }
51906 +
51907 +denied:
51908 + if (mode == GR_BIND)
51909 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
51910 + else if (mode == GR_CONNECT)
51911 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
51912 +
51913 + return -EACCES;
51914 +}
51915 +
51916 +int
51917 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
51918 +{
51919 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
51920 +}
51921 +
51922 +int
51923 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
51924 +{
51925 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
51926 +}
51927 +
51928 +int gr_search_listen(struct socket *sock)
51929 +{
51930 + struct sock *sk = sock->sk;
51931 + struct sockaddr_in addr;
51932 +
51933 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
51934 + addr.sin_port = inet_sk(sk)->sport;
51935 +
51936 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
51937 +}
51938 +
51939 +int gr_search_accept(struct socket *sock)
51940 +{
51941 + struct sock *sk = sock->sk;
51942 + struct sockaddr_in addr;
51943 +
51944 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
51945 + addr.sin_port = inet_sk(sk)->sport;
51946 +
51947 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
51948 +}
51949 +
51950 +int
51951 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
51952 +{
51953 + if (addr)
51954 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
51955 + else {
51956 + struct sockaddr_in sin;
51957 + const struct inet_sock *inet = inet_sk(sk);
51958 +
51959 + sin.sin_addr.s_addr = inet->daddr;
51960 + sin.sin_port = inet->dport;
51961 +
51962 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
51963 + }
51964 +}
51965 +
51966 +int
51967 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
51968 +{
51969 + struct sockaddr_in sin;
51970 +
51971 + if (unlikely(skb->len < sizeof (struct udphdr)))
51972 + return 0; // skip this packet
51973 +
51974 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
51975 + sin.sin_port = udp_hdr(skb)->source;
51976 +
51977 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
51978 +}
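Review bot: The name-lookup helpers `gr_proto_to_name`, `gr_socktype_to_name` and `gr_sockfamily_to_name` index their tables with an unchecked `unsigned char`, and `gr_socktypes` holds only 11 entries (`SOCK_MAX`), so they are safe only if every caller has already range-checked the value. `gr_search_socket` does that before reaching `exit_fail`, but the `denied:` path of `gr_search_connectbind` passes `type` straight to `gr_socktype_to_name(type)` and relies on the socket layer having validated it earlier. I would put the bound in the helper itself, e.g. `return type < SOCK_MAX ? gr_socktypes[type] : "unknown";`. The family lookup needs the same treatment plus a NULL fallback, because `gr_sockfamilies` is declared with `AF_MAX+1` slots but lists 36 strings, so any trailing slot is NULL and would reach the denial log as a null string.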
51979 diff -urNp linux-2.6.32.43/grsecurity/gracl_learn.c linux-2.6.32.43/grsecurity/gracl_learn.c
51980 --- linux-2.6.32.43/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
51981 +++ linux-2.6.32.43/grsecurity/gracl_learn.c 2011-07-14 21:02:03.000000000 -0400
51982 @@ -0,0 +1,208 @@
51983 +#include <linux/kernel.h>
51984 +#include <linux/mm.h>
51985 +#include <linux/sched.h>
51986 +#include <linux/poll.h>
51987 +#include <linux/smp_lock.h>
51988 +#include <linux/string.h>
51989 +#include <linux/file.h>
51990 +#include <linux/types.h>
51991 +#include <linux/vmalloc.h>
51992 +#include <linux/grinternal.h>
51993 +
51994 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
51995 + size_t count, loff_t *ppos);
51996 +extern int gr_acl_is_enabled(void);
51997 +
51998 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
51999 +static int gr_learn_attached;
52000 +
52001 +/* use a 512k buffer */
52002 +#define LEARN_BUFFER_SIZE (512 * 1024)
52003 +
52004 +static DEFINE_SPINLOCK(gr_learn_lock);
52005 +static DEFINE_MUTEX(gr_learn_user_mutex);
52006 +
52007 +/* we need to maintain two buffers, so that the kernel context of grlearn
52008 + uses a semaphore around the userspace copying, and the other kernel contexts
52009 + use a spinlock when copying into the buffer, since they cannot sleep
52010 +*/
52011 +static char *learn_buffer;
52012 +static char *learn_buffer_user;
52013 +static int learn_buffer_len;
52014 +static int learn_buffer_user_len;
52015 +
52016 +static ssize_t
52017 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
52018 +{
52019 + DECLARE_WAITQUEUE(wait, current);
52020 + ssize_t retval = 0;
52021 +
52022 + add_wait_queue(&learn_wait, &wait);
52023 + set_current_state(TASK_INTERRUPTIBLE);
52024 + do {
52025 + mutex_lock(&gr_learn_user_mutex);
52026 + spin_lock(&gr_learn_lock);
52027 + if (learn_buffer_len)
52028 + break;
52029 + spin_unlock(&gr_learn_lock);
52030 + mutex_unlock(&gr_learn_user_mutex);
52031 + if (file->f_flags & O_NONBLOCK) {
52032 + retval = -EAGAIN;
52033 + goto out;
52034 + }
52035 + if (signal_pending(current)) {
52036 + retval = -ERESTARTSYS;
52037 + goto out;
52038 + }
52039 +
52040 + schedule();
52041 + } while (1);
52042 +
52043 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
52044 + learn_buffer_user_len = learn_buffer_len;
52045 + retval = learn_buffer_len;
52046 + learn_buffer_len = 0;
52047 +
52048 + spin_unlock(&gr_learn_lock);
52049 +
52050 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
52051 + retval = -EFAULT;
52052 +
52053 + mutex_unlock(&gr_learn_user_mutex);
52054 +out:
52055 + set_current_state(TASK_RUNNING);
52056 + remove_wait_queue(&learn_wait, &wait);
52057 + return retval;
52058 +}
52059 +
52060 +static unsigned int
52061 +poll_learn(struct file * file, poll_table * wait)
52062 +{
52063 + poll_wait(file, &learn_wait, wait);
52064 +
52065 + if (learn_buffer_len)
52066 + return (POLLIN | POLLRDNORM);
52067 +
52068 + return 0;
52069 +}
52070 +
52071 +void
52072 +gr_clear_learn_entries(void)
52073 +{
52074 + char *tmp;
52075 +
52076 + mutex_lock(&gr_learn_user_mutex);
52077 + spin_lock(&gr_learn_lock);
52078 + tmp = learn_buffer;
52079 + learn_buffer = NULL;
52080 + spin_unlock(&gr_learn_lock);
52081 + if (tmp)
52082 + vfree(tmp);
52083 + if (learn_buffer_user != NULL) {
52084 + vfree(learn_buffer_user);
52085 + learn_buffer_user = NULL;
52086 + }
52087 + learn_buffer_len = 0;
52088 + mutex_unlock(&gr_learn_user_mutex);
52089 +
52090 + return;
52091 +}
52092 +
52093 +void
52094 +gr_add_learn_entry(const char *fmt, ...)
52095 +{
52096 + va_list args;
52097 + unsigned int len;
52098 +
52099 + if (!gr_learn_attached)
52100 + return;
52101 +
52102 + spin_lock(&gr_learn_lock);
52103 +
52104 + /* leave a gap at the end so we know when it's "full" but don't have to
52105 + compute the exact length of the string we're trying to append
52106 + */
52107 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
52108 + spin_unlock(&gr_learn_lock);
52109 + wake_up_interruptible(&learn_wait);
52110 + return;
52111 + }
52112 + if (learn_buffer == NULL) {
52113 + spin_unlock(&gr_learn_lock);
52114 + return;
52115 + }
52116 +
52117 + va_start(args, fmt);
52118 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
52119 + va_end(args);
52120 +
52121 + learn_buffer_len += len + 1;
52122 +
52123 + spin_unlock(&gr_learn_lock);
52124 + wake_up_interruptible(&learn_wait);
52125 +
52126 + return;
52127 +}
52128 +
52129 +static int
52130 +open_learn(struct inode *inode, struct file *file)
52131 +{
52132 + if (file->f_mode & FMODE_READ && gr_learn_attached)
52133 + return -EBUSY;
52134 + if (file->f_mode & FMODE_READ) {
52135 + int retval = 0;
52136 + mutex_lock(&gr_learn_user_mutex);
52137 + if (learn_buffer == NULL)
52138 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
52139 + if (learn_buffer_user == NULL)
52140 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
52141 + if (learn_buffer == NULL) {
52142 + retval = -ENOMEM;
52143 + goto out_error;
52144 + }
52145 + if (learn_buffer_user == NULL) {
52146 + retval = -ENOMEM;
52147 + goto out_error;
52148 + }
52149 + learn_buffer_len = 0;
52150 + learn_buffer_user_len = 0;
52151 + gr_learn_attached = 1;
52152 +out_error:
52153 + mutex_unlock(&gr_learn_user_mutex);
52154 + return retval;
52155 + }
52156 + return 0;
52157 +}
52158 +
52159 +static int
52160 +close_learn(struct inode *inode, struct file *file)
52161 +{
52162 + if (file->f_mode & FMODE_READ) {
52163 + char *tmp = NULL;
52164 + mutex_lock(&gr_learn_user_mutex);
52165 + spin_lock(&gr_learn_lock);
52166 + tmp = learn_buffer;
52167 + learn_buffer = NULL;
52168 + spin_unlock(&gr_learn_lock);
52169 + if (tmp)
52170 + vfree(tmp);
52171 + if (learn_buffer_user != NULL) {
52172 + vfree(learn_buffer_user);
52173 + learn_buffer_user = NULL;
52174 + }
52175 + learn_buffer_len = 0;
52176 + learn_buffer_user_len = 0;
52177 + gr_learn_attached = 0;
52178 + mutex_unlock(&gr_learn_user_mutex);
52179 + }
52180 +
52181 + return 0;
52182 +}
52183 +
52184 +const struct file_operations grsec_fops = {
52185 + .read = read_learn,
52186 + .write = write_grsec_handler,
52187 + .open = open_learn,
52188 + .release = close_learn,
52189 + .poll = poll_learn,
52190 +};
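Review bot: In gr_add_learn_entry, `learn_buffer_len += len + 1` trusts the return value of vsnprintf(), which is the length the formatted entry would have had, not the number of bytes actually stored. The 16384-byte reserve only covers entries shorter than that (whether any caller can produce a longer one is not visible in this file); a longer entry would push learn_buffer_len past LEARN_BUFFER_SIZE, and read_learn then uses that value as the memcpy() length between the two vmalloc'd buffers. Using `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` keeps the counter bounded by what was written. Separately, read_learn never looks at `count`, so copy_to_user() can write more than the caller asked for; rejecting reads where `count` is smaller than the pending length would make that contract explicit.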
52191 diff -urNp linux-2.6.32.43/grsecurity/gracl_res.c linux-2.6.32.43/grsecurity/gracl_res.c
52192 --- linux-2.6.32.43/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
52193 +++ linux-2.6.32.43/grsecurity/gracl_res.c 2011-04-17 15:56:46.000000000 -0400
52194 @@ -0,0 +1,67 @@
52195 +#include <linux/kernel.h>
52196 +#include <linux/sched.h>
52197 +#include <linux/gracl.h>
52198 +#include <linux/grinternal.h>
52199 +
52200 +static const char *restab_log[] = {
52201 + [RLIMIT_CPU] = "RLIMIT_CPU",
52202 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
52203 + [RLIMIT_DATA] = "RLIMIT_DATA",
52204 + [RLIMIT_STACK] = "RLIMIT_STACK",
52205 + [RLIMIT_CORE] = "RLIMIT_CORE",
52206 + [RLIMIT_RSS] = "RLIMIT_RSS",
52207 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
52208 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
52209 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
52210 + [RLIMIT_AS] = "RLIMIT_AS",
52211 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
52212 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
52213 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
52214 + [RLIMIT_NICE] = "RLIMIT_NICE",
52215 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
52216 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
52217 + [GR_CRASH_RES] = "RLIMIT_CRASH"
52218 +};
52219 +
52220 +void
52221 +gr_log_resource(const struct task_struct *task,
52222 + const int res, const unsigned long wanted, const int gt)
52223 +{
52224 + const struct cred *cred;
52225 + unsigned long rlim;
52226 +
52227 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
52228 + return;
52229 +
52230 + // not yet supported resource
52231 + if (unlikely(!restab_log[res]))
52232 + return;
52233 +
52234 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
52235 + rlim = task->signal->rlim[res].rlim_max;
52236 + else
52237 + rlim = task->signal->rlim[res].rlim_cur;
52238 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
52239 + return;
52240 +
52241 + rcu_read_lock();
52242 + cred = __task_cred(task);
52243 +
52244 + if (res == RLIMIT_NPROC &&
52245 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
52246 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
52247 + goto out_rcu_unlock;
52248 + else if (res == RLIMIT_MEMLOCK &&
52249 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
52250 + goto out_rcu_unlock;
52251 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
52252 + goto out_rcu_unlock;
52253 + rcu_read_unlock();
52254 +
52255 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
52256 +
52257 + return;
52258 +out_rcu_unlock:
52259 + rcu_read_unlock();
52260 + return;
52261 +}
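Review bot: gr_log_resource indexes `restab_log[res]` and `task->signal->rlim[res]` without checking that `res` lies inside either array. The callers are outside this file, so this may be safe today, but a guard such as `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log))) return;` ahead of the table lookup would keep a bad index from reading past the table. The `gt` parameter also deserves a one-line comment: as written, a non-zero `gt` treats `wanted == rlim` as within the limit, while zero treats it as exceeding it.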
52262 diff -urNp linux-2.6.32.43/grsecurity/gracl_segv.c linux-2.6.32.43/grsecurity/gracl_segv.c
52263 --- linux-2.6.32.43/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
52264 +++ linux-2.6.32.43/grsecurity/gracl_segv.c 2011-04-17 15:56:46.000000000 -0400
52265 @@ -0,0 +1,284 @@
52266 +#include <linux/kernel.h>
52267 +#include <linux/mm.h>
52268 +#include <asm/uaccess.h>
52269 +#include <asm/errno.h>
52270 +#include <asm/mman.h>
52271 +#include <net/sock.h>
52272 +#include <linux/file.h>
52273 +#include <linux/fs.h>
52274 +#include <linux/net.h>
52275 +#include <linux/in.h>
52276 +#include <linux/smp_lock.h>
52277 +#include <linux/slab.h>
52278 +#include <linux/types.h>
52279 +#include <linux/sched.h>
52280 +#include <linux/timer.h>
52281 +#include <linux/gracl.h>
52282 +#include <linux/grsecurity.h>
52283 +#include <linux/grinternal.h>
52284 +
52285 +static struct crash_uid *uid_set;
52286 +static unsigned short uid_used;
52287 +static DEFINE_SPINLOCK(gr_uid_lock);
52288 +extern rwlock_t gr_inode_lock;
52289 +extern struct acl_subject_label *
52290 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
52291 + struct acl_role_label *role);
52292 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
52293 +
52294 +int
52295 +gr_init_uidset(void)
52296 +{
52297 + uid_set =
52298 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
52299 + uid_used = 0;
52300 +
52301 + return uid_set ? 1 : 0;
52302 +}
52303 +
52304 +void
52305 +gr_free_uidset(void)
52306 +{
52307 + if (uid_set)
52308 + kfree(uid_set);
52309 +
52310 + return;
52311 +}
52312 +
52313 +int
52314 +gr_find_uid(const uid_t uid)
52315 +{
52316 + struct crash_uid *tmp = uid_set;
52317 + uid_t buid;
52318 + int low = 0, high = uid_used - 1, mid;
52319 +
52320 + while (high >= low) {
52321 + mid = (low + high) >> 1;
52322 + buid = tmp[mid].uid;
52323 + if (buid == uid)
52324 + return mid;
52325 + if (buid > uid)
52326 + high = mid - 1;
52327 + if (buid < uid)
52328 + low = mid + 1;
52329 + }
52330 +
52331 + return -1;
52332 +}
52333 +
52334 +static __inline__ void
52335 +gr_insertsort(void)
52336 +{
52337 + unsigned short i, j;
52338 + struct crash_uid index;
52339 +
52340 + for (i = 1; i < uid_used; i++) {
52341 + index = uid_set[i];
52342 + j = i;
52343 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
52344 + uid_set[j] = uid_set[j - 1];
52345 + j--;
52346 + }
52347 + uid_set[j] = index;
52348 + }
52349 +
52350 + return;
52351 +}
52352 +
52353 +static __inline__ void
52354 +gr_insert_uid(const uid_t uid, const unsigned long expires)
52355 +{
52356 + int loc;
52357 +
52358 + if (uid_used == GR_UIDTABLE_MAX)
52359 + return;
52360 +
52361 + loc = gr_find_uid(uid);
52362 +
52363 + if (loc >= 0) {
52364 + uid_set[loc].expires = expires;
52365 + return;
52366 + }
52367 +
52368 + uid_set[uid_used].uid = uid;
52369 + uid_set[uid_used].expires = expires;
52370 + uid_used++;
52371 +
52372 + gr_insertsort();
52373 +
52374 + return;
52375 +}
52376 +
52377 +void
52378 +gr_remove_uid(const unsigned short loc)
52379 +{
52380 + unsigned short i;
52381 +
52382 + for (i = loc + 1; i < uid_used; i++)
52383 + uid_set[i - 1] = uid_set[i];
52384 +
52385 + uid_used--;
52386 +
52387 + return;
52388 +}
52389 +
52390 +int
52391 +gr_check_crash_uid(const uid_t uid)
52392 +{
52393 + int loc;
52394 + int ret = 0;
52395 +
52396 + if (unlikely(!gr_acl_is_enabled()))
52397 + return 0;
52398 +
52399 + spin_lock(&gr_uid_lock);
52400 + loc = gr_find_uid(uid);
52401 +
52402 + if (loc < 0)
52403 + goto out_unlock;
52404 +
52405 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
52406 + gr_remove_uid(loc);
52407 + else
52408 + ret = 1;
52409 +
52410 +out_unlock:
52411 + spin_unlock(&gr_uid_lock);
52412 + return ret;
52413 +}
52414 +
52415 +static __inline__ int
52416 +proc_is_setxid(const struct cred *cred)
52417 +{
52418 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
52419 + cred->uid != cred->fsuid)
52420 + return 1;
52421 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
52422 + cred->gid != cred->fsgid)
52423 + return 1;
52424 +
52425 + return 0;
52426 +}
52427 +
52428 +void
52429 +gr_handle_crash(struct task_struct *task, const int sig)
52430 +{
52431 + struct acl_subject_label *curr;
52432 + struct acl_subject_label *curr2;
52433 + struct task_struct *tsk, *tsk2;
52434 + const struct cred *cred;
52435 + const struct cred *cred2;
52436 +
52437 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
52438 + return;
52439 +
52440 + if (unlikely(!gr_acl_is_enabled()))
52441 + return;
52442 +
52443 + curr = task->acl;
52444 +
52445 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
52446 + return;
52447 +
52448 + if (time_before_eq(curr->expires, get_seconds())) {
52449 + curr->expires = 0;
52450 + curr->crashes = 0;
52451 + }
52452 +
52453 + curr->crashes++;
52454 +
52455 + if (!curr->expires)
52456 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
52457 +
52458 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52459 + time_after(curr->expires, get_seconds())) {
52460 + rcu_read_lock();
52461 + cred = __task_cred(task);
52462 + if (cred->uid && proc_is_setxid(cred)) {
52463 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52464 + spin_lock(&gr_uid_lock);
52465 + gr_insert_uid(cred->uid, curr->expires);
52466 + spin_unlock(&gr_uid_lock);
52467 + curr->expires = 0;
52468 + curr->crashes = 0;
52469 + read_lock(&tasklist_lock);
52470 + do_each_thread(tsk2, tsk) {
52471 + cred2 = __task_cred(tsk);
52472 + if (tsk != task && cred2->uid == cred->uid)
52473 + gr_fake_force_sig(SIGKILL, tsk);
52474 + } while_each_thread(tsk2, tsk);
52475 + read_unlock(&tasklist_lock);
52476 + } else {
52477 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
52478 + read_lock(&tasklist_lock);
52479 + do_each_thread(tsk2, tsk) {
52480 + if (likely(tsk != task)) {
52481 + curr2 = tsk->acl;
52482 +
52483 + if (curr2->device == curr->device &&
52484 + curr2->inode == curr->inode)
52485 + gr_fake_force_sig(SIGKILL, tsk);
52486 + }
52487 + } while_each_thread(tsk2, tsk);
52488 + read_unlock(&tasklist_lock);
52489 + }
52490 + rcu_read_unlock();
52491 + }
52492 +
52493 + return;
52494 +}
52495 +
52496 +int
52497 +gr_check_crash_exec(const struct file *filp)
52498 +{
52499 + struct acl_subject_label *curr;
52500 +
52501 + if (unlikely(!gr_acl_is_enabled()))
52502 + return 0;
52503 +
52504 + read_lock(&gr_inode_lock);
52505 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
52506 + filp->f_path.dentry->d_inode->i_sb->s_dev,
52507 + current->role);
52508 + read_unlock(&gr_inode_lock);
52509 +
52510 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
52511 + (!curr->crashes && !curr->expires))
52512 + return 0;
52513 +
52514 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
52515 + time_after(curr->expires, get_seconds()))
52516 + return 1;
52517 + else if (time_before_eq(curr->expires, get_seconds())) {
52518 + curr->crashes = 0;
52519 + curr->expires = 0;
52520 + }
52521 +
52522 + return 0;
52523 +}
52524 +
52525 +void
52526 +gr_handle_alertkill(struct task_struct *task)
52527 +{
52528 + struct acl_subject_label *curracl;
52529 + __u32 curr_ip;
52530 + struct task_struct *p, *p2;
52531 +
52532 + if (unlikely(!gr_acl_is_enabled()))
52533 + return;
52534 +
52535 + curracl = task->acl;
52536 + curr_ip = task->signal->curr_ip;
52537 +
52538 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
52539 + read_lock(&tasklist_lock);
52540 + do_each_thread(p2, p) {
52541 + if (p->signal->curr_ip == curr_ip)
52542 + gr_fake_force_sig(SIGKILL, p);
52543 + } while_each_thread(p2, p);
52544 + read_unlock(&tasklist_lock);
52545 + } else if (curracl->mode & GR_KILLPROC)
52546 + gr_fake_force_sig(SIGKILL, task);
52547 +
52548 + return;
52549 +}
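Review bot: gr_insert_uid returns as soon as `uid_used == GR_UIDTABLE_MAX`, before the gr_find_uid() lookup, so once the table is full a uid that is already listed does not get its `expires` refreshed and a new uid is silently never recorded. Expired entries are only removed in gr_check_crash_uid when that same uid is looked up again, so stale entries can keep the table full. Moving the lookup and refresh ahead of the capacity check, and logging when an insert is dropped, would make the failure visible instead of quietly skipping the ban. gr_free_uidset also leaves `uid_set` dangling and `uid_used` unchanged after kfree(); resetting both (`uid_set = NULL; uid_used = 0;`) would keep gr_find_uid from walking freed memory if it is reached afterwards.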
52550 diff -urNp linux-2.6.32.43/grsecurity/gracl_shm.c linux-2.6.32.43/grsecurity/gracl_shm.c
52551 --- linux-2.6.32.43/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
52552 +++ linux-2.6.32.43/grsecurity/gracl_shm.c 2011-04-17 15:56:46.000000000 -0400
52553 @@ -0,0 +1,40 @@
52554 +#include <linux/kernel.h>
52555 +#include <linux/mm.h>
52556 +#include <linux/sched.h>
52557 +#include <linux/file.h>
52558 +#include <linux/ipc.h>
52559 +#include <linux/gracl.h>
52560 +#include <linux/grsecurity.h>
52561 +#include <linux/grinternal.h>
52562 +
52563 +int
52564 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
52565 + const time_t shm_createtime, const uid_t cuid, const int shmid)
52566 +{
52567 + struct task_struct *task;
52568 +
52569 + if (!gr_acl_is_enabled())
52570 + return 1;
52571 +
52572 + rcu_read_lock();
52573 + read_lock(&tasklist_lock);
52574 +
52575 + task = find_task_by_vpid(shm_cprid);
52576 +
52577 + if (unlikely(!task))
52578 + task = find_task_by_vpid(shm_lapid);
52579 +
52580 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
52581 + (task->pid == shm_lapid)) &&
52582 + (task->acl->mode & GR_PROTSHM) &&
52583 + (task->acl != current->acl))) {
52584 + read_unlock(&tasklist_lock);
52585 + rcu_read_unlock();
52586 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
52587 + return 0;
52588 + }
52589 + read_unlock(&tasklist_lock);
52590 + rcu_read_unlock();
52591 +
52592 + return 1;
52593 +}
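Review bot: gr_handle_shmat only falls back to `shm_lapid` when no task at all has the pid `shm_cprid`; if the creator has exited and its pid now belongs to a younger task that is not the last attacher, the start-time test fails and the attach is allowed without the last attacher ever being checked. gr_chroot_shmat in grsec_chroot.c handles the same situation by falling through to the `shm_lapid` lookup. Treating a too-young creator match as "not found" would align the two, as sketched below. The return convention (1 = allow, 0 = deny) is also worth stating in a comment above the function, since most other handlers in this patch return 0 on success.

```c
	task = find_task_by_vpid(shm_cprid);

	/* creator pid now belongs to a younger task: judge by the last attacher */
	if (task && !time_before_eq((unsigned long)task->start_time.tv_sec,
				    (unsigned long)shm_createtime))
		task = NULL;

	/* … unchanged: shm_lapid fallback, GR_PROTSHM / acl comparison, unlock and log paths … */
```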
52594 diff -urNp linux-2.6.32.43/grsecurity/grsec_chdir.c linux-2.6.32.43/grsecurity/grsec_chdir.c
52595 --- linux-2.6.32.43/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
52596 +++ linux-2.6.32.43/grsecurity/grsec_chdir.c 2011-04-17 15:56:46.000000000 -0400
52597 @@ -0,0 +1,19 @@
52598 +#include <linux/kernel.h>
52599 +#include <linux/sched.h>
52600 +#include <linux/fs.h>
52601 +#include <linux/file.h>
52602 +#include <linux/grsecurity.h>
52603 +#include <linux/grinternal.h>
52604 +
52605 +void
52606 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
52607 +{
52608 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
52609 + if ((grsec_enable_chdir && grsec_enable_group &&
52610 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
52611 + !grsec_enable_group)) {
52612 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
52613 + }
52614 +#endif
52615 + return;
52616 +}
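Review bot: The condition in gr_log_chdir tests `grsec_enable_chdir` twice; it reads more directly as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which evaluates the same operands in the same cases. The trailing `return;` at the end of the void function can be dropped as well.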
52617 diff -urNp linux-2.6.32.43/grsecurity/grsec_chroot.c linux-2.6.32.43/grsecurity/grsec_chroot.c
52618 --- linux-2.6.32.43/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
52619 +++ linux-2.6.32.43/grsecurity/grsec_chroot.c 2011-07-18 17:14:10.000000000 -0400
52620 @@ -0,0 +1,384 @@
52621 +#include <linux/kernel.h>
52622 +#include <linux/module.h>
52623 +#include <linux/sched.h>
52624 +#include <linux/file.h>
52625 +#include <linux/fs.h>
52626 +#include <linux/mount.h>
52627 +#include <linux/types.h>
52628 +#include <linux/pid_namespace.h>
52629 +#include <linux/grsecurity.h>
52630 +#include <linux/grinternal.h>
52631 +
52632 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
52633 +{
52634 +#ifdef CONFIG_GRKERNSEC
52635 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
52636 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
52637 + task->gr_is_chrooted = 1;
52638 + else
52639 + task->gr_is_chrooted = 0;
52640 +
52641 + task->gr_chroot_dentry = path->dentry;
52642 +#endif
52643 + return;
52644 +}
52645 +
52646 +void gr_clear_chroot_entries(struct task_struct *task)
52647 +{
52648 +#ifdef CONFIG_GRKERNSEC
52649 + task->gr_is_chrooted = 0;
52650 + task->gr_chroot_dentry = NULL;
52651 +#endif
52652 + return;
52653 +}
52654 +
52655 +int
52656 +gr_handle_chroot_unix(const pid_t pid)
52657 +{
52658 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
52659 + struct task_struct *p;
52660 +
52661 + if (unlikely(!grsec_enable_chroot_unix))
52662 + return 1;
52663 +
52664 + if (likely(!proc_is_chrooted(current)))
52665 + return 1;
52666 +
52667 + rcu_read_lock();
52668 + read_lock(&tasklist_lock);
52669 +
52670 + p = find_task_by_vpid_unrestricted(pid);
52671 + if (unlikely(p && !have_same_root(current, p))) {
52672 + read_unlock(&tasklist_lock);
52673 + rcu_read_unlock();
52674 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
52675 + return 0;
52676 + }
52677 + read_unlock(&tasklist_lock);
52678 + rcu_read_unlock();
52679 +#endif
52680 + return 1;
52681 +}
52682 +
52683 +int
52684 +gr_handle_chroot_nice(void)
52685 +{
52686 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
52687 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
52688 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
52689 + return -EPERM;
52690 + }
52691 +#endif
52692 + return 0;
52693 +}
52694 +
52695 +int
52696 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
52697 +{
52698 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
52699 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
52700 + && proc_is_chrooted(current)) {
52701 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
52702 + return -EACCES;
52703 + }
52704 +#endif
52705 + return 0;
52706 +}
52707 +
52708 +int
52709 +gr_handle_chroot_rawio(const struct inode *inode)
52710 +{
52711 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52712 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
52713 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
52714 + return 1;
52715 +#endif
52716 + return 0;
52717 +}
52718 +
52719 +int
52720 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
52721 +{
52722 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
52723 + struct task_struct *p;
52724 + int ret = 0;
52725 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
52726 + return ret;
52727 +
52728 + read_lock(&tasklist_lock);
52729 + do_each_pid_task(pid, type, p) {
52730 + if (!have_same_root(current, p)) {
52731 + ret = 1;
52732 + goto out;
52733 + }
52734 + } while_each_pid_task(pid, type, p);
52735 +out:
52736 + read_unlock(&tasklist_lock);
52737 + return ret;
52738 +#endif
52739 + return 0;
52740 +}
52741 +
52742 +int
52743 +gr_pid_is_chrooted(struct task_struct *p)
52744 +{
52745 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
52746 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
52747 + return 0;
52748 +
52749 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
52750 + !have_same_root(current, p)) {
52751 + return 1;
52752 + }
52753 +#endif
52754 + return 0;
52755 +}
52756 +
52757 +EXPORT_SYMBOL(gr_pid_is_chrooted);
52758 +
52759 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
52760 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
52761 +{
52762 + struct dentry *dentry = (struct dentry *)u_dentry;
52763 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
52764 + struct dentry *realroot;
52765 + struct vfsmount *realrootmnt;
52766 + struct dentry *currentroot;
52767 + struct vfsmount *currentmnt;
52768 + struct task_struct *reaper = &init_task;
52769 + int ret = 1;
52770 +
52771 + read_lock(&reaper->fs->lock);
52772 + realrootmnt = mntget(reaper->fs->root.mnt);
52773 + realroot = dget(reaper->fs->root.dentry);
52774 + read_unlock(&reaper->fs->lock);
52775 +
52776 + read_lock(&current->fs->lock);
52777 + currentmnt = mntget(current->fs->root.mnt);
52778 + currentroot = dget(current->fs->root.dentry);
52779 + read_unlock(&current->fs->lock);
52780 +
52781 + spin_lock(&dcache_lock);
52782 + for (;;) {
52783 + if (unlikely((dentry == realroot && mnt == realrootmnt)
52784 + || (dentry == currentroot && mnt == currentmnt)))
52785 + break;
52786 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
52787 + if (mnt->mnt_parent == mnt)
52788 + break;
52789 + dentry = mnt->mnt_mountpoint;
52790 + mnt = mnt->mnt_parent;
52791 + continue;
52792 + }
52793 + dentry = dentry->d_parent;
52794 + }
52795 + spin_unlock(&dcache_lock);
52796 +
52797 + dput(currentroot);
52798 + mntput(currentmnt);
52799 +
52800 + /* access is outside of chroot */
52801 + if (dentry == realroot && mnt == realrootmnt)
52802 + ret = 0;
52803 +
52804 + dput(realroot);
52805 + mntput(realrootmnt);
52806 + return ret;
52807 +}
52808 +#endif
52809 +
52810 +int
52811 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
52812 +{
52813 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
52814 + if (!grsec_enable_chroot_fchdir)
52815 + return 1;
52816 +
52817 + if (!proc_is_chrooted(current))
52818 + return 1;
52819 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
52820 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
52821 + return 0;
52822 + }
52823 +#endif
52824 + return 1;
52825 +}
52826 +
52827 +int
52828 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
52829 + const time_t shm_createtime)
52830 +{
52831 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
52832 + struct task_struct *p;
52833 + time_t starttime;
52834 +
52835 + if (unlikely(!grsec_enable_chroot_shmat))
52836 + return 1;
52837 +
52838 + if (likely(!proc_is_chrooted(current)))
52839 + return 1;
52840 +
52841 + rcu_read_lock();
52842 + read_lock(&tasklist_lock);
52843 +
52844 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
52845 + starttime = p->start_time.tv_sec;
52846 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
52847 + if (have_same_root(current, p)) {
52848 + goto allow;
52849 + } else {
52850 + read_unlock(&tasklist_lock);
52851 + rcu_read_unlock();
52852 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
52853 + return 0;
52854 + }
52855 + }
52856 + /* creator exited, pid reuse, fall through to next check */
52857 + }
52858 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
52859 + if (unlikely(!have_same_root(current, p))) {
52860 + read_unlock(&tasklist_lock);
52861 + rcu_read_unlock();
52862 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
52863 + return 0;
52864 + }
52865 + }
52866 +
52867 +allow:
52868 + read_unlock(&tasklist_lock);
52869 + rcu_read_unlock();
52870 +#endif
52871 + return 1;
52872 +}
52873 +
52874 +void
52875 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
52876 +{
52877 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
52878 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
52879 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
52880 +#endif
52881 + return;
52882 +}
52883 +
52884 +int
52885 +gr_handle_chroot_mknod(const struct dentry *dentry,
52886 + const struct vfsmount *mnt, const int mode)
52887 +{
52888 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
52889 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
52890 + proc_is_chrooted(current)) {
52891 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
52892 + return -EPERM;
52893 + }
52894 +#endif
52895 + return 0;
52896 +}
52897 +
52898 +int
52899 +gr_handle_chroot_mount(const struct dentry *dentry,
52900 + const struct vfsmount *mnt, const char *dev_name)
52901 +{
52902 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
52903 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
52904 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
52905 + return -EPERM;
52906 + }
52907 +#endif
52908 + return 0;
52909 +}
52910 +
52911 +int
52912 +gr_handle_chroot_pivot(void)
52913 +{
52914 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
52915 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
52916 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
52917 + return -EPERM;
52918 + }
52919 +#endif
52920 + return 0;
52921 +}
52922 +
52923 +int
52924 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
52925 +{
52926 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
52927 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
52928 + !gr_is_outside_chroot(dentry, mnt)) {
52929 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
52930 + return -EPERM;
52931 + }
52932 +#endif
52933 + return 0;
52934 +}
52935 +
52936 +int
52937 +gr_handle_chroot_caps(struct path *path)
52938 +{
52939 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52940 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
52941 + (init_task.fs->root.dentry != path->dentry) &&
52942 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
52943 +
52944 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
52945 + const struct cred *old = current_cred();
52946 + struct cred *new = prepare_creds();
52947 + if (new == NULL)
52948 + return 1;
52949 +
52950 + new->cap_permitted = cap_drop(old->cap_permitted,
52951 + chroot_caps);
52952 + new->cap_inheritable = cap_drop(old->cap_inheritable,
52953 + chroot_caps);
52954 + new->cap_effective = cap_drop(old->cap_effective,
52955 + chroot_caps);
52956 +
52957 + commit_creds(new);
52958 +
52959 + return 0;
52960 + }
52961 +#endif
52962 + return 0;
52963 +}
52964 +
52965 +int
52966 +gr_handle_chroot_sysctl(const int op)
52967 +{
52968 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
52969 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
52970 + && (op & MAY_WRITE))
52971 + return -EACCES;
52972 +#endif
52973 + return 0;
52974 +}
52975 +
52976 +void
52977 +gr_handle_chroot_chdir(struct path *path)
52978 +{
52979 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
52980 + if (grsec_enable_chroot_chdir)
52981 + set_fs_pwd(current->fs, path);
52982 +#endif
52983 + return;
52984 +}
52985 +
52986 +int
52987 +gr_handle_chroot_chmod(const struct dentry *dentry,
52988 + const struct vfsmount *mnt, const int mode)
52989 +{
52990 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
52991 + /* allow chmod +s on directories, but not on files */
52992 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
52993 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
52994 + proc_is_chrooted(current)) {
52995 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
52996 + return -EPERM;
52997 + }
52998 +#endif
52999 + return 0;
53000 +}
53001 +
53002 +#ifdef CONFIG_SECURITY
53003 +EXPORT_SYMBOL(gr_handle_chroot_caps);
53004 +#endif
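Review bot: gr_handle_chroot_caps removes GR_CHROOT_CAPS from the permitted, inheritable and effective sets but leaves the bounding set of the new credentials untouched. Unless chrooted tasks are also filtered at capability-check time elsewhere in the patch, the dropped bits could be recomputed on a later exec; also applying `new->cap_bset = cap_drop(old->cap_bset, chroot_caps);` before commit_creds() would make the drop stick. The function returns 1 only when prepare_creds() fails and 0 otherwise, which should be stated in a comment so callers treat 1 as an error. gr_is_outside_chroot likewise returns 0 when the walk ends at the real root, i.e. when the path is outside the chroot, so a comment on that inverted sense would help readers of the `!gr_is_outside_chroot(...)` call sites.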
53005 diff -urNp linux-2.6.32.43/grsecurity/grsec_disabled.c linux-2.6.32.43/grsecurity/grsec_disabled.c
53006 --- linux-2.6.32.43/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
53007 +++ linux-2.6.32.43/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400
53008 @@ -0,0 +1,447 @@
53009 +#include <linux/kernel.h>
53010 +#include <linux/module.h>
53011 +#include <linux/sched.h>
53012 +#include <linux/file.h>
53013 +#include <linux/fs.h>
53014 +#include <linux/kdev_t.h>
53015 +#include <linux/net.h>
53016 +#include <linux/in.h>
53017 +#include <linux/ip.h>
53018 +#include <linux/skbuff.h>
53019 +#include <linux/sysctl.h>
53020 +
53021 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
53022 +void
53023 +pax_set_initial_flags(struct linux_binprm *bprm)
53024 +{
53025 + return;
53026 +}
53027 +#endif
53028 +
53029 +#ifdef CONFIG_SYSCTL
53030 +__u32
53031 +gr_handle_sysctl(const struct ctl_table * table, const int op)
53032 +{
53033 + return 0;
53034 +}
53035 +#endif
53036 +
53037 +#ifdef CONFIG_TASKSTATS
53038 +int gr_is_taskstats_denied(int pid)
53039 +{
53040 + return 0;
53041 +}
53042 +#endif
53043 +
53044 +int
53045 +gr_acl_is_enabled(void)
53046 +{
53047 + return 0;
53048 +}
53049 +
53050 +int
53051 +gr_handle_rawio(const struct inode *inode)
53052 +{
53053 + return 0;
53054 +}
53055 +
53056 +void
53057 +gr_acl_handle_psacct(struct task_struct *task, const long code)
53058 +{
53059 + return;
53060 +}
53061 +
53062 +int
53063 +gr_handle_ptrace(struct task_struct *task, const long request)
53064 +{
53065 + return 0;
53066 +}
53067 +
53068 +int
53069 +gr_handle_proc_ptrace(struct task_struct *task)
53070 +{
53071 + return 0;
53072 +}
53073 +
53074 +void
53075 +gr_learn_resource(const struct task_struct *task,
53076 + const int res, const unsigned long wanted, const int gt)
53077 +{
53078 + return;
53079 +}
53080 +
53081 +int
53082 +gr_set_acls(const int type)
53083 +{
53084 + return 0;
53085 +}
53086 +
53087 +int
53088 +gr_check_hidden_task(const struct task_struct *tsk)
53089 +{
53090 + return 0;
53091 +}
53092 +
53093 +int
53094 +gr_check_protected_task(const struct task_struct *task)
53095 +{
53096 + return 0;
53097 +}
53098 +
53099 +int
53100 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
53101 +{
53102 + return 0;
53103 +}
53104 +
53105 +void
53106 +gr_copy_label(struct task_struct *tsk)
53107 +{
53108 + return;
53109 +}
53110 +
53111 +void
53112 +gr_set_pax_flags(struct task_struct *task)
53113 +{
53114 + return;
53115 +}
53116 +
53117 +int
53118 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
53119 + const int unsafe_share)
53120 +{
53121 + return 0;
53122 +}
53123 +
53124 +void
53125 +gr_handle_delete(const ino_t ino, const dev_t dev)
53126 +{
53127 + return;
53128 +}
53129 +
53130 +void
53131 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
53132 +{
53133 + return;
53134 +}
53135 +
53136 +void
53137 +gr_handle_crash(struct task_struct *task, const int sig)
53138 +{
53139 + return;
53140 +}
53141 +
53142 +int
53143 +gr_check_crash_exec(const struct file *filp)
53144 +{
53145 + return 0;
53146 +}
53147 +
53148 +int
53149 +gr_check_crash_uid(const uid_t uid)
53150 +{
53151 + return 0;
53152 +}
53153 +
53154 +void
53155 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
53156 + struct dentry *old_dentry,
53157 + struct dentry *new_dentry,
53158 + struct vfsmount *mnt, const __u8 replace)
53159 +{
53160 + return;
53161 +}
53162 +
53163 +int
53164 +gr_search_socket(const int family, const int type, const int protocol)
53165 +{
53166 + return 1;
53167 +}
53168 +
53169 +int
53170 +gr_search_connectbind(const int mode, const struct socket *sock,
53171 + const struct sockaddr_in *addr)
53172 +{
53173 + return 0;
53174 +}
53175 +
53176 +int
53177 +gr_is_capable(const int cap)
53178 +{
53179 + return 1;
53180 +}
53181 +
53182 +int
53183 +gr_is_capable_nolog(const int cap)
53184 +{
53185 + return 1;
53186 +}
53187 +
53188 +void
53189 +gr_handle_alertkill(struct task_struct *task)
53190 +{
53191 + return;
53192 +}
53193 +
53194 +__u32
53195 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
53196 +{
53197 + return 1;
53198 +}
53199 +
53200 +__u32
53201 +gr_acl_handle_hidden_file(const struct dentry * dentry,
53202 + const struct vfsmount * mnt)
53203 +{
53204 + return 1;
53205 +}
53206 +
53207 +__u32
53208 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
53209 + const int fmode)
53210 +{
53211 + return 1;
53212 +}
53213 +
53214 +__u32
53215 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
53216 +{
53217 + return 1;
53218 +}
53219 +
53220 +__u32
53221 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
53222 +{
53223 + return 1;
53224 +}
53225 +
53226 +int
53227 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
53228 + unsigned int *vm_flags)
53229 +{
53230 + return 1;
53231 +}
53232 +
53233 +__u32
53234 +gr_acl_handle_truncate(const struct dentry * dentry,
53235 + const struct vfsmount * mnt)
53236 +{
53237 + return 1;
53238 +}
53239 +
53240 +__u32
53241 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
53242 +{
53243 + return 1;
53244 +}
53245 +
53246 +__u32
53247 +gr_acl_handle_access(const struct dentry * dentry,
53248 + const struct vfsmount * mnt, const int fmode)
53249 +{
53250 + return 1;
53251 +}
53252 +
53253 +__u32
53254 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
53255 + mode_t mode)
53256 +{
53257 + return 1;
53258 +}
53259 +
53260 +__u32
53261 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
53262 + mode_t mode)
53263 +{
53264 + return 1;
53265 +}
53266 +
53267 +__u32
53268 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
53269 +{
53270 + return 1;
53271 +}
53272 +
53273 +__u32
53274 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
53275 +{
53276 + return 1;
53277 +}
53278 +
53279 +void
53280 +grsecurity_init(void)
53281 +{
53282 + return;
53283 +}
53284 +
53285 +__u32
53286 +gr_acl_handle_mknod(const struct dentry * new_dentry,
53287 + const struct dentry * parent_dentry,
53288 + const struct vfsmount * parent_mnt,
53289 + const int mode)
53290 +{
53291 + return 1;
53292 +}
53293 +
53294 +__u32
53295 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
53296 + const struct dentry * parent_dentry,
53297 + const struct vfsmount * parent_mnt)
53298 +{
53299 + return 1;
53300 +}
53301 +
53302 +__u32
53303 +gr_acl_handle_symlink(const struct dentry * new_dentry,
53304 + const struct dentry * parent_dentry,
53305 + const struct vfsmount * parent_mnt, const char *from)
53306 +{
53307 + return 1;
53308 +}
53309 +
53310 +__u32
53311 +gr_acl_handle_link(const struct dentry * new_dentry,
53312 + const struct dentry * parent_dentry,
53313 + const struct vfsmount * parent_mnt,
53314 + const struct dentry * old_dentry,
53315 + const struct vfsmount * old_mnt, const char *to)
53316 +{
53317 + return 1;
53318 +}
53319 +
53320 +int
53321 +gr_acl_handle_rename(const struct dentry *new_dentry,
53322 + const struct dentry *parent_dentry,
53323 + const struct vfsmount *parent_mnt,
53324 + const struct dentry *old_dentry,
53325 + const struct inode *old_parent_inode,
53326 + const struct vfsmount *old_mnt, const char *newname)
53327 +{
53328 + return 0;
53329 +}
53330 +
53331 +int
53332 +gr_acl_handle_filldir(const struct file *file, const char *name,
53333 + const int namelen, const ino_t ino)
53334 +{
53335 + return 1;
53336 +}
53337 +
53338 +int
53339 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
53340 + const time_t shm_createtime, const uid_t cuid, const int shmid)
53341 +{
53342 + return 1;
53343 +}
53344 +
53345 +int
53346 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
53347 +{
53348 + return 0;
53349 +}
53350 +
53351 +int
53352 +gr_search_accept(const struct socket *sock)
53353 +{
53354 + return 0;
53355 +}
53356 +
53357 +int
53358 +gr_search_listen(const struct socket *sock)
53359 +{
53360 + return 0;
53361 +}
53362 +
53363 +int
53364 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
53365 +{
53366 + return 0;
53367 +}
53368 +
53369 +__u32
53370 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
53371 +{
53372 + return 1;
53373 +}
53374 +
53375 +__u32
53376 +gr_acl_handle_creat(const struct dentry * dentry,
53377 + const struct dentry * p_dentry,
53378 + const struct vfsmount * p_mnt, const int fmode,
53379 + const int imode)
53380 +{
53381 + return 1;
53382 +}
53383 +
53384 +void
53385 +gr_acl_handle_exit(void)
53386 +{
53387 + return;
53388 +}
53389 +
53390 +int
53391 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
53392 +{
53393 + return 1;
53394 +}
53395 +
53396 +void
53397 +gr_set_role_label(const uid_t uid, const gid_t gid)
53398 +{
53399 + return;
53400 +}
53401 +
53402 +int
53403 +gr_acl_handle_procpidmem(const struct task_struct *task)
53404 +{
53405 + return 0;
53406 +}
53407 +
53408 +int
53409 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
53410 +{
53411 + return 0;
53412 +}
53413 +
53414 +int
53415 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
53416 +{
53417 + return 0;
53418 +}
53419 +
53420 +void
53421 +gr_set_kernel_label(struct task_struct *task)
53422 +{
53423 + return;
53424 +}
53425 +
53426 +int
53427 +gr_check_user_change(int real, int effective, int fs)
53428 +{
53429 + return 0;
53430 +}
53431 +
53432 +int
53433 +gr_check_group_change(int real, int effective, int fs)
53434 +{
53435 + return 0;
53436 +}
53437 +
53438 +int gr_acl_enable_at_secure(void)
53439 +{
53440 + return 0;
53441 +}
53442 +
53443 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
53444 +{
53445 + return dentry->d_inode->i_sb->s_dev;
53446 +}
53447 +
53448 +EXPORT_SYMBOL(gr_is_capable);
53449 +EXPORT_SYMBOL(gr_is_capable_nolog);
53450 +EXPORT_SYMBOL(gr_learn_resource);
53451 +EXPORT_SYMBOL(gr_set_kernel_label);
53452 +#ifdef CONFIG_SECURITY
53453 +EXPORT_SYMBOL(gr_check_user_change);
53454 +EXPORT_SYMBOL(gr_check_group_change);
53455 +#endif
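Review bot: Every stub in this file is presumably meant to be permissive, yet two opposite "allow" values are used and nothing says which hook follows which: `gr_search_socket`, `gr_is_capable`, `gr_acl_handle_mmap`, `gr_acl_handle_filldir` and the `__u32 gr_acl_handle_*` file hooks return 1, while `gr_search_connect`, `gr_search_bind`, `gr_acl_handle_rename`, `gr_handle_ptrace` and `gr_acl_handle_procpidmem` return 0. A stub copied with the wrong value either denies the operation outright or silently turns a check off, so I would add a header comment such as `/* no-op stubs: permission-style hooks return 1 (allow), errno-style hooks return 0 (no error) */` and group the functions by convention. Separately, `gr_get_dev_from_dentry` dereferences `dentry->d_inode` unchecked, which faults on a negative dentry; whether callers can pass one is not visible from this hunk.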
53456 diff -urNp linux-2.6.32.43/grsecurity/grsec_exec.c linux-2.6.32.43/grsecurity/grsec_exec.c
53457 --- linux-2.6.32.43/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
53458 +++ linux-2.6.32.43/grsecurity/grsec_exec.c 2011-04-17 15:56:46.000000000 -0400
53459 @@ -0,0 +1,148 @@
53460 +#include <linux/kernel.h>
53461 +#include <linux/sched.h>
53462 +#include <linux/file.h>
53463 +#include <linux/binfmts.h>
53464 +#include <linux/smp_lock.h>
53465 +#include <linux/fs.h>
53466 +#include <linux/types.h>
53467 +#include <linux/grdefs.h>
53468 +#include <linux/grinternal.h>
53469 +#include <linux/capability.h>
53470 +#include <linux/compat.h>
53471 +
53472 +#include <asm/uaccess.h>
53473 +
53474 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53475 +static char gr_exec_arg_buf[132];
53476 +static DEFINE_MUTEX(gr_exec_arg_mutex);
53477 +#endif
53478 +
53479 +int
53480 +gr_handle_nproc(void)
53481 +{
53482 +#ifdef CONFIG_GRKERNSEC_EXECVE
53483 + const struct cred *cred = current_cred();
53484 + if (grsec_enable_execve && cred->user &&
53485 + (atomic_read(&cred->user->processes) >
53486 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
53487 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
53488 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
53489 + return -EAGAIN;
53490 + }
53491 +#endif
53492 + return 0;
53493 +}
53494 +
53495 +void
53496 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
53497 +{
53498 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53499 + char *grarg = gr_exec_arg_buf;
53500 + unsigned int i, x, execlen = 0;
53501 + char c;
53502 +
53503 + if (!((grsec_enable_execlog && grsec_enable_group &&
53504 + in_group_p(grsec_audit_gid))
53505 + || (grsec_enable_execlog && !grsec_enable_group)))
53506 + return;
53507 +
53508 + mutex_lock(&gr_exec_arg_mutex);
53509 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
53510 +
53511 + if (unlikely(argv == NULL))
53512 + goto log;
53513 +
53514 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
53515 + const char __user *p;
53516 + unsigned int len;
53517 +
53518 + if (copy_from_user(&p, argv + i, sizeof(p)))
53519 + goto log;
53520 + if (!p)
53521 + goto log;
53522 + len = strnlen_user(p, 128 - execlen);
53523 + if (len > 128 - execlen)
53524 + len = 128 - execlen;
53525 + else if (len > 0)
53526 + len--;
53527 + if (copy_from_user(grarg + execlen, p, len))
53528 + goto log;
53529 +
53530 + /* rewrite unprintable characters */
53531 + for (x = 0; x < len; x++) {
53532 + c = *(grarg + execlen + x);
53533 + if (c < 32 || c > 126)
53534 + *(grarg + execlen + x) = ' ';
53535 + }
53536 +
53537 + execlen += len;
53538 + *(grarg + execlen) = ' ';
53539 + *(grarg + execlen + 1) = '\0';
53540 + execlen++;
53541 + }
53542 +
53543 + log:
53544 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
53545 + bprm->file->f_path.mnt, grarg);
53546 + mutex_unlock(&gr_exec_arg_mutex);
53547 +#endif
53548 + return;
53549 +}
53550 +
53551 +#ifdef CONFIG_COMPAT
53552 +void
53553 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
53554 +{
53555 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53556 + char *grarg = gr_exec_arg_buf;
53557 + unsigned int i, x, execlen = 0;
53558 + char c;
53559 +
53560 + if (!((grsec_enable_execlog && grsec_enable_group &&
53561 + in_group_p(grsec_audit_gid))
53562 + || (grsec_enable_execlog && !grsec_enable_group)))
53563 + return;
53564 +
53565 + mutex_lock(&gr_exec_arg_mutex);
53566 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
53567 +
53568 + if (unlikely(argv == NULL))
53569 + goto log;
53570 +
53571 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
53572 + compat_uptr_t p;
53573 + unsigned int len;
53574 +
53575 + if (get_user(p, argv + i))
53576 + goto log;
53577 + len = strnlen_user(compat_ptr(p), 128 - execlen);
53578 + if (len > 128 - execlen)
53579 + len = 128 - execlen;
53580 + else if (len > 0)
53581 + len--;
53582 + else
53583 + goto log;
53584 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
53585 + goto log;
53586 +
53587 + /* rewrite unprintable characters */
53588 + for (x = 0; x < len; x++) {
53589 + c = *(grarg + execlen + x);
53590 + if (c < 32 || c > 126)
53591 + *(grarg + execlen + x) = ' ';
53592 + }
53593 +
53594 + execlen += len;
53595 + *(grarg + execlen) = ' ';
53596 + *(grarg + execlen + 1) = '\0';
53597 + execlen++;
53598 + }
53599 +
53600 + log:
53601 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
53602 + bprm->file->f_path.mnt, grarg);
53603 + mutex_unlock(&gr_exec_arg_mutex);
53604 +#endif
53605 + return;
53606 +}
53607 +#endif
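Review bot: In `gr_handle_exec_args` a `strnlen_user()` result of 0 (the fault case) matches neither `if (len > 128 - execlen)` nor `else if (len > 0)`, so the loop carries on and logs a blank for that argument, whereas `gr_handle_exec_args_compat` ends the same chain with `else goto log;`. The native variant should do the same by adding `else` / `goto log;` after `len--;`. Both functions also read the argument strings straight from user memory at logging time; if the exec path copies argv separately (not visible in this hunk), a thread sharing the address space could change them in between and the audit record would not match what was executed, so a comment stating that limitation, or logging from the kernel's own copy, is worth adding. The two bodies are otherwise near-identical and could share one helper that takes the already-fetched user pointer.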
53608 diff -urNp linux-2.6.32.43/grsecurity/grsec_fifo.c linux-2.6.32.43/grsecurity/grsec_fifo.c
53609 --- linux-2.6.32.43/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
53610 +++ linux-2.6.32.43/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
53611 @@ -0,0 +1,24 @@
53612 +#include <linux/kernel.h>
53613 +#include <linux/sched.h>
53614 +#include <linux/fs.h>
53615 +#include <linux/file.h>
53616 +#include <linux/grinternal.h>
53617 +
53618 +int
53619 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
53620 + const struct dentry *dir, const int flag, const int acc_mode)
53621 +{
53622 +#ifdef CONFIG_GRKERNSEC_FIFO
53623 + const struct cred *cred = current_cred();
53624 +
53625 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
53626 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
53627 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
53628 + (cred->fsuid != dentry->d_inode->i_uid)) {
53629 + if (!inode_permission(dentry->d_inode, acc_mode))
53630 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
53631 + return -EACCES;
53632 + }
53633 +#endif
53634 + return 0;
53635 +}
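Review bot: The `return -EACCES;` that follows the unbraced `if (!inode_permission(dentry->d_inode, acc_mode))` in `gr_handle_fifo` runs for every request that matched the outer condition, while only the log call is conditional; that reads like a missing-brace bug even though denying unconditionally appears to be the intent. Brace the inner `if` and add a comment such as `/* log only when DAC would have allowed the open; deny either way */`. The function also has no header comment stating the rule it enforces (a FIFO in a sticky directory, owned by neither the directory owner nor the caller's fsuid, opened without O_EXCL), which a reader currently has to reconstruct from the condition.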
53636 diff -urNp linux-2.6.32.43/grsecurity/grsec_fork.c linux-2.6.32.43/grsecurity/grsec_fork.c
53637 --- linux-2.6.32.43/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
53638 +++ linux-2.6.32.43/grsecurity/grsec_fork.c 2011-04-17 15:56:46.000000000 -0400
53639 @@ -0,0 +1,23 @@
53640 +#include <linux/kernel.h>
53641 +#include <linux/sched.h>
53642 +#include <linux/grsecurity.h>
53643 +#include <linux/grinternal.h>
53644 +#include <linux/errno.h>
53645 +
53646 +void
53647 +gr_log_forkfail(const int retval)
53648 +{
53649 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
53650 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
53651 + switch (retval) {
53652 + case -EAGAIN:
53653 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
53654 + break;
53655 + case -ENOMEM:
53656 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
53657 + break;
53658 + }
53659 + }
53660 +#endif
53661 + return;
53662 +}
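Review bot: The outer test `retval == -EAGAIN || retval == -ENOMEM` in `gr_log_forkfail` repeats exactly what the `switch` below it selects, and the `switch` has no `default`. Reducing the guard to `if (grsec_enable_forkfail) {` and adding `default: break;` keeps the behaviour and leaves one place to edit when another errno is to be logged. A one-line comment that only these two resource-exhaustion failures are logged would also help, since the function name suggests every failed fork is recorded.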
53663 diff -urNp linux-2.6.32.43/grsecurity/grsec_init.c linux-2.6.32.43/grsecurity/grsec_init.c
53664 --- linux-2.6.32.43/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
53665 +++ linux-2.6.32.43/grsecurity/grsec_init.c 2011-06-29 19:35:26.000000000 -0400
53666 @@ -0,0 +1,274 @@
53667 +#include <linux/kernel.h>
53668 +#include <linux/sched.h>
53669 +#include <linux/mm.h>
53670 +#include <linux/smp_lock.h>
53671 +#include <linux/gracl.h>
53672 +#include <linux/slab.h>
53673 +#include <linux/vmalloc.h>
53674 +#include <linux/percpu.h>
53675 +#include <linux/module.h>
53676 +
53677 +int grsec_enable_brute;
53678 +int grsec_enable_link;
53679 +int grsec_enable_dmesg;
53680 +int grsec_enable_harden_ptrace;
53681 +int grsec_enable_fifo;
53682 +int grsec_enable_execve;
53683 +int grsec_enable_execlog;
53684 +int grsec_enable_signal;
53685 +int grsec_enable_forkfail;
53686 +int grsec_enable_audit_ptrace;
53687 +int grsec_enable_time;
53688 +int grsec_enable_audit_textrel;
53689 +int grsec_enable_group;
53690 +int grsec_audit_gid;
53691 +int grsec_enable_chdir;
53692 +int grsec_enable_mount;
53693 +int grsec_enable_rofs;
53694 +int grsec_enable_chroot_findtask;
53695 +int grsec_enable_chroot_mount;
53696 +int grsec_enable_chroot_shmat;
53697 +int grsec_enable_chroot_fchdir;
53698 +int grsec_enable_chroot_double;
53699 +int grsec_enable_chroot_pivot;
53700 +int grsec_enable_chroot_chdir;
53701 +int grsec_enable_chroot_chmod;
53702 +int grsec_enable_chroot_mknod;
53703 +int grsec_enable_chroot_nice;
53704 +int grsec_enable_chroot_execlog;
53705 +int grsec_enable_chroot_caps;
53706 +int grsec_enable_chroot_sysctl;
53707 +int grsec_enable_chroot_unix;
53708 +int grsec_enable_tpe;
53709 +int grsec_tpe_gid;
53710 +int grsec_enable_blackhole;
53711 +#ifdef CONFIG_IPV6_MODULE
53712 +EXPORT_SYMBOL(grsec_enable_blackhole);
53713 +#endif
53714 +int grsec_lastack_retries;
53715 +int grsec_enable_tpe_all;
53716 +int grsec_enable_tpe_invert;
53717 +int grsec_enable_socket_all;
53718 +int grsec_socket_all_gid;
53719 +int grsec_enable_socket_client;
53720 +int grsec_socket_client_gid;
53721 +int grsec_enable_socket_server;
53722 +int grsec_socket_server_gid;
53723 +int grsec_resource_logging;
53724 +int grsec_disable_privio;
53725 +int grsec_enable_log_rwxmaps;
53726 +int grsec_lock;
53727 +
53728 +DEFINE_SPINLOCK(grsec_alert_lock);
53729 +unsigned long grsec_alert_wtime = 0;
53730 +unsigned long grsec_alert_fyet = 0;
53731 +
53732 +DEFINE_SPINLOCK(grsec_audit_lock);
53733 +
53734 +DEFINE_RWLOCK(grsec_exec_file_lock);
53735 +
53736 +char *gr_shared_page[4];
53737 +
53738 +char *gr_alert_log_fmt;
53739 +char *gr_audit_log_fmt;
53740 +char *gr_alert_log_buf;
53741 +char *gr_audit_log_buf;
53742 +
53743 +extern struct gr_arg *gr_usermode;
53744 +extern unsigned char *gr_system_salt;
53745 +extern unsigned char *gr_system_sum;
53746 +
53747 +void __init
53748 +grsecurity_init(void)
53749 +{
53750 + int j;
53751 + /* create the per-cpu shared pages */
53752 +
53753 +#ifdef CONFIG_X86
53754 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
53755 +#endif
53756 +
53757 + for (j = 0; j < 4; j++) {
53758 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
53759 + if (gr_shared_page[j] == NULL) {
53760 + panic("Unable to allocate grsecurity shared page");
53761 + return;
53762 + }
53763 + }
53764 +
53765 + /* allocate log buffers */
53766 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
53767 + if (!gr_alert_log_fmt) {
53768 + panic("Unable to allocate grsecurity alert log format buffer");
53769 + return;
53770 + }
53771 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
53772 + if (!gr_audit_log_fmt) {
53773 + panic("Unable to allocate grsecurity audit log format buffer");
53774 + return;
53775 + }
53776 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
53777 + if (!gr_alert_log_buf) {
53778 + panic("Unable to allocate grsecurity alert log buffer");
53779 + return;
53780 + }
53781 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
53782 + if (!gr_audit_log_buf) {
53783 + panic("Unable to allocate grsecurity audit log buffer");
53784 + return;
53785 + }
53786 +
53787 + /* allocate memory for authentication structure */
53788 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
53789 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
53790 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
53791 +
53792 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
53793 + panic("Unable to allocate grsecurity authentication structure");
53794 + return;
53795 + }
53796 +
53797 +
53798 +#ifdef CONFIG_GRKERNSEC_IO
53799 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
53800 + grsec_disable_privio = 1;
53801 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
53802 + grsec_disable_privio = 1;
53803 +#else
53804 + grsec_disable_privio = 0;
53805 +#endif
53806 +#endif
53807 +
53808 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
53809 + /* for backward compatibility, tpe_invert always defaults to on if
53810 + enabled in the kernel
53811 + */
53812 + grsec_enable_tpe_invert = 1;
53813 +#endif
53814 +
53815 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
53816 +#ifndef CONFIG_GRKERNSEC_SYSCTL
53817 + grsec_lock = 1;
53818 +#endif
53819 +
53820 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
53821 + grsec_enable_audit_textrel = 1;
53822 +#endif
53823 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
53824 + grsec_enable_log_rwxmaps = 1;
53825 +#endif
53826 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
53827 + grsec_enable_group = 1;
53828 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
53829 +#endif
53830 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
53831 + grsec_enable_chdir = 1;
53832 +#endif
53833 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
53834 + grsec_enable_harden_ptrace = 1;
53835 +#endif
53836 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
53837 + grsec_enable_mount = 1;
53838 +#endif
53839 +#ifdef CONFIG_GRKERNSEC_LINK
53840 + grsec_enable_link = 1;
53841 +#endif
53842 +#ifdef CONFIG_GRKERNSEC_BRUTE
53843 + grsec_enable_brute = 1;
53844 +#endif
53845 +#ifdef CONFIG_GRKERNSEC_DMESG
53846 + grsec_enable_dmesg = 1;
53847 +#endif
53848 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
53849 + grsec_enable_blackhole = 1;
53850 + grsec_lastack_retries = 4;
53851 +#endif
53852 +#ifdef CONFIG_GRKERNSEC_FIFO
53853 + grsec_enable_fifo = 1;
53854 +#endif
53855 +#ifdef CONFIG_GRKERNSEC_EXECVE
53856 + grsec_enable_execve = 1;
53857 +#endif
53858 +#ifdef CONFIG_GRKERNSEC_EXECLOG
53859 + grsec_enable_execlog = 1;
53860 +#endif
53861 +#ifdef CONFIG_GRKERNSEC_SIGNAL
53862 + grsec_enable_signal = 1;
53863 +#endif
53864 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
53865 + grsec_enable_forkfail = 1;
53866 +#endif
53867 +#ifdef CONFIG_GRKERNSEC_TIME
53868 + grsec_enable_time = 1;
53869 +#endif
53870 +#ifdef CONFIG_GRKERNSEC_RESLOG
53871 + grsec_resource_logging = 1;
53872 +#endif
53873 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
53874 + grsec_enable_chroot_findtask = 1;
53875 +#endif
53876 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
53877 + grsec_enable_chroot_unix = 1;
53878 +#endif
53879 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
53880 + grsec_enable_chroot_mount = 1;
53881 +#endif
53882 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
53883 + grsec_enable_chroot_fchdir = 1;
53884 +#endif
53885 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
53886 + grsec_enable_chroot_shmat = 1;
53887 +#endif
53888 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
53889 + grsec_enable_audit_ptrace = 1;
53890 +#endif
53891 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
53892 + grsec_enable_chroot_double = 1;
53893 +#endif
53894 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
53895 + grsec_enable_chroot_pivot = 1;
53896 +#endif
53897 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
53898 + grsec_enable_chroot_chdir = 1;
53899 +#endif
53900 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
53901 + grsec_enable_chroot_chmod = 1;
53902 +#endif
53903 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
53904 + grsec_enable_chroot_mknod = 1;
53905 +#endif
53906 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
53907 + grsec_enable_chroot_nice = 1;
53908 +#endif
53909 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
53910 + grsec_enable_chroot_execlog = 1;
53911 +#endif
53912 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
53913 + grsec_enable_chroot_caps = 1;
53914 +#endif
53915 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
53916 + grsec_enable_chroot_sysctl = 1;
53917 +#endif
53918 +#ifdef CONFIG_GRKERNSEC_TPE
53919 + grsec_enable_tpe = 1;
53920 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
53921 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
53922 + grsec_enable_tpe_all = 1;
53923 +#endif
53924 +#endif
53925 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
53926 + grsec_enable_socket_all = 1;
53927 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
53928 +#endif
53929 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
53930 + grsec_enable_socket_client = 1;
53931 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
53932 +#endif
53933 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
53934 + grsec_enable_socket_server = 1;
53935 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
53936 +#endif
53937 +#endif
53938 +
53939 + return;
53940 +}
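Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at the top of `grsecurity_init` has no explanation, and the comment directly above it (`/* create the per-cpu shared pages */`) describes the loop that follows instead. The address and length look like the BIOS data area keyboard buffer (head and tail pointers plus 32 bytes), presumably wiped so that keystrokes typed before boot, such as a boot-loader password, do not stay readable in low memory; if that is the intent, say so with `/* clear the BIOS keyboard buffer so pre-boot keystrokes do not linger in memory */` and move the shared-page comment down to the `for` loop. The `return;` after each `panic()` is unreachable and can go. `gr_usermode`, `gr_system_salt` and `gr_system_sum` come from `kmalloc()` and are not cleared here; unless every user initialises them first (not visible in this hunk), `kzalloc()` would be the safer choice for the authentication state.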
53941 diff -urNp linux-2.6.32.43/grsecurity/grsec_link.c linux-2.6.32.43/grsecurity/grsec_link.c
53942 --- linux-2.6.32.43/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
53943 +++ linux-2.6.32.43/grsecurity/grsec_link.c 2011-04-17 15:56:46.000000000 -0400
53944 @@ -0,0 +1,43 @@
53945 +#include <linux/kernel.h>
53946 +#include <linux/sched.h>
53947 +#include <linux/fs.h>
53948 +#include <linux/file.h>
53949 +#include <linux/grinternal.h>
53950 +
53951 +int
53952 +gr_handle_follow_link(const struct inode *parent,
53953 + const struct inode *inode,
53954 + const struct dentry *dentry, const struct vfsmount *mnt)
53955 +{
53956 +#ifdef CONFIG_GRKERNSEC_LINK
53957 + const struct cred *cred = current_cred();
53958 +
53959 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
53960 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
53961 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
53962 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
53963 + return -EACCES;
53964 + }
53965 +#endif
53966 + return 0;
53967 +}
53968 +
53969 +int
53970 +gr_handle_hardlink(const struct dentry *dentry,
53971 + const struct vfsmount *mnt,
53972 + struct inode *inode, const int mode, const char *to)
53973 +{
53974 +#ifdef CONFIG_GRKERNSEC_LINK
53975 + const struct cred *cred = current_cred();
53976 +
53977 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
53978 + (!S_ISREG(mode) || (mode & S_ISUID) ||
53979 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
53980 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
53981 + !capable(CAP_FOWNER) && cred->uid) {
53982 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
53983 + return -EPERM;
53984 + }
53985 +#endif
53986 + return 0;
53987 +}
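Review bot: The deny condition in `gr_handle_hardlink` ends with `!capable(CAP_FOWNER) && cred->uid`, so any task with real uid 0 is exempt even after it has dropped CAP_FOWNER, and the test uses `uid` where the ownership comparison just before it uses `fsuid`. If the uid-0 exemption is intended it deserves a comment; otherwise the capability check alone should decide, i.e. the condition should end with `!capable(CAP_FOWNER)) {`. Neither function in this file has a header comment stating the rule it enforces (symlinks in sticky world-writable directories for `gr_handle_follow_link`, hardlinks to files the caller does not own for `gr_handle_hardlink`), so readers have to reconstruct the policy from the conditions.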
53988 diff -urNp linux-2.6.32.43/grsecurity/grsec_log.c linux-2.6.32.43/grsecurity/grsec_log.c
53989 --- linux-2.6.32.43/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
53990 +++ linux-2.6.32.43/grsecurity/grsec_log.c 2011-05-10 21:58:49.000000000 -0400
53991 @@ -0,0 +1,310 @@
53992 +#include <linux/kernel.h>
53993 +#include <linux/sched.h>
53994 +#include <linux/file.h>
53995 +#include <linux/tty.h>
53996 +#include <linux/fs.h>
53997 +#include <linux/grinternal.h>
53998 +
53999 +#ifdef CONFIG_TREE_PREEMPT_RCU
54000 +#define DISABLE_PREEMPT() preempt_disable()
54001 +#define ENABLE_PREEMPT() preempt_enable()
54002 +#else
54003 +#define DISABLE_PREEMPT()
54004 +#define ENABLE_PREEMPT()
54005 +#endif
54006 +
54007 +#define BEGIN_LOCKS(x) \
54008 + DISABLE_PREEMPT(); \
54009 + rcu_read_lock(); \
54010 + read_lock(&tasklist_lock); \
54011 + read_lock(&grsec_exec_file_lock); \
54012 + if (x != GR_DO_AUDIT) \
54013 + spin_lock(&grsec_alert_lock); \
54014 + else \
54015 + spin_lock(&grsec_audit_lock)
54016 +
54017 +#define END_LOCKS(x) \
54018 + if (x != GR_DO_AUDIT) \
54019 + spin_unlock(&grsec_alert_lock); \
54020 + else \
54021 + spin_unlock(&grsec_audit_lock); \
54022 + read_unlock(&grsec_exec_file_lock); \
54023 + read_unlock(&tasklist_lock); \
54024 + rcu_read_unlock(); \
54025 + ENABLE_PREEMPT(); \
54026 + if (x == GR_DONT_AUDIT) \
54027 + gr_handle_alertkill(current)
54028 +
54029 +enum {
54030 + FLOODING,
54031 + NO_FLOODING
54032 +};
54033 +
54034 +extern char *gr_alert_log_fmt;
54035 +extern char *gr_audit_log_fmt;
54036 +extern char *gr_alert_log_buf;
54037 +extern char *gr_audit_log_buf;
54038 +
54039 +static int gr_log_start(int audit)
54040 +{
54041 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
54042 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
54043 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54044 +
54045 + if (audit == GR_DO_AUDIT)
54046 + goto set_fmt;
54047 +
54048 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
54049 + grsec_alert_wtime = jiffies;
54050 + grsec_alert_fyet = 0;
54051 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
54052 + grsec_alert_fyet++;
54053 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
54054 + grsec_alert_wtime = jiffies;
54055 + grsec_alert_fyet++;
54056 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
54057 + return FLOODING;
54058 + } else return FLOODING;
54059 +
54060 +set_fmt:
54061 + memset(buf, 0, PAGE_SIZE);
54062 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
54063 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
54064 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54065 + } else if (current->signal->curr_ip) {
54066 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
54067 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
54068 + } else if (gr_acl_is_enabled()) {
54069 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
54070 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
54071 + } else {
54072 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
54073 + strcpy(buf, fmt);
54074 + }
54075 +
54076 + return NO_FLOODING;
54077 +}
54078 +
54079 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54080 + __attribute__ ((format (printf, 2, 0)));
54081 +
54082 +static void gr_log_middle(int audit, const char *msg, va_list ap)
54083 +{
54084 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54085 + unsigned int len = strlen(buf);
54086 +
54087 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54088 +
54089 + return;
54090 +}
54091 +
54092 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54093 + __attribute__ ((format (printf, 2, 3)));
54094 +
54095 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
54096 +{
54097 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54098 + unsigned int len = strlen(buf);
54099 + va_list ap;
54100 +
54101 + va_start(ap, msg);
54102 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
54103 + va_end(ap);
54104 +
54105 + return;
54106 +}
54107 +
54108 +static void gr_log_end(int audit)
54109 +{
54110 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
54111 + unsigned int len = strlen(buf);
54112 +
54113 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
54114 + printk("%s\n", buf);
54115 +
54116 + return;
54117 +}
54118 +
54119 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
54120 +{
54121 + int logtype;
54122 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
54123 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
54124 + void *voidptr = NULL;
54125 + int num1 = 0, num2 = 0;
54126 + unsigned long ulong1 = 0, ulong2 = 0;
54127 + struct dentry *dentry = NULL;
54128 + struct vfsmount *mnt = NULL;
54129 + struct file *file = NULL;
54130 + struct task_struct *task = NULL;
54131 + const struct cred *cred, *pcred;
54132 + va_list ap;
54133 +
54134 + BEGIN_LOCKS(audit);
54135 + logtype = gr_log_start(audit);
54136 + if (logtype == FLOODING) {
54137 + END_LOCKS(audit);
54138 + return;
54139 + }
54140 + va_start(ap, argtypes);
54141 + switch (argtypes) {
54142 + case GR_TTYSNIFF:
54143 + task = va_arg(ap, struct task_struct *);
54144 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
54145 + break;
54146 + case GR_SYSCTL_HIDDEN:
54147 + str1 = va_arg(ap, char *);
54148 + gr_log_middle_varargs(audit, msg, result, str1);
54149 + break;
54150 + case GR_RBAC:
54151 + dentry = va_arg(ap, struct dentry *);
54152 + mnt = va_arg(ap, struct vfsmount *);
54153 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
54154 + break;
54155 + case GR_RBAC_STR:
54156 + dentry = va_arg(ap, struct dentry *);
54157 + mnt = va_arg(ap, struct vfsmount *);
54158 + str1 = va_arg(ap, char *);
54159 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
54160 + break;
54161 + case GR_STR_RBAC:
54162 + str1 = va_arg(ap, char *);
54163 + dentry = va_arg(ap, struct dentry *);
54164 + mnt = va_arg(ap, struct vfsmount *);
54165 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
54166 + break;
54167 + case GR_RBAC_MODE2:
54168 + dentry = va_arg(ap, struct dentry *);
54169 + mnt = va_arg(ap, struct vfsmount *);
54170 + str1 = va_arg(ap, char *);
54171 + str2 = va_arg(ap, char *);
54172 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
54173 + break;
54174 + case GR_RBAC_MODE3:
54175 + dentry = va_arg(ap, struct dentry *);
54176 + mnt = va_arg(ap, struct vfsmount *);
54177 + str1 = va_arg(ap, char *);
54178 + str2 = va_arg(ap, char *);
54179 + str3 = va_arg(ap, char *);
54180 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
54181 + break;
54182 + case GR_FILENAME:
54183 + dentry = va_arg(ap, struct dentry *);
54184 + mnt = va_arg(ap, struct vfsmount *);
54185 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
54186 + break;
54187 + case GR_STR_FILENAME:
54188 + str1 = va_arg(ap, char *);
54189 + dentry = va_arg(ap, struct dentry *);
54190 + mnt = va_arg(ap, struct vfsmount *);
54191 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
54192 + break;
54193 + case GR_FILENAME_STR:
54194 + dentry = va_arg(ap, struct dentry *);
54195 + mnt = va_arg(ap, struct vfsmount *);
54196 + str1 = va_arg(ap, char *);
54197 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
54198 + break;
54199 + case GR_FILENAME_TWO_INT:
54200 + dentry = va_arg(ap, struct dentry *);
54201 + mnt = va_arg(ap, struct vfsmount *);
54202 + num1 = va_arg(ap, int);
54203 + num2 = va_arg(ap, int);
54204 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
54205 + break;
54206 + case GR_FILENAME_TWO_INT_STR:
54207 + dentry = va_arg(ap, struct dentry *);
54208 + mnt = va_arg(ap, struct vfsmount *);
54209 + num1 = va_arg(ap, int);
54210 + num2 = va_arg(ap, int);
54211 + str1 = va_arg(ap, char *);
54212 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
54213 + break;
54214 + case GR_TEXTREL:
54215 + file = va_arg(ap, struct file *);
54216 + ulong1 = va_arg(ap, unsigned long);
54217 + ulong2 = va_arg(ap, unsigned long);
54218 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
54219 + break;
54220 + case GR_PTRACE:
54221 + task = va_arg(ap, struct task_struct *);
54222 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
54223 + break;
54224 + case GR_RESOURCE:
54225 + task = va_arg(ap, struct task_struct *);
54226 + cred = __task_cred(task);
54227 + pcred = __task_cred(task->real_parent);
54228 + ulong1 = va_arg(ap, unsigned long);
54229 + str1 = va_arg(ap, char *);
54230 + ulong2 = va_arg(ap, unsigned long);
54231 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54232 + break;
54233 + case GR_CAP:
54234 + task = va_arg(ap, struct task_struct *);
54235 + cred = __task_cred(task);
54236 + pcred = __task_cred(task->real_parent);
54237 + str1 = va_arg(ap, char *);
54238 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54239 + break;
54240 + case GR_SIG:
54241 + str1 = va_arg(ap, char *);
54242 + voidptr = va_arg(ap, void *);
54243 + gr_log_middle_varargs(audit, msg, str1, voidptr);
54244 + break;
54245 + case GR_SIG2:
54246 + task = va_arg(ap, struct task_struct *);
54247 + cred = __task_cred(task);
54248 + pcred = __task_cred(task->real_parent);
54249 + num1 = va_arg(ap, int);
54250 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54251 + break;
54252 + case GR_CRASH1:
54253 + task = va_arg(ap, struct task_struct *);
54254 + cred = __task_cred(task);
54255 + pcred = __task_cred(task->real_parent);
54256 + ulong1 = va_arg(ap, unsigned long);
54257 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
54258 + break;
54259 + case GR_CRASH2:
54260 + task = va_arg(ap, struct task_struct *);
54261 + cred = __task_cred(task);
54262 + pcred = __task_cred(task->real_parent);
54263 + ulong1 = va_arg(ap, unsigned long);
54264 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
54265 + break;
54266 + case GR_RWXMAP:
54267 + file = va_arg(ap, struct file *);
54268 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
54269 + break;
54270 + case GR_PSACCT:
54271 + {
54272 + unsigned int wday, cday;
54273 + __u8 whr, chr;
54274 + __u8 wmin, cmin;
54275 + __u8 wsec, csec;
54276 + char cur_tty[64] = { 0 };
54277 + char parent_tty[64] = { 0 };
54278 +
54279 + task = va_arg(ap, struct task_struct *);
54280 + wday = va_arg(ap, unsigned int);
54281 + cday = va_arg(ap, unsigned int);
54282 + whr = va_arg(ap, int);
54283 + chr = va_arg(ap, int);
54284 + wmin = va_arg(ap, int);
54285 + cmin = va_arg(ap, int);
54286 + wsec = va_arg(ap, int);
54287 + csec = va_arg(ap, int);
54288 + ulong1 = va_arg(ap, unsigned long);
54289 + cred = __task_cred(task);
54290 + pcred = __task_cred(task->real_parent);
54291 +
54292 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
54293 + }
54294 + break;
54295 + default:
54296 + gr_log_middle(audit, msg, ap);
54297 + }
54298 + va_end(ap);
54299 + gr_log_end(audit);
54300 + END_LOCKS(audit);
54301 +}
54302 diff -urNp linux-2.6.32.43/grsecurity/grsec_mem.c linux-2.6.32.43/grsecurity/grsec_mem.c
54303 --- linux-2.6.32.43/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
54304 +++ linux-2.6.32.43/grsecurity/grsec_mem.c 2011-04-17 15:56:46.000000000 -0400
54305 @@ -0,0 +1,33 @@
54306 +#include <linux/kernel.h>
54307 +#include <linux/sched.h>
54308 +#include <linux/mm.h>
54309 +#include <linux/mman.h>
54310 +#include <linux/grinternal.h>
54311 +
54312 +void
54313 +gr_handle_ioperm(void)
54314 +{
54315 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
54316 + return;
54317 +}
54318 +
54319 +void
54320 +gr_handle_iopl(void)
54321 +{
54322 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
54323 + return;
54324 +}
54325 +
54326 +void
54327 +gr_handle_mem_readwrite(u64 from, u64 to)
54328 +{
54329 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
54330 + return;
54331 +}
54332 +
54333 +void
54334 +gr_handle_vm86(void)
54335 +{
54336 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
54337 + return;
54338 +}
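Review bot: `gr_handle_mem_readwrite(u64 from, u64 to)` does not say what the two values bound or whether `to` is inclusive, and they are passed straight into the log call, so whoever reads the resulting message has to find the caller to interpret them. A one-line comment above the function would settle it, for example `/* log an access covering from..to as given by the caller; TODO state the address space and whether to is inclusive */`. The trailing `return;` at the end of each `void` function in this file is redundant and can be dropped.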
54339 diff -urNp linux-2.6.32.43/grsecurity/grsec_mount.c linux-2.6.32.43/grsecurity/grsec_mount.c
54340 --- linux-2.6.32.43/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
54341 +++ linux-2.6.32.43/grsecurity/grsec_mount.c 2011-06-20 19:47:03.000000000 -0400
54342 @@ -0,0 +1,62 @@
54343 +#include <linux/kernel.h>
54344 +#include <linux/sched.h>
54345 +#include <linux/mount.h>
54346 +#include <linux/grsecurity.h>
54347 +#include <linux/grinternal.h>
54348 +
54349 +void
54350 +gr_log_remount(const char *devname, const int retval)
54351 +{
54352 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54353 + if (grsec_enable_mount && (retval >= 0))
54354 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
54355 +#endif
54356 + return;
54357 +}
54358 +
54359 +void
54360 +gr_log_unmount(const char *devname, const int retval)
54361 +{
54362 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54363 + if (grsec_enable_mount && (retval >= 0))
54364 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
54365 +#endif
54366 + return;
54367 +}
54368 +
54369 +void
54370 +gr_log_mount(const char *from, const char *to, const int retval)
54371 +{
54372 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
54373 + if (grsec_enable_mount && (retval >= 0))
54374 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
54375 +#endif
54376 + return;
54377 +}
54378 +
54379 +int
54380 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
54381 +{
54382 +#ifdef CONFIG_GRKERNSEC_ROFS
54383 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
54384 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
54385 + return -EPERM;
54386 + } else
54387 + return 0;
54388 +#endif
54389 + return 0;
54390 +}
54391 +
54392 +int
54393 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
54394 +{
54395 +#ifdef CONFIG_GRKERNSEC_ROFS
54396 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
54397 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
54398 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
54399 + return -EPERM;
54400 + } else
54401 + return 0;
54402 +#endif
54403 + return 0;
54404 +}
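Review bot: `gr_handle_rofs_mount` and `gr_handle_rofs_blockwrite` both return `-EPERM` but log the refusal with `GR_DO_AUDIT`, while other refusing handlers in this patch (for example `gr_handle_sock_server` and `gr_handle_sysctl_mod`) log with `GR_DONT_AUDIT`. In `gr_log_varargs` the audit flag selects `gr_audit_log_buf` rather than `gr_alert_log_buf`, so these denials presumably land on the audit channel, where alerting keyed on denial messages may not see them; the log level itself is set in `gr_log_start`, which is outside this hunk. If that is not intended, the calls would read `gr_log_fs_generic(GR_DONT_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);` and likewise for `GR_ROFS_BLOCKWRITE_MSG`. Separately, the `else return 0;` before each `#endif` duplicates the unconditional `return 0;` that follows and can be dropped.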
54405 diff -urNp linux-2.6.32.43/grsecurity/grsec_pax.c linux-2.6.32.43/grsecurity/grsec_pax.c
54406 --- linux-2.6.32.43/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
54407 +++ linux-2.6.32.43/grsecurity/grsec_pax.c 2011-04-17 15:56:46.000000000 -0400
54408 @@ -0,0 +1,36 @@
54409 +#include <linux/kernel.h>
54410 +#include <linux/sched.h>
54411 +#include <linux/mm.h>
54412 +#include <linux/file.h>
54413 +#include <linux/grinternal.h>
54414 +#include <linux/grsecurity.h>
54415 +
54416 +void
54417 +gr_log_textrel(struct vm_area_struct * vma)
54418 +{
54419 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
54420 + if (grsec_enable_audit_textrel)
54421 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
54422 +#endif
54423 + return;
54424 +}
54425 +
54426 +void
54427 +gr_log_rwxmmap(struct file *file)
54428 +{
54429 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54430 + if (grsec_enable_log_rwxmaps)
54431 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
54432 +#endif
54433 + return;
54434 +}
54435 +
54436 +void
54437 +gr_log_rwxmprotect(struct file *file)
54438 +{
54439 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
54440 + if (grsec_enable_log_rwxmaps)
54441 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
54442 +#endif
54443 + return;
54444 +}
54445 diff -urNp linux-2.6.32.43/grsecurity/grsec_ptrace.c linux-2.6.32.43/grsecurity/grsec_ptrace.c
54446 --- linux-2.6.32.43/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
54447 +++ linux-2.6.32.43/grsecurity/grsec_ptrace.c 2011-04-17 15:56:46.000000000 -0400
54448 @@ -0,0 +1,14 @@
54449 +#include <linux/kernel.h>
54450 +#include <linux/sched.h>
54451 +#include <linux/grinternal.h>
54452 +#include <linux/grsecurity.h>
54453 +
54454 +void
54455 +gr_audit_ptrace(struct task_struct *task)
54456 +{
54457 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
54458 + if (grsec_enable_audit_ptrace)
54459 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
54460 +#endif
54461 + return;
54462 +}
54463 diff -urNp linux-2.6.32.43/grsecurity/grsec_sig.c linux-2.6.32.43/grsecurity/grsec_sig.c
54464 --- linux-2.6.32.43/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
54465 +++ linux-2.6.32.43/grsecurity/grsec_sig.c 2011-06-29 19:40:31.000000000 -0400
54466 @@ -0,0 +1,205 @@
54467 +#include <linux/kernel.h>
54468 +#include <linux/sched.h>
54469 +#include <linux/delay.h>
54470 +#include <linux/grsecurity.h>
54471 +#include <linux/grinternal.h>
54472 +#include <linux/hardirq.h>
54473 +
54474 +char *signames[] = {
54475 + [SIGSEGV] = "Segmentation fault",
54476 + [SIGILL] = "Illegal instruction",
54477 + [SIGABRT] = "Abort",
54478 + [SIGBUS] = "Invalid alignment/Bus error"
54479 +};
54480 +
54481 +void
54482 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
54483 +{
54484 +#ifdef CONFIG_GRKERNSEC_SIGNAL
54485 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
54486 + (sig == SIGABRT) || (sig == SIGBUS))) {
54487 + if (t->pid == current->pid) {
54488 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
54489 + } else {
54490 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
54491 + }
54492 + }
54493 +#endif
54494 + return;
54495 +}
54496 +
54497 +int
54498 +gr_handle_signal(const struct task_struct *p, const int sig)
54499 +{
54500 +#ifdef CONFIG_GRKERNSEC
54501 + if (current->pid > 1 && gr_check_protected_task(p)) {
54502 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
54503 + return -EPERM;
54504 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
54505 + return -EPERM;
54506 + }
54507 +#endif
54508 + return 0;
54509 +}
54510 +
54511 +#ifdef CONFIG_GRKERNSEC
54512 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
54513 +
54514 +int gr_fake_force_sig(int sig, struct task_struct *t)
54515 +{
54516 + unsigned long int flags;
54517 + int ret, blocked, ignored;
54518 + struct k_sigaction *action;
54519 +
54520 + spin_lock_irqsave(&t->sighand->siglock, flags);
54521 + action = &t->sighand->action[sig-1];
54522 + ignored = action->sa.sa_handler == SIG_IGN;
54523 + blocked = sigismember(&t->blocked, sig);
54524 + if (blocked || ignored) {
54525 + action->sa.sa_handler = SIG_DFL;
54526 + if (blocked) {
54527 + sigdelset(&t->blocked, sig);
54528 + recalc_sigpending_and_wake(t);
54529 + }
54530 + }
54531 + if (action->sa.sa_handler == SIG_DFL)
54532 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
54533 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
54534 +
54535 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
54536 +
54537 + return ret;
54538 +}
54539 +#endif
54540 +
54541 +#ifdef CONFIG_GRKERNSEC_BRUTE
54542 +#define GR_USER_BAN_TIME (15 * 60)
54543 +
54544 +static int __get_dumpable(unsigned long mm_flags)
54545 +{
54546 + int ret;
54547 +
54548 + ret = mm_flags & MMF_DUMPABLE_MASK;
54549 + return (ret >= 2) ? 2 : ret;
54550 +}
54551 +#endif
54552 +
54553 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
54554 +{
54555 +#ifdef CONFIG_GRKERNSEC_BRUTE
54556 + uid_t uid = 0;
54557 +
54558 + if (!grsec_enable_brute)
54559 + return;
54560 +
54561 + rcu_read_lock();
54562 + read_lock(&tasklist_lock);
54563 + read_lock(&grsec_exec_file_lock);
54564 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
54565 + p->real_parent->brute = 1;
54566 + else {
54567 + const struct cred *cred = __task_cred(p), *cred2;
54568 + struct task_struct *tsk, *tsk2;
54569 +
54570 + if (!__get_dumpable(mm_flags) && cred->uid) {
54571 + struct user_struct *user;
54572 +
54573 + uid = cred->uid;
54574 +
54575 + /* this is put upon execution past expiration */
54576 + user = find_user(uid);
54577 + if (user == NULL)
54578 + goto unlock;
54579 + user->banned = 1;
54580 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
54581 + if (user->ban_expires == ~0UL)
54582 + user->ban_expires--;
54583 +
54584 + do_each_thread(tsk2, tsk) {
54585 + cred2 = __task_cred(tsk);
54586 + if (tsk != p && cred2->uid == uid)
54587 + gr_fake_force_sig(SIGKILL, tsk);
54588 + } while_each_thread(tsk2, tsk);
54589 + }
54590 + }
54591 +unlock:
54592 + read_unlock(&grsec_exec_file_lock);
54593 + read_unlock(&tasklist_lock);
54594 + rcu_read_unlock();
54595 +
54596 + if (uid)
54597 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
54598 +#endif
54599 + return;
54600 +}
54601 +
54602 +void gr_handle_brute_check(void)
54603 +{
54604 +#ifdef CONFIG_GRKERNSEC_BRUTE
54605 + if (current->brute)
54606 + msleep(30 * 1000);
54607 +#endif
54608 + return;
54609 +}
54610 +
54611 +void gr_handle_kernel_exploit(void)
54612 +{
54613 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
54614 + const struct cred *cred;
54615 + struct task_struct *tsk, *tsk2;
54616 + struct user_struct *user;
54617 + uid_t uid;
54618 +
54619 + if (in_irq() || in_serving_softirq() || in_nmi())
54620 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
54621 +
54622 + uid = current_uid();
54623 +
54624 + if (uid == 0)
54625 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
54626 + else {
54627 + /* kill all the processes of this user, hold a reference
54628 + to their creds struct, and prevent them from creating
54629 + another process until system reset
54630 + */
54631 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
54632 + /* we intentionally leak this ref */
54633 + user = get_uid(current->cred->user);
54634 + if (user) {
54635 + user->banned = 1;
54636 + user->ban_expires = ~0UL;
54637 + }
54638 +
54639 + read_lock(&tasklist_lock);
54640 + do_each_thread(tsk2, tsk) {
54641 + cred = __task_cred(tsk);
54642 + if (cred->uid == uid)
54643 + gr_fake_force_sig(SIGKILL, tsk);
54644 + } while_each_thread(tsk2, tsk);
54645 + read_unlock(&tasklist_lock);
54646 + }
54647 +#endif
54648 +}
54649 +
54650 +int __gr_process_user_ban(struct user_struct *user)
54651 +{
54652 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54653 + if (unlikely(user->banned)) {
54654 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
54655 + user->banned = 0;
54656 + user->ban_expires = 0;
54657 + free_uid(user);
54658 + } else
54659 + return -EPERM;
54660 + }
54661 +#endif
54662 + return 0;
54663 +}
54664 +
54665 +int gr_process_user_ban(void)
54666 +{
54667 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54668 + return __gr_process_user_ban(current->cred->user);
54669 +#endif
54670 + return 0;
54671 +}
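Review bot: The expiry branch of `__gr_process_user_ban` tests `user->banned`, clears it and calls `free_uid(user)` with no lock or atomic step, so two tasks sharing the same `user_struct` that reach it together after the ban has expired could each drop the single reference that `find_user()` took in `gr_handle_brute_attach`. The reverse imbalance is also possible there: a second call for a uid that is already banned takes another reference, and only one is ever released. Whether either path is reachable depends on callers outside this hunk, and the type of `banned` is declared elsewhere. If it is an int-sized field, replacing the clear-and-put in the expiry branch with `if (xchg(&user->banned, 0)) free_uid(user);` would close the first case, and `if (user->banned) free_uid(user);` ahead of `user->banned = 1;` in `gr_handle_brute_attach` would balance the second.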
54672 diff -urNp linux-2.6.32.43/grsecurity/grsec_sock.c linux-2.6.32.43/grsecurity/grsec_sock.c
54673 --- linux-2.6.32.43/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
54674 +++ linux-2.6.32.43/grsecurity/grsec_sock.c 2011-04-17 15:56:46.000000000 -0400
54675 @@ -0,0 +1,275 @@
54676 +#include <linux/kernel.h>
54677 +#include <linux/module.h>
54678 +#include <linux/sched.h>
54679 +#include <linux/file.h>
54680 +#include <linux/net.h>
54681 +#include <linux/in.h>
54682 +#include <linux/ip.h>
54683 +#include <net/sock.h>
54684 +#include <net/inet_sock.h>
54685 +#include <linux/grsecurity.h>
54686 +#include <linux/grinternal.h>
54687 +#include <linux/gracl.h>
54688 +
54689 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
54690 +EXPORT_SYMBOL(gr_cap_rtnetlink);
54691 +
54692 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
54693 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
54694 +
54695 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
54696 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
54697 +
54698 +#ifdef CONFIG_UNIX_MODULE
54699 +EXPORT_SYMBOL(gr_acl_handle_unix);
54700 +EXPORT_SYMBOL(gr_acl_handle_mknod);
54701 +EXPORT_SYMBOL(gr_handle_chroot_unix);
54702 +EXPORT_SYMBOL(gr_handle_create);
54703 +#endif
54704 +
54705 +#ifdef CONFIG_GRKERNSEC
54706 +#define gr_conn_table_size 32749
54707 +struct conn_table_entry {
54708 + struct conn_table_entry *next;
54709 + struct signal_struct *sig;
54710 +};
54711 +
54712 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
54713 +DEFINE_SPINLOCK(gr_conn_table_lock);
54714 +
54715 +extern const char * gr_socktype_to_name(unsigned char type);
54716 +extern const char * gr_proto_to_name(unsigned char proto);
54717 +extern const char * gr_sockfamily_to_name(unsigned char family);
54718 +
54719 +static __inline__ int
54720 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
54721 +{
54722 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
54723 +}
54724 +
54725 +static __inline__ int
54726 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
54727 + __u16 sport, __u16 dport)
54728 +{
54729 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
54730 + sig->gr_sport == sport && sig->gr_dport == dport))
54731 + return 1;
54732 + else
54733 + return 0;
54734 +}
54735 +
54736 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
54737 +{
54738 + struct conn_table_entry **match;
54739 + unsigned int index;
54740 +
54741 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
54742 + sig->gr_sport, sig->gr_dport,
54743 + gr_conn_table_size);
54744 +
54745 + newent->sig = sig;
54746 +
54747 + match = &gr_conn_table[index];
54748 + newent->next = *match;
54749 + *match = newent;
54750 +
54751 + return;
54752 +}
54753 +
54754 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
54755 +{
54756 + struct conn_table_entry *match, *last = NULL;
54757 + unsigned int index;
54758 +
54759 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
54760 + sig->gr_sport, sig->gr_dport,
54761 + gr_conn_table_size);
54762 +
54763 + match = gr_conn_table[index];
54764 + while (match && !conn_match(match->sig,
54765 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
54766 + sig->gr_dport)) {
54767 + last = match;
54768 + match = match->next;
54769 + }
54770 +
54771 + if (match) {
54772 + if (last)
54773 + last->next = match->next;
54774 + else
54775 + gr_conn_table[index] = NULL;
54776 + kfree(match);
54777 + }
54778 +
54779 + return;
54780 +}
54781 +
54782 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
54783 + __u16 sport, __u16 dport)
54784 +{
54785 + struct conn_table_entry *match;
54786 + unsigned int index;
54787 +
54788 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
54789 +
54790 + match = gr_conn_table[index];
54791 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
54792 + match = match->next;
54793 +
54794 + if (match)
54795 + return match->sig;
54796 + else
54797 + return NULL;
54798 +}
54799 +
54800 +#endif
54801 +
54802 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
54803 +{
54804 +#ifdef CONFIG_GRKERNSEC
54805 + struct signal_struct *sig = task->signal;
54806 + struct conn_table_entry *newent;
54807 +
54808 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
54809 + if (newent == NULL)
54810 + return;
54811 + /* no bh lock needed since we are called with bh disabled */
54812 + spin_lock(&gr_conn_table_lock);
54813 + gr_del_task_from_ip_table_nolock(sig);
54814 + sig->gr_saddr = inet->rcv_saddr;
54815 + sig->gr_daddr = inet->daddr;
54816 + sig->gr_sport = inet->sport;
54817 + sig->gr_dport = inet->dport;
54818 + gr_add_to_task_ip_table_nolock(sig, newent);
54819 + spin_unlock(&gr_conn_table_lock);
54820 +#endif
54821 + return;
54822 +}
54823 +
54824 +void gr_del_task_from_ip_table(struct task_struct *task)
54825 +{
54826 +#ifdef CONFIG_GRKERNSEC
54827 + spin_lock_bh(&gr_conn_table_lock);
54828 + gr_del_task_from_ip_table_nolock(task->signal);
54829 + spin_unlock_bh(&gr_conn_table_lock);
54830 +#endif
54831 + return;
54832 +}
54833 +
54834 +void
54835 +gr_attach_curr_ip(const struct sock *sk)
54836 +{
54837 +#ifdef CONFIG_GRKERNSEC
54838 + struct signal_struct *p, *set;
54839 + const struct inet_sock *inet = inet_sk(sk);
54840 +
54841 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
54842 + return;
54843 +
54844 + set = current->signal;
54845 +
54846 + spin_lock_bh(&gr_conn_table_lock);
54847 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
54848 + inet->dport, inet->sport);
54849 + if (unlikely(p != NULL)) {
54850 + set->curr_ip = p->curr_ip;
54851 + set->used_accept = 1;
54852 + gr_del_task_from_ip_table_nolock(p);
54853 + spin_unlock_bh(&gr_conn_table_lock);
54854 + return;
54855 + }
54856 + spin_unlock_bh(&gr_conn_table_lock);
54857 +
54858 + set->curr_ip = inet->daddr;
54859 + set->used_accept = 1;
54860 +#endif
54861 + return;
54862 +}
54863 +
54864 +int
54865 +gr_handle_sock_all(const int family, const int type, const int protocol)
54866 +{
54867 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
54868 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
54869 + (family != AF_UNIX)) {
54870 + if (family == AF_INET)
54871 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
54872 + else
54873 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
54874 + return -EACCES;
54875 + }
54876 +#endif
54877 + return 0;
54878 +}
54879 +
54880 +int
54881 +gr_handle_sock_server(const struct sockaddr *sck)
54882 +{
54883 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
54884 + if (grsec_enable_socket_server &&
54885 + in_group_p(grsec_socket_server_gid) &&
54886 + sck && (sck->sa_family != AF_UNIX) &&
54887 + (sck->sa_family != AF_LOCAL)) {
54888 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
54889 + return -EACCES;
54890 + }
54891 +#endif
54892 + return 0;
54893 +}
54894 +
54895 +int
54896 +gr_handle_sock_server_other(const struct sock *sck)
54897 +{
54898 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
54899 + if (grsec_enable_socket_server &&
54900 + in_group_p(grsec_socket_server_gid) &&
54901 + sck && (sck->sk_family != AF_UNIX) &&
54902 + (sck->sk_family != AF_LOCAL)) {
54903 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
54904 + return -EACCES;
54905 + }
54906 +#endif
54907 + return 0;
54908 +}
54909 +
54910 +int
54911 +gr_handle_sock_client(const struct sockaddr *sck)
54912 +{
54913 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
54914 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
54915 + sck && (sck->sa_family != AF_UNIX) &&
54916 + (sck->sa_family != AF_LOCAL)) {
54917 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
54918 + return -EACCES;
54919 + }
54920 +#endif
54921 + return 0;
54922 +}
54923 +
54924 +kernel_cap_t
54925 +gr_cap_rtnetlink(struct sock *sock)
54926 +{
54927 +#ifdef CONFIG_GRKERNSEC
54928 + if (!gr_acl_is_enabled())
54929 + return current_cap();
54930 + else if (sock->sk_protocol == NETLINK_ISCSI &&
54931 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
54932 + gr_is_capable(CAP_SYS_ADMIN))
54933 + return current_cap();
54934 + else if (sock->sk_protocol == NETLINK_AUDIT &&
54935 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
54936 + gr_is_capable(CAP_AUDIT_WRITE) &&
54937 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
54938 + gr_is_capable(CAP_AUDIT_CONTROL))
54939 + return current_cap();
54940 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
54941 + ((sock->sk_protocol == NETLINK_ROUTE) ?
54942 + gr_is_capable_nolog(CAP_NET_ADMIN) :
54943 + gr_is_capable(CAP_NET_ADMIN)))
54944 + return current_cap();
54945 + else
54946 + return __cap_empty_set;
54947 +#else
54948 + return current_cap();
54949 +#endif
54950 +}
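Review bot: In `gr_del_task_from_ip_table_nolock`, removing an entry that sits at the head of its bucket sets `gr_conn_table[index] = NULL`, which also unlinks every entry chained behind it; `gr_add_to_task_ip_table_nolock` inserts at the head with `newent->next = *match`, so a bucket holds more than one entry whenever two connections hash to the same index. The unlinked entries are never passed to `kfree`, and later `gr_lookup_task_ip_table` calls for those connections return NULL, so `gr_attach_curr_ip` falls back to `inet->daddr` for them. The head case should keep the rest of the chain: `gr_conn_table[index] = match->next;`.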
54951 diff -urNp linux-2.6.32.43/grsecurity/grsec_sysctl.c linux-2.6.32.43/grsecurity/grsec_sysctl.c
54952 --- linux-2.6.32.43/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
54953 +++ linux-2.6.32.43/grsecurity/grsec_sysctl.c 2011-06-29 19:37:19.000000000 -0400
54954 @@ -0,0 +1,489 @@
54955 +#include <linux/kernel.h>
54956 +#include <linux/sched.h>
54957 +#include <linux/sysctl.h>
54958 +#include <linux/grsecurity.h>
54959 +#include <linux/grinternal.h>
54960 +
54961 +int
54962 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
54963 +{
54964 +#ifdef CONFIG_GRKERNSEC_SYSCTL
54965 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
54966 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
54967 + return -EACCES;
54968 + }
54969 +#endif
54970 + return 0;
54971 +}
54972 +
54973 +#ifdef CONFIG_GRKERNSEC_ROFS
54974 +static int __maybe_unused one = 1;
54975 +#endif
54976 +
54977 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
54978 +ctl_table grsecurity_table[] = {
54979 +#ifdef CONFIG_GRKERNSEC_SYSCTL
54980 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
54981 +#ifdef CONFIG_GRKERNSEC_IO
54982 + {
54983 + .ctl_name = CTL_UNNUMBERED,
54984 + .procname = "disable_priv_io",
54985 + .data = &grsec_disable_privio,
54986 + .maxlen = sizeof(int),
54987 + .mode = 0600,
54988 + .proc_handler = &proc_dointvec,
54989 + },
54990 +#endif
54991 +#endif
54992 +#ifdef CONFIG_GRKERNSEC_LINK
54993 + {
54994 + .ctl_name = CTL_UNNUMBERED,
54995 + .procname = "linking_restrictions",
54996 + .data = &grsec_enable_link,
54997 + .maxlen = sizeof(int),
54998 + .mode = 0600,
54999 + .proc_handler = &proc_dointvec,
55000 + },
55001 +#endif
55002 +#ifdef CONFIG_GRKERNSEC_BRUTE
55003 + {
55004 + .ctl_name = CTL_UNNUMBERED,
55005 + .procname = "deter_bruteforce",
55006 + .data = &grsec_enable_brute,
55007 + .maxlen = sizeof(int),
55008 + .mode = 0600,
55009 + .proc_handler = &proc_dointvec,
55010 + },
55011 +#endif
55012 +#ifdef CONFIG_GRKERNSEC_FIFO
55013 + {
55014 + .ctl_name = CTL_UNNUMBERED,
55015 + .procname = "fifo_restrictions",
55016 + .data = &grsec_enable_fifo,
55017 + .maxlen = sizeof(int),
55018 + .mode = 0600,
55019 + .proc_handler = &proc_dointvec,
55020 + },
55021 +#endif
55022 +#ifdef CONFIG_GRKERNSEC_EXECVE
55023 + {
55024 + .ctl_name = CTL_UNNUMBERED,
55025 + .procname = "execve_limiting",
55026 + .data = &grsec_enable_execve,
55027 + .maxlen = sizeof(int),
55028 + .mode = 0600,
55029 + .proc_handler = &proc_dointvec,
55030 + },
55031 +#endif
55032 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55033 + {
55034 + .ctl_name = CTL_UNNUMBERED,
55035 + .procname = "ip_blackhole",
55036 + .data = &grsec_enable_blackhole,
55037 + .maxlen = sizeof(int),
55038 + .mode = 0600,
55039 + .proc_handler = &proc_dointvec,
55040 + },
55041 + {
55042 + .ctl_name = CTL_UNNUMBERED,
55043 + .procname = "lastack_retries",
55044 + .data = &grsec_lastack_retries,
55045 + .maxlen = sizeof(int),
55046 + .mode = 0600,
55047 + .proc_handler = &proc_dointvec,
55048 + },
55049 +#endif
55050 +#ifdef CONFIG_GRKERNSEC_EXECLOG
55051 + {
55052 + .ctl_name = CTL_UNNUMBERED,
55053 + .procname = "exec_logging",
55054 + .data = &grsec_enable_execlog,
55055 + .maxlen = sizeof(int),
55056 + .mode = 0600,
55057 + .proc_handler = &proc_dointvec,
55058 + },
55059 +#endif
55060 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
55061 + {
55062 + .ctl_name = CTL_UNNUMBERED,
55063 + .procname = "rwxmap_logging",
55064 + .data = &grsec_enable_log_rwxmaps,
55065 + .maxlen = sizeof(int),
55066 + .mode = 0600,
55067 + .proc_handler = &proc_dointvec,
55068 + },
55069 +#endif
55070 +#ifdef CONFIG_GRKERNSEC_SIGNAL
55071 + {
55072 + .ctl_name = CTL_UNNUMBERED,
55073 + .procname = "signal_logging",
55074 + .data = &grsec_enable_signal,
55075 + .maxlen = sizeof(int),
55076 + .mode = 0600,
55077 + .proc_handler = &proc_dointvec,
55078 + },
55079 +#endif
55080 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
55081 + {
55082 + .ctl_name = CTL_UNNUMBERED,
55083 + .procname = "forkfail_logging",
55084 + .data = &grsec_enable_forkfail,
55085 + .maxlen = sizeof(int),
55086 + .mode = 0600,
55087 + .proc_handler = &proc_dointvec,
55088 + },
55089 +#endif
55090 +#ifdef CONFIG_GRKERNSEC_TIME
55091 + {
55092 + .ctl_name = CTL_UNNUMBERED,
55093 + .procname = "timechange_logging",
55094 + .data = &grsec_enable_time,
55095 + .maxlen = sizeof(int),
55096 + .mode = 0600,
55097 + .proc_handler = &proc_dointvec,
55098 + },
55099 +#endif
55100 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55101 + {
55102 + .ctl_name = CTL_UNNUMBERED,
55103 + .procname = "chroot_deny_shmat",
55104 + .data = &grsec_enable_chroot_shmat,
55105 + .maxlen = sizeof(int),
55106 + .mode = 0600,
55107 + .proc_handler = &proc_dointvec,
55108 + },
55109 +#endif
55110 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55111 + {
55112 + .ctl_name = CTL_UNNUMBERED,
55113 + .procname = "chroot_deny_unix",
55114 + .data = &grsec_enable_chroot_unix,
55115 + .maxlen = sizeof(int),
55116 + .mode = 0600,
55117 + .proc_handler = &proc_dointvec,
55118 + },
55119 +#endif
55120 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55121 + {
55122 + .ctl_name = CTL_UNNUMBERED,
55123 + .procname = "chroot_deny_mount",
55124 + .data = &grsec_enable_chroot_mount,
55125 + .maxlen = sizeof(int),
55126 + .mode = 0600,
55127 + .proc_handler = &proc_dointvec,
55128 + },
55129 +#endif
55130 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55131 + {
55132 + .ctl_name = CTL_UNNUMBERED,
55133 + .procname = "chroot_deny_fchdir",
55134 + .data = &grsec_enable_chroot_fchdir,
55135 + .maxlen = sizeof(int),
55136 + .mode = 0600,
55137 + .proc_handler = &proc_dointvec,
55138 + },
55139 +#endif
55140 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55141 + {
55142 + .ctl_name = CTL_UNNUMBERED,
55143 + .procname = "chroot_deny_chroot",
55144 + .data = &grsec_enable_chroot_double,
55145 + .maxlen = sizeof(int),
55146 + .mode = 0600,
55147 + .proc_handler = &proc_dointvec,
55148 + },
55149 +#endif
55150 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55151 + {
55152 + .ctl_name = CTL_UNNUMBERED,
55153 + .procname = "chroot_deny_pivot",
55154 + .data = &grsec_enable_chroot_pivot,
55155 + .maxlen = sizeof(int),
55156 + .mode = 0600,
55157 + .proc_handler = &proc_dointvec,
55158 + },
55159 +#endif
55160 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55161 + {
55162 + .ctl_name = CTL_UNNUMBERED,
55163 + .procname = "chroot_enforce_chdir",
55164 + .data = &grsec_enable_chroot_chdir,
55165 + .maxlen = sizeof(int),
55166 + .mode = 0600,
55167 + .proc_handler = &proc_dointvec,
55168 + },
55169 +#endif
55170 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55171 + {
55172 + .ctl_name = CTL_UNNUMBERED,
55173 + .procname = "chroot_deny_chmod",
55174 + .data = &grsec_enable_chroot_chmod,
55175 + .maxlen = sizeof(int),
55176 + .mode = 0600,
55177 + .proc_handler = &proc_dointvec,
55178 + },
55179 +#endif
55180 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55181 + {
55182 + .ctl_name = CTL_UNNUMBERED,
55183 + .procname = "chroot_deny_mknod",
55184 + .data = &grsec_enable_chroot_mknod,
55185 + .maxlen = sizeof(int),
55186 + .mode = 0600,
55187 + .proc_handler = &proc_dointvec,
55188 + },
55189 +#endif
55190 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55191 + {
55192 + .ctl_name = CTL_UNNUMBERED,
55193 + .procname = "chroot_restrict_nice",
55194 + .data = &grsec_enable_chroot_nice,
55195 + .maxlen = sizeof(int),
55196 + .mode = 0600,
55197 + .proc_handler = &proc_dointvec,
55198 + },
55199 +#endif
55200 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55201 + {
55202 + .ctl_name = CTL_UNNUMBERED,
55203 + .procname = "chroot_execlog",
55204 + .data = &grsec_enable_chroot_execlog,
55205 + .maxlen = sizeof(int),
55206 + .mode = 0600,
55207 + .proc_handler = &proc_dointvec,
55208 + },
55209 +#endif
55210 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55211 + {
55212 + .ctl_name = CTL_UNNUMBERED,
55213 + .procname = "chroot_caps",
55214 + .data = &grsec_enable_chroot_caps,
55215 + .maxlen = sizeof(int),
55216 + .mode = 0600,
55217 + .proc_handler = &proc_dointvec,
55218 + },
55219 +#endif
55220 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55221 + {
55222 + .ctl_name = CTL_UNNUMBERED,
55223 + .procname = "chroot_deny_sysctl",
55224 + .data = &grsec_enable_chroot_sysctl,
55225 + .maxlen = sizeof(int),
55226 + .mode = 0600,
55227 + .proc_handler = &proc_dointvec,
55228 + },
55229 +#endif
55230 +#ifdef CONFIG_GRKERNSEC_TPE
55231 + {
55232 + .ctl_name = CTL_UNNUMBERED,
55233 + .procname = "tpe",
55234 + .data = &grsec_enable_tpe,
55235 + .maxlen = sizeof(int),
55236 + .mode = 0600,
55237 + .proc_handler = &proc_dointvec,
55238 + },
55239 + {
55240 + .ctl_name = CTL_UNNUMBERED,
55241 + .procname = "tpe_gid",
55242 + .data = &grsec_tpe_gid,
55243 + .maxlen = sizeof(int),
55244 + .mode = 0600,
55245 + .proc_handler = &proc_dointvec,
55246 + },
55247 +#endif
55248 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55249 + {
55250 + .ctl_name = CTL_UNNUMBERED,
55251 + .procname = "tpe_invert",
55252 + .data = &grsec_enable_tpe_invert,
55253 + .maxlen = sizeof(int),
55254 + .mode = 0600,
55255 + .proc_handler = &proc_dointvec,
55256 + },
55257 +#endif
55258 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55259 + {
55260 + .ctl_name = CTL_UNNUMBERED,
55261 + .procname = "tpe_restrict_all",
55262 + .data = &grsec_enable_tpe_all,
55263 + .maxlen = sizeof(int),
55264 + .mode = 0600,
55265 + .proc_handler = &proc_dointvec,
55266 + },
55267 +#endif
55268 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
55269 + {
55270 + .ctl_name = CTL_UNNUMBERED,
55271 + .procname = "socket_all",
55272 + .data = &grsec_enable_socket_all,
55273 + .maxlen = sizeof(int),
55274 + .mode = 0600,
55275 + .proc_handler = &proc_dointvec,
55276 + },
55277 + {
55278 + .ctl_name = CTL_UNNUMBERED,
55279 + .procname = "socket_all_gid",
55280 + .data = &grsec_socket_all_gid,
55281 + .maxlen = sizeof(int),
55282 + .mode = 0600,
55283 + .proc_handler = &proc_dointvec,
55284 + },
55285 +#endif
55286 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
55287 + {
55288 + .ctl_name = CTL_UNNUMBERED,
55289 + .procname = "socket_client",
55290 + .data = &grsec_enable_socket_client,
55291 + .maxlen = sizeof(int),
55292 + .mode = 0600,
55293 + .proc_handler = &proc_dointvec,
55294 + },
55295 + {
55296 + .ctl_name = CTL_UNNUMBERED,
55297 + .procname = "socket_client_gid",
55298 + .data = &grsec_socket_client_gid,
55299 + .maxlen = sizeof(int),
55300 + .mode = 0600,
55301 + .proc_handler = &proc_dointvec,
55302 + },
55303 +#endif
55304 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
55305 + {
55306 + .ctl_name = CTL_UNNUMBERED,
55307 + .procname = "socket_server",
55308 + .data = &grsec_enable_socket_server,
55309 + .maxlen = sizeof(int),
55310 + .mode = 0600,
55311 + .proc_handler = &proc_dointvec,
55312 + },
55313 + {
55314 + .ctl_name = CTL_UNNUMBERED,
55315 + .procname = "socket_server_gid",
55316 + .data = &grsec_socket_server_gid,
55317 + .maxlen = sizeof(int),
55318 + .mode = 0600,
55319 + .proc_handler = &proc_dointvec,
55320 + },
55321 +#endif
55322 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
55323 + {
55324 + .ctl_name = CTL_UNNUMBERED,
55325 + .procname = "audit_group",
55326 + .data = &grsec_enable_group,
55327 + .maxlen = sizeof(int),
55328 + .mode = 0600,
55329 + .proc_handler = &proc_dointvec,
55330 + },
55331 + {
55332 + .ctl_name = CTL_UNNUMBERED,
55333 + .procname = "audit_gid",
55334 + .data = &grsec_audit_gid,
55335 + .maxlen = sizeof(int),
55336 + .mode = 0600,
55337 + .proc_handler = &proc_dointvec,
55338 + },
55339 +#endif
55340 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55341 + {
55342 + .ctl_name = CTL_UNNUMBERED,
55343 + .procname = "audit_chdir",
55344 + .data = &grsec_enable_chdir,
55345 + .maxlen = sizeof(int),
55346 + .mode = 0600,
55347 + .proc_handler = &proc_dointvec,
55348 + },
55349 +#endif
55350 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
55351 + {
55352 + .ctl_name = CTL_UNNUMBERED,
55353 + .procname = "audit_mount",
55354 + .data = &grsec_enable_mount,
55355 + .maxlen = sizeof(int),
55356 + .mode = 0600,
55357 + .proc_handler = &proc_dointvec,
55358 + },
55359 +#endif
55360 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
55361 + {
55362 + .ctl_name = CTL_UNNUMBERED,
55363 + .procname = "audit_textrel",
55364 + .data = &grsec_enable_audit_textrel,
55365 + .maxlen = sizeof(int),
55366 + .mode = 0600,
55367 + .proc_handler = &proc_dointvec,
55368 + },
55369 +#endif
55370 +#ifdef CONFIG_GRKERNSEC_DMESG
55371 + {
55372 + .ctl_name = CTL_UNNUMBERED,
55373 + .procname = "dmesg",
55374 + .data = &grsec_enable_dmesg,
55375 + .maxlen = sizeof(int),
55376 + .mode = 0600,
55377 + .proc_handler = &proc_dointvec,
55378 + },
55379 +#endif
55380 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55381 + {
55382 + .ctl_name = CTL_UNNUMBERED,
55383 + .procname = "chroot_findtask",
55384 + .data = &grsec_enable_chroot_findtask,
55385 + .maxlen = sizeof(int),
55386 + .mode = 0600,
55387 + .proc_handler = &proc_dointvec,
55388 + },
55389 +#endif
55390 +#ifdef CONFIG_GRKERNSEC_RESLOG
55391 + {
55392 + .ctl_name = CTL_UNNUMBERED,
55393 + .procname = "resource_logging",
55394 + .data = &grsec_resource_logging,
55395 + .maxlen = sizeof(int),
55396 + .mode = 0600,
55397 + .proc_handler = &proc_dointvec,
55398 + },
55399 +#endif
55400 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
55401 + {
55402 + .ctl_name = CTL_UNNUMBERED,
55403 + .procname = "audit_ptrace",
55404 + .data = &grsec_enable_audit_ptrace,
55405 + .maxlen = sizeof(int),
55406 + .mode = 0600,
55407 + .proc_handler = &proc_dointvec,
55408 + },
55409 +#endif
55410 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
55411 + {
55412 + .ctl_name = CTL_UNNUMBERED,
55413 + .procname = "harden_ptrace",
55414 + .data = &grsec_enable_harden_ptrace,
55415 + .maxlen = sizeof(int),
55416 + .mode = 0600,
55417 + .proc_handler = &proc_dointvec,
55418 + },
55419 +#endif
55420 + {
55421 + .ctl_name = CTL_UNNUMBERED,
55422 + .procname = "grsec_lock",
55423 + .data = &grsec_lock,
55424 + .maxlen = sizeof(int),
55425 + .mode = 0600,
55426 + .proc_handler = &proc_dointvec,
55427 + },
55428 +#endif
55429 +#ifdef CONFIG_GRKERNSEC_ROFS
55430 + {
55431 + .ctl_name = CTL_UNNUMBERED,
55432 + .procname = "romount_protect",
55433 + .data = &grsec_enable_rofs,
55434 + .maxlen = sizeof(int),
55435 + .mode = 0600,
55436 + .proc_handler = &proc_dointvec_minmax,
55437 + .extra1 = &one,
55438 + .extra2 = &one,
55439 + },
55440 +#endif
55441 + { .ctl_name = 0 }
55442 +};
55443 +#endif
55444 diff -urNp linux-2.6.32.43/grsecurity/grsec_time.c linux-2.6.32.43/grsecurity/grsec_time.c
55445 --- linux-2.6.32.43/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
55446 +++ linux-2.6.32.43/grsecurity/grsec_time.c 2011-04-17 15:56:46.000000000 -0400
55447 @@ -0,0 +1,16 @@
55448 +#include <linux/kernel.h>
55449 +#include <linux/sched.h>
55450 +#include <linux/grinternal.h>
55451 +#include <linux/module.h>
55452 +
55453 +void
55454 +gr_log_timechange(void)
55455 +{
55456 +#ifdef CONFIG_GRKERNSEC_TIME
55457 + if (grsec_enable_time)
55458 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
55459 +#endif
55460 + return;
55461 +}
55462 +
55463 +EXPORT_SYMBOL(gr_log_timechange);
55464 diff -urNp linux-2.6.32.43/grsecurity/grsec_tpe.c linux-2.6.32.43/grsecurity/grsec_tpe.c
55465 --- linux-2.6.32.43/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
55466 +++ linux-2.6.32.43/grsecurity/grsec_tpe.c 2011-04-17 15:56:46.000000000 -0400
55467 @@ -0,0 +1,39 @@
55468 +#include <linux/kernel.h>
55469 +#include <linux/sched.h>
55470 +#include <linux/file.h>
55471 +#include <linux/fs.h>
55472 +#include <linux/grinternal.h>
55473 +
55474 +extern int gr_acl_tpe_check(void);
55475 +
55476 +int
55477 +gr_tpe_allow(const struct file *file)
55478 +{
55479 +#ifdef CONFIG_GRKERNSEC
55480 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
55481 + const struct cred *cred = current_cred();
55482 +
55483 + if (cred->uid && ((grsec_enable_tpe &&
55484 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
55485 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
55486 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
55487 +#else
55488 + in_group_p(grsec_tpe_gid)
55489 +#endif
55490 + ) || gr_acl_tpe_check()) &&
55491 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
55492 + (inode->i_mode & S_IWOTH))))) {
55493 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55494 + return 0;
55495 + }
55496 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
55497 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
55498 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
55499 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
55500 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
55501 + return 0;
55502 + }
55503 +#endif
55504 +#endif
55505 + return 1;
55506 +}
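Review bot: `file->f_path.dentry->d_parent->d_inode` in gr_tpe_allow() is read without pinning the parent dentry, so unless every caller already excludes a concurrent rename (not visible in this hunk) the owner and mode bits tested may belong to a directory the file has just left. Taking the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);` and calling `dput(parent);` before each return would make the check operate on a stable parent. Separately, the `!inode->i_uid &&` term is redundant after `inode->i_uid ||`, and the test reads more easily as `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`. A short comment above the function stating the policy would help auditors: `/* TPE: returns 0 (deny) when a restricted non-root user executes from a directory that is not root-owned or is group/world-writable; only the immediate parent directory is examined */`.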
55507 diff -urNp linux-2.6.32.43/grsecurity/grsum.c linux-2.6.32.43/grsecurity/grsum.c
55508 --- linux-2.6.32.43/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
55509 +++ linux-2.6.32.43/grsecurity/grsum.c 2011-04-17 15:56:46.000000000 -0400
55510 @@ -0,0 +1,61 @@
55511 +#include <linux/err.h>
55512 +#include <linux/kernel.h>
55513 +#include <linux/sched.h>
55514 +#include <linux/mm.h>
55515 +#include <linux/scatterlist.h>
55516 +#include <linux/crypto.h>
55517 +#include <linux/gracl.h>
55518 +
55519 +
55520 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
55521 +#error "crypto and sha256 must be built into the kernel"
55522 +#endif
55523 +
55524 +int
55525 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
55526 +{
55527 + char *p;
55528 + struct crypto_hash *tfm;
55529 + struct hash_desc desc;
55530 + struct scatterlist sg;
55531 + unsigned char temp_sum[GR_SHA_LEN];
55532 + volatile int retval = 0;
55533 + volatile int dummy = 0;
55534 + unsigned int i;
55535 +
55536 + sg_init_table(&sg, 1);
55537 +
55538 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
55539 + if (IS_ERR(tfm)) {
55540 + /* should never happen, since sha256 should be built in */
55541 + return 1;
55542 + }
55543 +
55544 + desc.tfm = tfm;
55545 + desc.flags = 0;
55546 +
55547 + crypto_hash_init(&desc);
55548 +
55549 + p = salt;
55550 + sg_set_buf(&sg, p, GR_SALT_LEN);
55551 + crypto_hash_update(&desc, &sg, sg.length);
55552 +
55553 + p = entry->pw;
55554 + sg_set_buf(&sg, p, strlen(p));
55555 +
55556 + crypto_hash_update(&desc, &sg, sg.length);
55557 +
55558 + crypto_hash_final(&desc, temp_sum);
55559 +
55560 + memset(entry->pw, 0, GR_PW_LEN);
55561 +
55562 + for (i = 0; i < GR_SHA_LEN; i++)
55563 + if (sum[i] != temp_sum[i])
55564 + retval = 1;
55565 + else
55566 + dummy = 1; // waste a cycle
55567 +
55568 + crypto_free_hash(tfm);
55569 +
55570 + return retval;
55571 +}
55572 diff -urNp linux-2.6.32.43/grsecurity/Kconfig linux-2.6.32.43/grsecurity/Kconfig
55573 --- linux-2.6.32.43/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
55574 +++ linux-2.6.32.43/grsecurity/Kconfig 2011-07-06 19:57:57.000000000 -0400
55575 @@ -0,0 +1,1047 @@
55576 +#
55577 +# grecurity configuration
55578 +#
55579 +
55580 +menu "Grsecurity"
55581 +
55582 +config GRKERNSEC
55583 + bool "Grsecurity"
55584 + select CRYPTO
55585 + select CRYPTO_SHA256
55586 + help
55587 + If you say Y here, you will be able to configure many features
55588 + that will enhance the security of your system. It is highly
55589 + recommended that you say Y here and read through the help
55590 + for each option so that you fully understand the features and
55591 + can evaluate their usefulness for your machine.
55592 +
55593 +choice
55594 + prompt "Security Level"
55595 + depends on GRKERNSEC
55596 + default GRKERNSEC_CUSTOM
55597 +
55598 +config GRKERNSEC_LOW
55599 + bool "Low"
55600 + select GRKERNSEC_LINK
55601 + select GRKERNSEC_FIFO
55602 + select GRKERNSEC_EXECVE
55603 + select GRKERNSEC_RANDNET
55604 + select GRKERNSEC_DMESG
55605 + select GRKERNSEC_CHROOT
55606 + select GRKERNSEC_CHROOT_CHDIR
55607 +
55608 + help
55609 + If you choose this option, several of the grsecurity options will
55610 + be enabled that will give you greater protection against a number
55611 + of attacks, while assuring that none of your software will have any
55612 + conflicts with the additional security measures. If you run a lot
55613 + of unusual software, or you are having problems with the higher
55614 + security levels, you should say Y here. With this option, the
55615 + following features are enabled:
55616 +
55617 + - Linking restrictions
55618 + - FIFO restrictions
55619 + - Enforcing RLIMIT_NPROC on execve
55620 + - Restricted dmesg
55621 + - Enforced chdir("/") on chroot
55622 + - Runtime module disabling
55623 +
55624 +config GRKERNSEC_MEDIUM
55625 + bool "Medium"
55626 + select PAX
55627 + select PAX_EI_PAX
55628 + select PAX_PT_PAX_FLAGS
55629 + select PAX_HAVE_ACL_FLAGS
55630 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
55631 + select GRKERNSEC_CHROOT
55632 + select GRKERNSEC_CHROOT_SYSCTL
55633 + select GRKERNSEC_LINK
55634 + select GRKERNSEC_FIFO
55635 + select GRKERNSEC_EXECVE
55636 + select GRKERNSEC_DMESG
55637 + select GRKERNSEC_RANDNET
55638 + select GRKERNSEC_FORKFAIL
55639 + select GRKERNSEC_TIME
55640 + select GRKERNSEC_SIGNAL
55641 + select GRKERNSEC_CHROOT
55642 + select GRKERNSEC_CHROOT_UNIX
55643 + select GRKERNSEC_CHROOT_MOUNT
55644 + select GRKERNSEC_CHROOT_PIVOT
55645 + select GRKERNSEC_CHROOT_DOUBLE
55646 + select GRKERNSEC_CHROOT_CHDIR
55647 + select GRKERNSEC_CHROOT_MKNOD
55648 + select GRKERNSEC_PROC
55649 + select GRKERNSEC_PROC_USERGROUP
55650 + select PAX_RANDUSTACK
55651 + select PAX_ASLR
55652 + select PAX_RANDMMAP
55653 + select PAX_REFCOUNT if (X86 || SPARC64)
55654 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
55655 +
55656 + help
55657 + If you say Y here, several features in addition to those included
55658 + in the low additional security level will be enabled. These
55659 + features provide even more security to your system, though in rare
55660 + cases they may be incompatible with very old or poorly written
55661 + software. If you enable this option, make sure that your auth
55662 + service (identd) is running as gid 1001. With this option,
55663 + the following features (in addition to those provided in the
55664 + low additional security level) will be enabled:
55665 +
55666 + - Failed fork logging
55667 + - Time change logging
55668 + - Signal logging
55669 + - Deny mounts in chroot
55670 + - Deny double chrooting
55671 + - Deny sysctl writes in chroot
55672 + - Deny mknod in chroot
55673 + - Deny access to abstract AF_UNIX sockets out of chroot
55674 + - Deny pivot_root in chroot
55675 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
55676 + - /proc restrictions with special GID set to 10 (usually wheel)
55677 + - Address Space Layout Randomization (ASLR)
55678 + - Prevent exploitation of most refcount overflows
55679 + - Bounds checking of copying between the kernel and userland
55680 +
55681 +config GRKERNSEC_HIGH
55682 + bool "High"
55683 + select GRKERNSEC_LINK
55684 + select GRKERNSEC_FIFO
55685 + select GRKERNSEC_EXECVE
55686 + select GRKERNSEC_DMESG
55687 + select GRKERNSEC_FORKFAIL
55688 + select GRKERNSEC_TIME
55689 + select GRKERNSEC_SIGNAL
55690 + select GRKERNSEC_CHROOT
55691 + select GRKERNSEC_CHROOT_SHMAT
55692 + select GRKERNSEC_CHROOT_UNIX
55693 + select GRKERNSEC_CHROOT_MOUNT
55694 + select GRKERNSEC_CHROOT_FCHDIR
55695 + select GRKERNSEC_CHROOT_PIVOT
55696 + select GRKERNSEC_CHROOT_DOUBLE
55697 + select GRKERNSEC_CHROOT_CHDIR
55698 + select GRKERNSEC_CHROOT_MKNOD
55699 + select GRKERNSEC_CHROOT_CAPS
55700 + select GRKERNSEC_CHROOT_SYSCTL
55701 + select GRKERNSEC_CHROOT_FINDTASK
55702 + select GRKERNSEC_SYSFS_RESTRICT
55703 + select GRKERNSEC_PROC
55704 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
55705 + select GRKERNSEC_HIDESYM
55706 + select GRKERNSEC_BRUTE
55707 + select GRKERNSEC_PROC_USERGROUP
55708 + select GRKERNSEC_KMEM
55709 + select GRKERNSEC_RESLOG
55710 + select GRKERNSEC_RANDNET
55711 + select GRKERNSEC_PROC_ADD
55712 + select GRKERNSEC_CHROOT_CHMOD
55713 + select GRKERNSEC_CHROOT_NICE
55714 + select GRKERNSEC_AUDIT_MOUNT
55715 + select GRKERNSEC_MODHARDEN if (MODULES)
55716 + select GRKERNSEC_HARDEN_PTRACE
55717 + select GRKERNSEC_VM86 if (X86_32)
55718 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
55719 + select PAX
55720 + select PAX_RANDUSTACK
55721 + select PAX_ASLR
55722 + select PAX_RANDMMAP
55723 + select PAX_NOEXEC
55724 + select PAX_MPROTECT
55725 + select PAX_EI_PAX
55726 + select PAX_PT_PAX_FLAGS
55727 + select PAX_HAVE_ACL_FLAGS
55728 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
55729 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
55730 + select PAX_RANDKSTACK if (X86_TSC && X86)
55731 + select PAX_SEGMEXEC if (X86_32)
55732 + select PAX_PAGEEXEC
55733 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
55734 + select PAX_EMUTRAMP if (PARISC)
55735 + select PAX_EMUSIGRT if (PARISC)
55736 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
55737 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
55738 + select PAX_REFCOUNT if (X86 || SPARC64)
55739 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
55740 + help
55741 + If you say Y here, many of the features of grsecurity will be
55742 + enabled, which will protect you against many kinds of attacks
55743 + against your system. The heightened security comes at a cost
55744 + of an increased chance of incompatibilities with rare software
55745 + on your machine. Since this security level enables PaX, you should
55746 + view <http://pax.grsecurity.net> and read about the PaX
55747 + project. While you are there, download chpax and run it on
55748 + binaries that cause problems with PaX. Also remember that
55749 + since the /proc restrictions are enabled, you must run your
55750 + identd as gid 1001. This security level enables the following
55751 + features in addition to those listed in the low and medium
55752 + security levels:
55753 +
55754 + - Additional /proc restrictions
55755 + - Chmod restrictions in chroot
55756 + - No signals, ptrace, or viewing of processes outside of chroot
55757 + - Capability restrictions in chroot
55758 + - Deny fchdir out of chroot
55759 + - Priority restrictions in chroot
55760 + - Segmentation-based implementation of PaX
55761 + - Mprotect restrictions
55762 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
55763 + - Kernel stack randomization
55764 + - Mount/unmount/remount logging
55765 + - Kernel symbol hiding
55766 + - Prevention of memory exhaustion-based exploits
55767 + - Hardening of module auto-loading
55768 + - Ptrace restrictions
55769 + - Restricted vm86 mode
55770 + - Restricted sysfs/debugfs
55771 + - Active kernel exploit response
55772 +
55773 +config GRKERNSEC_CUSTOM
55774 + bool "Custom"
55775 + help
55776 + If you say Y here, you will be able to configure every grsecurity
55777 + option, which allows you to enable many more features that aren't
55778 + covered in the basic security levels. These additional features
55779 + include TPE, socket restrictions, and the sysctl system for
55780 + grsecurity. It is advised that you read through the help for
55781 + each option to determine its usefulness in your situation.
55782 +
55783 +endchoice
55784 +
55785 +menu "Address Space Protection"
55786 +depends on GRKERNSEC
55787 +
55788 +config GRKERNSEC_KMEM
55789 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
55790 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
55791 + help
55792 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
55793 + be written to via mmap or otherwise to modify the running kernel.
55794 + /dev/port will also not be allowed to be opened. If you have module
55795 + support disabled, enabling this will close up four ways that are
55796 + currently used to insert malicious code into the running kernel.
55797 + Even with all these features enabled, we still highly recommend that
55798 + you use the RBAC system, as it is still possible for an attacker to
55799 + modify the running kernel through privileged I/O granted by ioperm/iopl.
55800 + If you are not using XFree86, you may be able to stop this additional
55801 + case by enabling the 'Disable privileged I/O' option. Though nothing
55802 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
55803 + but only to video memory, which is the only writing we allow in this
55804 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
55805 + not be allowed to mprotect it with PROT_WRITE later.
55806 + It is highly recommended that you say Y here if you meet all the
55807 + conditions above.
55808 +
55809 +config GRKERNSEC_VM86
55810 + bool "Restrict VM86 mode"
55811 + depends on X86_32
55812 +
55813 + help
55814 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
55815 + make use of a special execution mode on 32bit x86 processors called
55816 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
55817 + video cards and will still work with this option enabled. The purpose
55818 + of the option is to prevent exploitation of emulation errors in
55819 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
55820 + Nearly all users should be able to enable this option.
55821 +
55822 +config GRKERNSEC_IO
55823 + bool "Disable privileged I/O"
55824 + depends on X86
55825 + select RTC_CLASS
55826 + select RTC_INTF_DEV
55827 + select RTC_DRV_CMOS
55828 +
55829 + help
55830 + If you say Y here, all ioperm and iopl calls will return an error.
55831 + Ioperm and iopl can be used to modify the running kernel.
55832 + Unfortunately, some programs need this access to operate properly,
55833 + the most notable of which are XFree86 and hwclock. hwclock can be
55834 + remedied by having RTC support in the kernel, so real-time
55835 + clock support is enabled if this option is enabled, to ensure
55836 + that hwclock operates correctly. XFree86 still will not
55837 + operate correctly with this option enabled, so DO NOT CHOOSE Y
55838 + IF YOU USE XFree86. If you use XFree86 and you still want to
55839 + protect your kernel against modification, use the RBAC system.
55840 +
55841 +config GRKERNSEC_PROC_MEMMAP
55842 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
55843 + default y if (PAX_NOEXEC || PAX_ASLR)
55844 + depends on PAX_NOEXEC || PAX_ASLR
55845 + help
55846 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
55847 + give no information about the addresses of its mappings if
55848 + PaX features that rely on random addresses are enabled on the task.
55849 + If you use PaX it is greatly recommended that you say Y here as it
55850 + closes up a hole that makes the full ASLR useless for suid
55851 + binaries.
55852 +
55853 +config GRKERNSEC_BRUTE
55854 + bool "Deter exploit bruteforcing"
55855 + help
55856 + If you say Y here, attempts to bruteforce exploits against forking
55857 + daemons such as apache or sshd, as well as against suid/sgid binaries
55858 + will be deterred. When a child of a forking daemon is killed by PaX
55859 + or crashes due to an illegal instruction or other suspicious signal,
55860 + the parent process will be delayed 30 seconds upon every subsequent
55861 + fork until the administrator is able to assess the situation and
55862 + restart the daemon.
55863 + In the suid/sgid case, the attempt is logged, the user has all their
55864 + processes terminated, and they are prevented from executing any further
55865 + processes for 15 minutes.
55866 + It is recommended that you also enable signal logging in the auditing
55867 + section so that logs are generated when a process triggers a suspicious
55868 + signal.
55869 + If the sysctl option is enabled, a sysctl option with name
55870 + "deter_bruteforce" is created.
55871 +
55872 +config GRKERNSEC_MODHARDEN
55873 + bool "Harden module auto-loading"
55874 + depends on MODULES
55875 + help
55876 + If you say Y here, module auto-loading in response to use of some
55877 + feature implemented by an unloaded module will be restricted to
55878 + root users. Enabling this option helps defend against attacks
55879 + by unprivileged users who abuse the auto-loading behavior to
55880 + cause a vulnerable module to load that is then exploited.
55881 +
55882 + If this option prevents a legitimate use of auto-loading for a
55883 + non-root user, the administrator can execute modprobe manually
55884 + with the exact name of the module mentioned in the alert log.
55885 + Alternatively, the administrator can add the module to the list
55886 + of modules loaded at boot by modifying init scripts.
55887 +
55888 + Modification of init scripts will most likely be needed on
55889 + Ubuntu servers with encrypted home directory support enabled,
55890 + as the first non-root user logging in will cause the ecb(aes),
55891 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
55892 +
55893 +config GRKERNSEC_HIDESYM
55894 + bool "Hide kernel symbols"
55895 + help
55896 + If you say Y here, getting information on loaded modules, and
55897 + displaying all kernel symbols through a syscall will be restricted
55898 + to users with CAP_SYS_MODULE. For software compatibility reasons,
55899 + /proc/kallsyms will be restricted to the root user. The RBAC
55900 + system can hide that entry even from root.
55901 +
55902 + This option also prevents leaking of kernel addresses through
55903 + several /proc entries.
55904 +
55905 + Note that this option is only effective provided the following
55906 + conditions are met:
55907 + 1) The kernel using grsecurity is not precompiled by some distribution
55908 + 2) You have also enabled GRKERNSEC_DMESG
55909 + 3) You are using the RBAC system and hiding other files such as your
55910 + kernel image and System.map. Alternatively, enabling this option
55911 + causes the permissions on /boot, /lib/modules, and the kernel
55912 + source directory to change at compile time to prevent
55913 + reading by non-root users.
55914 + If the above conditions are met, this option will aid in providing a
55915 + useful protection against local kernel exploitation of overflows
55916 + and arbitrary read/write vulnerabilities.
55917 +
55918 +config GRKERNSEC_KERN_LOCKOUT
55919 + bool "Active kernel exploit response"
55920 + depends on X86 || ARM || PPC || SPARC
55921 + help
55922 + If you say Y here, when a PaX alert is triggered due to suspicious
55923 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
55924 + or an OOPs occurs due to bad memory accesses, instead of just
55925 + terminating the offending process (and potentially allowing
55926 + a subsequent exploit from the same user), we will take one of two
55927 + actions:
55928 + If the user was root, we will panic the system
55929 + If the user was non-root, we will log the attempt, terminate
55930 + all processes owned by the user, then prevent them from creating
55931 + any new processes until the system is restarted
55932 + This deters repeated kernel exploitation/bruteforcing attempts
55933 + and is useful for later forensics.
55934 +
55935 +endmenu
55936 +menu "Role Based Access Control Options"
55937 +depends on GRKERNSEC
55938 +
55939 +config GRKERNSEC_RBAC_DEBUG
55940 + bool
55941 +
55942 +config GRKERNSEC_NO_RBAC
55943 + bool "Disable RBAC system"
55944 + help
55945 + If you say Y here, the /dev/grsec device will be removed from the kernel,
55946 + preventing the RBAC system from being enabled. You should only say Y
55947 + here if you have no intention of using the RBAC system, so as to prevent
55948 + an attacker with root access from misusing the RBAC system to hide files
55949 + and processes when loadable module support and /dev/[k]mem have been
55950 + locked down.
55951 +
55952 +config GRKERNSEC_ACL_HIDEKERN
55953 + bool "Hide kernel processes"
55954 + help
55955 + If you say Y here, all kernel threads will be hidden to all
55956 + processes but those whose subject has the "view hidden processes"
55957 + flag.
55958 +
55959 +config GRKERNSEC_ACL_MAXTRIES
55960 + int "Maximum tries before password lockout"
55961 + default 3
55962 + help
55963 + This option enforces the maximum number of times a user can attempt
55964 + to authorize themselves with the grsecurity RBAC system before being
55965 + denied the ability to attempt authorization again for a specified time.
55966 + The lower the number, the harder it will be to brute-force a password.
55967 +
55968 +config GRKERNSEC_ACL_TIMEOUT
55969 + int "Time to wait after max password tries, in seconds"
55970 + default 30
55971 + help
55972 + This option specifies the time the user must wait after attempting to
55973 + authorize to the RBAC system with the maximum number of invalid
55974 + passwords. The higher the number, the harder it will be to brute-force
55975 + a password.
55976 +
55977 +endmenu
55978 +menu "Filesystem Protections"
55979 +depends on GRKERNSEC
55980 +
55981 +config GRKERNSEC_PROC
55982 + bool "Proc restrictions"
55983 + help
55984 + If you say Y here, the permissions of the /proc filesystem
55985 + will be altered to enhance system security and privacy. You MUST
55986 + choose either a user only restriction or a user and group restriction.
55987 + Depending upon the option you choose, you can either restrict users to
55988 + see only the processes they themselves run, or choose a group that can
55989 + view all processes and files normally restricted to root if you choose
55990 + the "restrict to user only" option. NOTE: If you're running identd as
55991 + a non-root user, you will have to run it as the group you specify here.
55992 +
55993 +config GRKERNSEC_PROC_USER
55994 + bool "Restrict /proc to user only"
55995 + depends on GRKERNSEC_PROC
55996 + help
55997 + If you say Y here, non-root users will only be able to view their own
55998 + processes, and restricts them from viewing network-related information,
55999 + and viewing kernel symbol and module information.
56000 +
56001 +config GRKERNSEC_PROC_USERGROUP
56002 + bool "Allow special group"
56003 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
56004 + help
56005 + If you say Y here, you will be able to select a group that will be
56006 + able to view all processes and network-related information. If you've
56007 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
56008 + remain hidden. This option is useful if you want to run identd as
56009 + a non-root user.
56010 +
56011 +config GRKERNSEC_PROC_GID
56012 + int "GID for special group"
56013 + depends on GRKERNSEC_PROC_USERGROUP
56014 + default 1001
56015 +
56016 +config GRKERNSEC_PROC_ADD
56017 + bool "Additional restrictions"
56018 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
56019 + help
56020 + If you say Y here, additional restrictions will be placed on
56021 + /proc that keep normal users from viewing device information and
56022 + slabinfo information that could be useful for exploits.
56023 +
56024 +config GRKERNSEC_LINK
56025 + bool "Linking restrictions"
56026 + help
56027 + If you say Y here, /tmp race exploits will be prevented, since users
56028 + will no longer be able to follow symlinks owned by other users in
56029 + world-writable +t directories (e.g. /tmp), unless the owner of the
56030 + symlink is the owner of the directory. users will also not be
56031 + able to hardlink to files they do not own. If the sysctl option is
56032 + enabled, a sysctl option with name "linking_restrictions" is created.
56033 +
56034 +config GRKERNSEC_FIFO
56035 + bool "FIFO restrictions"
56036 + help
56037 + If you say Y here, users will not be able to write to FIFOs they don't
56038 + own in world-writable +t directories (e.g. /tmp), unless the owner of
56039 + the FIFO is the same owner of the directory it's held in. If the sysctl
56040 + option is enabled, a sysctl option with name "fifo_restrictions" is
56041 + created.
56042 +
56043 +config GRKERNSEC_SYSFS_RESTRICT
56044 + bool "Sysfs/debugfs restriction"
56045 + depends on SYSFS
56046 + help
56047 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
56048 + any filesystem normally mounted under it (e.g. debugfs) will only
56049 + be accessible by root. These filesystems generally provide access
56050 + to hardware and debug information that isn't appropriate for unprivileged
56051 + users of the system. Sysfs and debugfs have also become a large source
56052 + of new vulnerabilities, ranging from infoleaks to local compromise.
56053 + There has been very little oversight with an eye toward security involved
56054 + in adding new exporters of information to these filesystems, so their
56055 + use is discouraged.
56056 + This option is equivalent to a chmod 0700 of the mount paths.
56057 +
56058 +config GRKERNSEC_ROFS
56059 + bool "Runtime read-only mount protection"
56060 + help
56061 + If you say Y here, a sysctl option with name "romount_protect" will
56062 + be created. By setting this option to 1 at runtime, filesystems
56063 + will be protected in the following ways:
56064 + * No new writable mounts will be allowed
56065 + * Existing read-only mounts won't be able to be remounted read/write
56066 + * Write operations will be denied on all block devices
56067 + This option acts independently of grsec_lock: once it is set to 1,
56068 + it cannot be turned off. Therefore, please be mindful of the resulting
56069 + behavior if this option is enabled in an init script on a read-only
56070 + filesystem. This feature is mainly intended for secure embedded systems.
56071 +
56072 +config GRKERNSEC_CHROOT
56073 + bool "Chroot jail restrictions"
56074 + help
56075 + If you say Y here, you will be able to choose several options that will
56076 + make breaking out of a chrooted jail much more difficult. If you
56077 + encounter no software incompatibilities with the following options, it
56078 + is recommended that you enable each one.
56079 +
56080 +config GRKERNSEC_CHROOT_MOUNT
56081 + bool "Deny mounts"
56082 + depends on GRKERNSEC_CHROOT
56083 + help
56084 + If you say Y here, processes inside a chroot will not be able to
56085 + mount or remount filesystems. If the sysctl option is enabled, a
56086 + sysctl option with name "chroot_deny_mount" is created.
56087 +
56088 +config GRKERNSEC_CHROOT_DOUBLE
56089 + bool "Deny double-chroots"
56090 + depends on GRKERNSEC_CHROOT
56091 + help
56092 + If you say Y here, processes inside a chroot will not be able to chroot
56093 + again outside the chroot. This is a widely used method of breaking
56094 + out of a chroot jail and should not be allowed. If the sysctl
56095 + option is enabled, a sysctl option with name
56096 + "chroot_deny_chroot" is created.
56097 +
56098 +config GRKERNSEC_CHROOT_PIVOT
56099 + bool "Deny pivot_root in chroot"
56100 + depends on GRKERNSEC_CHROOT
56101 + help
56102 + If you say Y here, processes inside a chroot will not be able to use
56103 + a function called pivot_root() that was introduced in Linux 2.3.41. It
56104 + works similar to chroot in that it changes the root filesystem. This
56105 + function could be misused in a chrooted process to attempt to break out
56106 + of the chroot, and therefore should not be allowed. If the sysctl
56107 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
56108 + created.
56109 +
56110 +config GRKERNSEC_CHROOT_CHDIR
56111 + bool "Enforce chdir(\"/\") on all chroots"
56112 + depends on GRKERNSEC_CHROOT
56113 + help
56114 + If you say Y here, the current working directory of all newly-chrooted
56115 + applications will be set to the the root directory of the chroot.
56116 + The man page on chroot(2) states:
56117 + Note that this call does not change the current working
56118 + directory, so that `.' can be outside the tree rooted at
56119 + `/'. In particular, the super-user can escape from a
56120 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
56121 +
56122 + It is recommended that you say Y here, since it's not known to break
56123 + any software. If the sysctl option is enabled, a sysctl option with
56124 + name "chroot_enforce_chdir" is created.
56125 +
56126 +config GRKERNSEC_CHROOT_CHMOD
56127 + bool "Deny (f)chmod +s"
56128 + depends on GRKERNSEC_CHROOT
56129 + help
56130 + If you say Y here, processes inside a chroot will not be able to chmod
56131 + or fchmod files to make them have suid or sgid bits. This protects
56132 + against another published method of breaking a chroot. If the sysctl
56133 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
56134 + created.
56135 +
56136 +config GRKERNSEC_CHROOT_FCHDIR
56137 + bool "Deny fchdir out of chroot"
56138 + depends on GRKERNSEC_CHROOT
56139 + help
56140 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
56141 + to a file descriptor of the chrooting process that points to a directory
56142 + outside the filesystem will be stopped. If the sysctl option
56143 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
56144 +
56145 +config GRKERNSEC_CHROOT_MKNOD
56146 + bool "Deny mknod"
56147 + depends on GRKERNSEC_CHROOT
56148 + help
56149 + If you say Y here, processes inside a chroot will not be allowed to
56150 + mknod. The problem with using mknod inside a chroot is that it
56151 + would allow an attacker to create a device entry that is the same
56152 + as one on the physical root of your system, which could range from
56153 + anything from the console device to a device for your harddrive (which
56154 + they could then use to wipe the drive or steal data). It is recommended
56155 + that you say Y here, unless you run into software incompatibilities.
56156 + If the sysctl option is enabled, a sysctl option with name
56157 + "chroot_deny_mknod" is created.
56158 +
56159 +config GRKERNSEC_CHROOT_SHMAT
56160 + bool "Deny shmat() out of chroot"
56161 + depends on GRKERNSEC_CHROOT
56162 + help
56163 + If you say Y here, processes inside a chroot will not be able to attach
56164 + to shared memory segments that were created outside of the chroot jail.
56165 + It is recommended that you say Y here. If the sysctl option is enabled,
56166 + a sysctl option with name "chroot_deny_shmat" is created.
56167 +
56168 +config GRKERNSEC_CHROOT_UNIX
56169 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
56170 + depends on GRKERNSEC_CHROOT
56171 + help
56172 + If you say Y here, processes inside a chroot will not be able to
56173 + connect to abstract (meaning not belonging to a filesystem) Unix
56174 + domain sockets that were bound outside of a chroot. It is recommended
56175 + that you say Y here. If the sysctl option is enabled, a sysctl option
56176 + with name "chroot_deny_unix" is created.
56177 +
56178 +config GRKERNSEC_CHROOT_FINDTASK
56179 + bool "Protect outside processes"
56180 + depends on GRKERNSEC_CHROOT
56181 + help
56182 + If you say Y here, processes inside a chroot will not be able to
56183 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
56184 + getsid, or view any process outside of the chroot. If the sysctl
56185 + option is enabled, a sysctl option with name "chroot_findtask" is
56186 + created.
56187 +
56188 +config GRKERNSEC_CHROOT_NICE
56189 + bool "Restrict priority changes"
56190 + depends on GRKERNSEC_CHROOT
56191 + help
56192 + If you say Y here, processes inside a chroot will not be able to raise
56193 + the priority of processes in the chroot, or alter the priority of
56194 + processes outside the chroot. This provides more security than simply
56195 + removing CAP_SYS_NICE from the process' capability set. If the
56196 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
56197 + is created.
56198 +
56199 +config GRKERNSEC_CHROOT_SYSCTL
56200 + bool "Deny sysctl writes"
56201 + depends on GRKERNSEC_CHROOT
56202 + help
56203 + If you say Y here, an attacker in a chroot will not be able to
56204 + write to sysctl entries, either by sysctl(2) or through a /proc
56205 + interface. It is strongly recommended that you say Y here. If the
56206 + sysctl option is enabled, a sysctl option with name
56207 + "chroot_deny_sysctl" is created.
56208 +
56209 +config GRKERNSEC_CHROOT_CAPS
56210 + bool "Capability restrictions"
56211 + depends on GRKERNSEC_CHROOT
56212 + help
56213 + If you say Y here, the capabilities on all root processes within a
56214 + chroot jail will be lowered to stop module insertion, raw i/o,
56215 + system and net admin tasks, rebooting the system, modifying immutable
56216 + files, modifying IPC owned by another, and changing the system time.
56217 + This is left an option because it can break some apps. Disable this
56218 + if your chrooted apps are having problems performing those kinds of
56219 + tasks. If the sysctl option is enabled, a sysctl option with
56220 + name "chroot_caps" is created.
56221 +
56222 +endmenu
56223 +menu "Kernel Auditing"
56224 +depends on GRKERNSEC
56225 +
56226 +config GRKERNSEC_AUDIT_GROUP
56227 + bool "Single group for auditing"
56228 + help
56229 + If you say Y here, the exec, chdir, and (un)mount logging features
56230 + will only operate on a group you specify. This option is recommended
56231 + if you only want to watch certain users instead of having a large
56232 + amount of logs from the entire system. If the sysctl option is enabled,
56233 + a sysctl option with name "audit_group" is created.
56234 +
56235 +config GRKERNSEC_AUDIT_GID
56236 + int "GID for auditing"
56237 + depends on GRKERNSEC_AUDIT_GROUP
56238 + default 1007
56239 +
56240 +config GRKERNSEC_EXECLOG
56241 + bool "Exec logging"
56242 + help
56243 + If you say Y here, all execve() calls will be logged (since the
56244 + other exec*() calls are frontends to execve(), all execution
56245 + will be logged). Useful for shell-servers that like to keep track
56246 + of their users. If the sysctl option is enabled, a sysctl option with
56247 + name "exec_logging" is created.
56248 + WARNING: This option when enabled will produce a LOT of logs, especially
56249 + on an active system.
56250 +
56251 +config GRKERNSEC_RESLOG
56252 + bool "Resource logging"
56253 + help
56254 + If you say Y here, all attempts to overstep resource limits will
56255 + be logged with the resource name, the requested size, and the current
56256 + limit. It is highly recommended that you say Y here. If the sysctl
56257 + option is enabled, a sysctl option with name "resource_logging" is
56258 + created. If the RBAC system is enabled, the sysctl value is ignored.
56259 +
56260 +config GRKERNSEC_CHROOT_EXECLOG
56261 + bool "Log execs within chroot"
56262 + help
56263 + If you say Y here, all executions inside a chroot jail will be logged
56264 + to syslog. This can cause a large amount of logs if certain
56265 + applications (eg. djb's daemontools) are installed on the system, and
56266 + is therefore left as an option. If the sysctl option is enabled, a
56267 + sysctl option with name "chroot_execlog" is created.
56268 +
56269 +config GRKERNSEC_AUDIT_PTRACE
56270 + bool "Ptrace logging"
56271 + help
56272 + If you say Y here, all attempts to attach to a process via ptrace
56273 + will be logged. If the sysctl option is enabled, a sysctl option
56274 + with name "audit_ptrace" is created.
56275 +
56276 +config GRKERNSEC_AUDIT_CHDIR
56277 + bool "Chdir logging"
56278 + help
56279 + If you say Y here, all chdir() calls will be logged. If the sysctl
56280 + option is enabled, a sysctl option with name "audit_chdir" is created.
56281 +
56282 +config GRKERNSEC_AUDIT_MOUNT
56283 + bool "(Un)Mount logging"
56284 + help
56285 + If you say Y here, all mounts and unmounts will be logged. If the
56286 + sysctl option is enabled, a sysctl option with name "audit_mount" is
56287 + created.
56288 +
56289 +config GRKERNSEC_SIGNAL
56290 + bool "Signal logging"
56291 + help
56292 + If you say Y here, certain important signals will be logged, such as
56293 + SIGSEGV, which will as a result inform you of when a error in a program
56294 + occurred, which in some cases could mean a possible exploit attempt.
56295 + If the sysctl option is enabled, a sysctl option with name
56296 + "signal_logging" is created.
56297 +
56298 +config GRKERNSEC_FORKFAIL
56299 + bool "Fork failure logging"
56300 + help
56301 + If you say Y here, all failed fork() attempts will be logged.
56302 + This could suggest a fork bomb, or someone attempting to overstep
56303 + their process limit. If the sysctl option is enabled, a sysctl option
56304 + with name "forkfail_logging" is created.
56305 +
56306 +config GRKERNSEC_TIME
56307 + bool "Time change logging"
56308 + help
56309 + If you say Y here, any changes of the system clock will be logged.
56310 + If the sysctl option is enabled, a sysctl option with name
56311 + "timechange_logging" is created.
56312 +
56313 +config GRKERNSEC_PROC_IPADDR
56314 + bool "/proc/<pid>/ipaddr support"
56315 + help
56316 + If you say Y here, a new entry will be added to each /proc/<pid>
56317 + directory that contains the IP address of the person using the task.
56318 + The IP is carried across local TCP and AF_UNIX stream sockets.
56319 + This information can be useful for IDS/IPSes to perform remote response
56320 + to a local attack. The entry is readable by only the owner of the
56321 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
56322 + the RBAC system), and thus does not create privacy concerns.
56323 +
56324 +config GRKERNSEC_RWXMAP_LOG
56325 + bool 'Denied RWX mmap/mprotect logging'
56326 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
56327 + help
56328 + If you say Y here, calls to mmap() and mprotect() with explicit
56329 + usage of PROT_WRITE and PROT_EXEC together will be logged when
56330 + denied by the PAX_MPROTECT feature. If the sysctl option is
56331 + enabled, a sysctl option with name "rwxmap_logging" is created.
56332 +
56333 +config GRKERNSEC_AUDIT_TEXTREL
56334 + bool 'ELF text relocations logging (READ HELP)'
56335 + depends on PAX_MPROTECT
56336 + help
56337 + If you say Y here, text relocations will be logged with the filename
56338 + of the offending library or binary. The purpose of the feature is
56339 + to help Linux distribution developers get rid of libraries and
56340 + binaries that need text relocations which hinder the future progress
56341 + of PaX. Only Linux distribution developers should say Y here, and
56342 + never on a production machine, as this option creates an information
56343 + leak that could aid an attacker in defeating the randomization of
56344 + a single memory region. If the sysctl option is enabled, a sysctl
56345 + option with name "audit_textrel" is created.
56346 +
56347 +endmenu
56348 +
56349 +menu "Executable Protections"
56350 +depends on GRKERNSEC
56351 +
56352 +config GRKERNSEC_EXECVE
56353 + bool "Enforce RLIMIT_NPROC on execs"
56354 + help
56355 + If you say Y here, users with a resource limit on processes will
56356 + have the value checked during execve() calls. The current system
56357 + only checks the system limit during fork() calls. If the sysctl option
56358 + is enabled, a sysctl option with name "execve_limiting" is created.
56359 +
56360 +config GRKERNSEC_DMESG
56361 + bool "Dmesg(8) restriction"
56362 + help
56363 + If you say Y here, non-root users will not be able to use dmesg(8)
56364 + to view up to the last 4kb of messages in the kernel's log buffer.
56365 + The kernel's log buffer often contains kernel addresses and other
56366 + identifying information useful to an attacker in fingerprinting a
56367 + system for a targeted exploit.
56368 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
56369 + created.
56370 +
56371 +config GRKERNSEC_HARDEN_PTRACE
56372 + bool "Deter ptrace-based process snooping"
56373 + help
56374 + If you say Y here, TTY sniffers and other malicious monitoring
56375 + programs implemented through ptrace will be defeated. If you
56376 + have been using the RBAC system, this option has already been
56377 + enabled for several years for all users, with the ability to make
56378 + fine-grained exceptions.
56379 +
56380 + This option only affects the ability of non-root users to ptrace
56381 + processes that are not a descendent of the ptracing process.
56382 + This means that strace ./binary and gdb ./binary will still work,
56383 + but attaching to arbitrary processes will not. If the sysctl
56384 + option is enabled, a sysctl option with name "harden_ptrace" is
56385 + created.
56386 +
56387 +config GRKERNSEC_TPE
56388 + bool "Trusted Path Execution (TPE)"
56389 + help
56390 + If you say Y here, you will be able to choose a gid to add to the
56391 + supplementary groups of users you want to mark as "untrusted."
56392 + These users will not be able to execute any files that are not in
56393 + root-owned directories writable only by root. If the sysctl option
56394 + is enabled, a sysctl option with name "tpe" is created.
56395 +
56396 +config GRKERNSEC_TPE_ALL
56397 + bool "Partially restrict all non-root users"
56398 + depends on GRKERNSEC_TPE
56399 + help
56400 + If you say Y here, all non-root users will be covered under
56401 + a weaker TPE restriction. This is separate from, and in addition to,
56402 + the main TPE options that you have selected elsewhere. Thus, if a
56403 + "trusted" GID is chosen, this restriction applies to even that GID.
56404 + Under this restriction, all non-root users will only be allowed to
56405 + execute files in directories they own that are not group or
56406 + world-writable, or in directories owned by root and writable only by
56407 + root. If the sysctl option is enabled, a sysctl option with name
56408 + "tpe_restrict_all" is created.
56409 +
56410 +config GRKERNSEC_TPE_INVERT
56411 + bool "Invert GID option"
56412 + depends on GRKERNSEC_TPE
56413 + help
56414 + If you say Y here, the group you specify in the TPE configuration will
56415 + decide what group TPE restrictions will be *disabled* for. This
56416 + option is useful if you want TPE restrictions to be applied to most
56417 + users on the system. If the sysctl option is enabled, a sysctl option
56418 + with name "tpe_invert" is created. Unlike other sysctl options, this
56419 + entry will default to on for backward-compatibility.
56420 +
56421 +config GRKERNSEC_TPE_GID
56422 + int "GID for untrusted users"
56423 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
56424 + default 1005
56425 + help
56426 + Setting this GID determines what group TPE restrictions will be
56427 + *enabled* for. If the sysctl option is enabled, a sysctl option
56428 + with name "tpe_gid" is created.
56429 +
56430 +config GRKERNSEC_TPE_GID
56431 + int "GID for trusted users"
56432 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
56433 + default 1005
56434 + help
56435 + Setting this GID determines what group TPE restrictions will be
56436 + *disabled* for. If the sysctl option is enabled, a sysctl option
56437 + with name "tpe_gid" is created.
56438 +
56439 +endmenu
56440 +menu "Network Protections"
56441 +depends on GRKERNSEC
56442 +
56443 +config GRKERNSEC_RANDNET
56444 + bool "Larger entropy pools"
56445 + help
56446 + If you say Y here, the entropy pools used for many features of Linux
56447 + and grsecurity will be doubled in size. Since several grsecurity
56448 + features use additional randomness, it is recommended that you say Y
56449 + here. Saying Y here has a similar effect as modifying
56450 + /proc/sys/kernel/random/poolsize.
56451 +
56452 +config GRKERNSEC_BLACKHOLE
56453 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
56454 + help
56455 + If you say Y here, neither TCP resets nor ICMP
56456 + destination-unreachable packets will be sent in response to packets
56457 + sent to ports for which no associated listening process exists.
56458 + This feature supports both IPV4 and IPV6 and exempts the
56459 + loopback interface from blackholing. Enabling this feature
56460 + makes a host more resilient to DoS attacks and reduces network
56461 + visibility against scanners.
56462 +
56463 + The blackhole feature as-implemented is equivalent to the FreeBSD
56464 + blackhole feature, as it prevents RST responses to all packets, not
56465 + just SYNs. Under most application behavior this causes no
56466 + problems, but applications (like haproxy) may not close certain
56467 + connections in a way that cleanly terminates them on the remote
56468 + end, leaving the remote host in LAST_ACK state. Because of this
56469 + side-effect and to prevent intentional LAST_ACK DoSes, this
56470 + feature also adds automatic mitigation against such attacks.
56471 + The mitigation drastically reduces the amount of time a socket
56472 + can spend in LAST_ACK state. If you're using haproxy and not
56473 + all servers it connects to have this option enabled, consider
56474 + disabling this feature on the haproxy host.
56475 +
56476 + If the sysctl option is enabled, two sysctl options with names
56477 + "ip_blackhole" and "lastack_retries" will be created.
56478 + While "ip_blackhole" takes the standard zero/non-zero on/off
56479 + toggle, "lastack_retries" uses the same kinds of values as
56480 + "tcp_retries1" and "tcp_retries2". The default value of 4
56481 + prevents a socket from lasting more than 45 seconds in LAST_ACK
56482 + state.
56483 +
56484 +config GRKERNSEC_SOCKET
56485 + bool "Socket restrictions"
56486 + help
56487 + If you say Y here, you will be able to choose from several options.
56488 + If you assign a GID on your system and add it to the supplementary
56489 + groups of users you want to restrict socket access to, this patch
56490 + will perform up to three things, based on the option(s) you choose.
56491 +
56492 +config GRKERNSEC_SOCKET_ALL
56493 + bool "Deny any sockets to group"
56494 + depends on GRKERNSEC_SOCKET
56495 + help
56496 + If you say Y here, you will be able to choose a GID of whose users will
56497 + be unable to connect to other hosts from your machine or run server
56498 + applications from your machine. If the sysctl option is enabled, a
56499 + sysctl option with name "socket_all" is created.
56500 +
56501 +config GRKERNSEC_SOCKET_ALL_GID
56502 + int "GID to deny all sockets for"
56503 + depends on GRKERNSEC_SOCKET_ALL
56504 + default 1004
56505 + help
56506 + Here you can choose the GID to disable socket access for. Remember to
56507 + add the users you want socket access disabled for to the GID
56508 + specified here. If the sysctl option is enabled, a sysctl option
56509 + with name "socket_all_gid" is created.
56510 +
56511 +config GRKERNSEC_SOCKET_CLIENT
56512 + bool "Deny client sockets to group"
56513 + depends on GRKERNSEC_SOCKET
56514 + help
56515 + If you say Y here, you will be able to choose a GID of whose users will
56516 + be unable to connect to other hosts from your machine, but will be
56517 + able to run servers. If this option is enabled, all users in the group
56518 + you specify will have to use passive mode when initiating ftp transfers
56519 + from the shell on your machine. If the sysctl option is enabled, a
56520 + sysctl option with name "socket_client" is created.
56521 +
56522 +config GRKERNSEC_SOCKET_CLIENT_GID
56523 + int "GID to deny client sockets for"
56524 + depends on GRKERNSEC_SOCKET_CLIENT
56525 + default 1003
56526 + help
56527 + Here you can choose the GID to disable client socket access for.
56528 + Remember to add the users you want client socket access disabled for to
56529 + the GID specified here. If the sysctl option is enabled, a sysctl
56530 + option with name "socket_client_gid" is created.
56531 +
56532 +config GRKERNSEC_SOCKET_SERVER
56533 + bool "Deny server sockets to group"
56534 + depends on GRKERNSEC_SOCKET
56535 + help
56536 + If you say Y here, you will be able to choose a GID of whose users will
56537 + be unable to run server applications from your machine. If the sysctl
56538 + option is enabled, a sysctl option with name "socket_server" is created.
56539 +
56540 +config GRKERNSEC_SOCKET_SERVER_GID
56541 + int "GID to deny server sockets for"
56542 + depends on GRKERNSEC_SOCKET_SERVER
56543 + default 1002
56544 + help
56545 + Here you can choose the GID to disable server socket access for.
56546 + Remember to add the users you want server socket access disabled for to
56547 + the GID specified here. If the sysctl option is enabled, a sysctl
56548 + option with name "socket_server_gid" is created.
56549 +
56550 +endmenu
56551 +menu "Sysctl support"
56552 +depends on GRKERNSEC && SYSCTL
56553 +
56554 +config GRKERNSEC_SYSCTL
56555 + bool "Sysctl support"
56556 + help
56557 + If you say Y here, you will be able to change the options that
56558 + grsecurity runs with at bootup, without having to recompile your
56559 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
56560 + to enable (1) or disable (0) various features. All the sysctl entries
56561 + are mutable until the "grsec_lock" entry is set to a non-zero value.
56562 + All features enabled in the kernel configuration are disabled at boot
56563 + if you do not say Y to the "Turn on features by default" option.
56564 + All options should be set at startup, and the grsec_lock entry should
56565 + be set to a non-zero value after all the options are set.
56566 + *THIS IS EXTREMELY IMPORTANT*
56567 +
56568 +config GRKERNSEC_SYSCTL_DISTRO
56569 + bool "Extra sysctl support for distro makers (READ HELP)"
56570 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
56571 + help
56572 + If you say Y here, additional sysctl options will be created
56573 + for features that affect processes running as root. Therefore,
56574 + it is critical when using this option that the grsec_lock entry be
56575 + enabled after boot. Only distros with prebuilt kernel packages
56576 + with this option enabled that can ensure grsec_lock is enabled
56577 + after boot should use this option.
56578 + *Failure to set grsec_lock after boot makes all grsec features
56579 + this option covers useless*
56580 +
56581 + Currently this option creates the following sysctl entries:
56582 + "Disable Privileged I/O": "disable_priv_io"
56583 +
56584 +config GRKERNSEC_SYSCTL_ON
56585 + bool "Turn on features by default"
56586 + depends on GRKERNSEC_SYSCTL
56587 + help
56588 + If you say Y here, instead of having all features enabled in the
56589 + kernel configuration disabled at boot time, the features will be
56590 + enabled at boot time. It is recommended you say Y here unless
56591 + there is some reason you would want all sysctl-tunable features to
56592 + be disabled by default. As mentioned elsewhere, it is important
56593 + to enable the grsec_lock entry once you have finished modifying
56594 + the sysctl entries.
56595 +
56596 +endmenu
56597 +menu "Logging Options"
56598 +depends on GRKERNSEC
56599 +
56600 +config GRKERNSEC_FLOODTIME
56601 + int "Seconds in between log messages (minimum)"
56602 + default 10
56603 + help
56604 + This option allows you to enforce the number of seconds between
56605 + grsecurity log messages. The default should be suitable for most
56606 + people, however, if you choose to change it, choose a value small enough
56607 + to allow informative logs to be produced, but large enough to
56608 + prevent flooding.
56609 +
56610 +config GRKERNSEC_FLOODBURST
56611 + int "Number of messages in a burst (maximum)"
56612 + default 4
56613 + help
56614 + This option allows you to choose the maximum number of messages allowed
56615 + within the flood time interval you chose in a separate option. The
56616 + default should be suitable for most people, however if you find that
56617 + many of your logs are being interpreted as flooding, you may want to
56618 + raise this value.
56619 +
56620 +endmenu
56621 +
56622 +endmenu
56623 diff -urNp linux-2.6.32.43/grsecurity/Makefile linux-2.6.32.43/grsecurity/Makefile
56624 --- linux-2.6.32.43/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
56625 +++ linux-2.6.32.43/grsecurity/Makefile 2011-05-24 20:27:46.000000000 -0400
56626 @@ -0,0 +1,33 @@
56627 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
56628 +# during 2001-2009 it has been completely redesigned by Brad Spengler
56629 +# into an RBAC system
56630 +#
56631 +# All code in this directory and various hooks inserted throughout the kernel
56632 +# are copyright Brad Spengler - Open Source Security, Inc., and released
56633 +# under the GPL v2 or higher
56634 +
56635 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
56636 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
56637 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
56638 +
56639 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
56640 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
56641 + gracl_learn.o grsec_log.o
56642 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
56643 +
56644 +ifdef CONFIG_NET
56645 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
56646 +endif
56647 +
56648 +ifndef CONFIG_GRKERNSEC
56649 +obj-y += grsec_disabled.o
56650 +endif
56651 +
56652 +ifdef CONFIG_GRKERNSEC_HIDESYM
56653 +extra-y := grsec_hidesym.o
56654 +$(obj)/grsec_hidesym.o:
56655 + @-chmod -f 500 /boot
56656 + @-chmod -f 500 /lib/modules
56657 + @-chmod -f 700 .
56658 + @echo ' grsec: protected kernel image paths'
56659 +endif
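Review bot: The `$(obj)/grsec_hidesym.o` rule at the end of this Makefile changes the mode of `/boot`, `/lib/modules` and the current directory on the build host as a side effect of compiling. The `@-` prefix together with `chmod -f` hides every failure, so the final `echo` prints 'protected kernel image paths' even when no mode was changed. On a packaging or cross-build host those are not the paths the resulting kernel is installed to, so the restriction is not applied on the machine that runs the kernel. I would tie the message to success, `@-chmod -f 500 /boot /lib/modules && chmod -f 700 . && echo ' grsec: protected kernel image paths'`. A comment above the rule should say that an unprivileged build leaves the paths untouched and that the installer must set the modes on the target.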
56660 diff -urNp linux-2.6.32.43/include/acpi/acpi_bus.h linux-2.6.32.43/include/acpi/acpi_bus.h
56661 --- linux-2.6.32.43/include/acpi/acpi_bus.h 2011-03-27 14:31:47.000000000 -0400
56662 +++ linux-2.6.32.43/include/acpi/acpi_bus.h 2011-08-05 20:33:55.000000000 -0400
56663 @@ -107,7 +107,7 @@ struct acpi_device_ops {
56664 acpi_op_bind bind;
56665 acpi_op_unbind unbind;
56666 acpi_op_notify notify;
56667 -};
56668 +} __no_const;
56669
56670 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
56671
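Review bot: The `__no_const` added to `struct acpi_device_ops` carries no comment saying why this table of function pointers has to stay writable; the same applies to `drm_crtc_helper_funcs`, `drm_encoder_helper_funcs` and `ttm_mem_shrink` later in the patch. The attribute presumably exempts the struct from the constification this patch applies to other ops tables, so each use is a deliberate gap in that hardening and should be auditable. I would add a one-line comment at each site naming the code that assigns the members at run time, e.g. `/* __no_const: members are assigned at run time by <caller> */`. The struct definition starts outside the hunk.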
56672 diff -urNp linux-2.6.32.43/include/acpi/acpi_drivers.h linux-2.6.32.43/include/acpi/acpi_drivers.h
56673 --- linux-2.6.32.43/include/acpi/acpi_drivers.h 2011-03-27 14:31:47.000000000 -0400
56674 +++ linux-2.6.32.43/include/acpi/acpi_drivers.h 2011-04-17 15:56:46.000000000 -0400
56675 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
56676 Dock Station
56677 -------------------------------------------------------------------------- */
56678 struct acpi_dock_ops {
56679 - acpi_notify_handler handler;
56680 - acpi_notify_handler uevent;
56681 + const acpi_notify_handler handler;
56682 + const acpi_notify_handler uevent;
56683 };
56684
56685 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
56686 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
56687 extern int register_dock_notifier(struct notifier_block *nb);
56688 extern void unregister_dock_notifier(struct notifier_block *nb);
56689 extern int register_hotplug_dock_device(acpi_handle handle,
56690 - struct acpi_dock_ops *ops,
56691 + const struct acpi_dock_ops *ops,
56692 void *context);
56693 extern void unregister_hotplug_dock_device(acpi_handle handle);
56694 #else
56695 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
56696 {
56697 }
56698 static inline int register_hotplug_dock_device(acpi_handle handle,
56699 - struct acpi_dock_ops *ops,
56700 + const struct acpi_dock_ops *ops,
56701 void *context)
56702 {
56703 return -ENODEV;
56704 diff -urNp linux-2.6.32.43/include/asm-generic/atomic-long.h linux-2.6.32.43/include/asm-generic/atomic-long.h
56705 --- linux-2.6.32.43/include/asm-generic/atomic-long.h 2011-03-27 14:31:47.000000000 -0400
56706 +++ linux-2.6.32.43/include/asm-generic/atomic-long.h 2011-07-13 22:21:25.000000000 -0400
56707 @@ -22,6 +22,12 @@
56708
56709 typedef atomic64_t atomic_long_t;
56710
56711 +#ifdef CONFIG_PAX_REFCOUNT
56712 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
56713 +#else
56714 +typedef atomic64_t atomic_long_unchecked_t;
56715 +#endif
56716 +
56717 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
56718
56719 static inline long atomic_long_read(atomic_long_t *l)
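Review bot: `atomic_long_unchecked_t` is introduced here, and again in the 32-bit branch further down, with no comment saying which counters may use it. Judging by the config name, the ordinary atomic types gain overflow detection under CONFIG_PAX_REFCOUNT and the `_unchecked` types opt out of it, so a reference count converted to the unchecked type by mistake would silently lose that protection. I would add above the typedef `/* Unchecked variant: only for statistics or sequence counters that may legitimately wrap; never for reference counts. */`, worded to match the actual semantics. The hunk ends inside `atomic_long_read()`, whose body is outside it.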
56720 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
56721 return (long)atomic64_read(v);
56722 }
56723
56724 +#ifdef CONFIG_PAX_REFCOUNT
56725 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
56726 +{
56727 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56728 +
56729 + return (long)atomic64_read_unchecked(v);
56730 +}
56731 +#endif
56732 +
56733 static inline void atomic_long_set(atomic_long_t *l, long i)
56734 {
56735 atomic64_t *v = (atomic64_t *)l;
56736 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
56737 atomic64_set(v, i);
56738 }
56739
56740 +#ifdef CONFIG_PAX_REFCOUNT
56741 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
56742 +{
56743 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56744 +
56745 + atomic64_set_unchecked(v, i);
56746 +}
56747 +#endif
56748 +
56749 static inline void atomic_long_inc(atomic_long_t *l)
56750 {
56751 atomic64_t *v = (atomic64_t *)l;
56752 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
56753 atomic64_inc(v);
56754 }
56755
56756 +#ifdef CONFIG_PAX_REFCOUNT
56757 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
56758 +{
56759 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56760 +
56761 + atomic64_inc_unchecked(v);
56762 +}
56763 +#endif
56764 +
56765 static inline void atomic_long_dec(atomic_long_t *l)
56766 {
56767 atomic64_t *v = (atomic64_t *)l;
56768 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
56769 atomic64_dec(v);
56770 }
56771
56772 +#ifdef CONFIG_PAX_REFCOUNT
56773 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
56774 +{
56775 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56776 +
56777 + atomic64_dec_unchecked(v);
56778 +}
56779 +#endif
56780 +
56781 static inline void atomic_long_add(long i, atomic_long_t *l)
56782 {
56783 atomic64_t *v = (atomic64_t *)l;
56784 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
56785 atomic64_add(i, v);
56786 }
56787
56788 +#ifdef CONFIG_PAX_REFCOUNT
56789 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
56790 +{
56791 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56792 +
56793 + atomic64_add_unchecked(i, v);
56794 +}
56795 +#endif
56796 +
56797 static inline void atomic_long_sub(long i, atomic_long_t *l)
56798 {
56799 atomic64_t *v = (atomic64_t *)l;
56800 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
56801 return (long)atomic64_inc_return(v);
56802 }
56803
56804 +#ifdef CONFIG_PAX_REFCOUNT
56805 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
56806 +{
56807 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
56808 +
56809 + return (long)atomic64_inc_return_unchecked(v);
56810 +}
56811 +#endif
56812 +
56813 static inline long atomic_long_dec_return(atomic_long_t *l)
56814 {
56815 atomic64_t *v = (atomic64_t *)l;
56816 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
56817
56818 typedef atomic_t atomic_long_t;
56819
56820 +#ifdef CONFIG_PAX_REFCOUNT
56821 +typedef atomic_unchecked_t atomic_long_unchecked_t;
56822 +#else
56823 +typedef atomic_t atomic_long_unchecked_t;
56824 +#endif
56825 +
56826 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
56827 static inline long atomic_long_read(atomic_long_t *l)
56828 {
56829 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
56830 return (long)atomic_read(v);
56831 }
56832
56833 +#ifdef CONFIG_PAX_REFCOUNT
56834 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
56835 +{
56836 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56837 +
56838 + return (long)atomic_read_unchecked(v);
56839 +}
56840 +#endif
56841 +
56842 static inline void atomic_long_set(atomic_long_t *l, long i)
56843 {
56844 atomic_t *v = (atomic_t *)l;
56845 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
56846 atomic_set(v, i);
56847 }
56848
56849 +#ifdef CONFIG_PAX_REFCOUNT
56850 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
56851 +{
56852 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56853 +
56854 + atomic_set_unchecked(v, i);
56855 +}
56856 +#endif
56857 +
56858 static inline void atomic_long_inc(atomic_long_t *l)
56859 {
56860 atomic_t *v = (atomic_t *)l;
56861 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
56862 atomic_inc(v);
56863 }
56864
56865 +#ifdef CONFIG_PAX_REFCOUNT
56866 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
56867 +{
56868 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56869 +
56870 + atomic_inc_unchecked(v);
56871 +}
56872 +#endif
56873 +
56874 static inline void atomic_long_dec(atomic_long_t *l)
56875 {
56876 atomic_t *v = (atomic_t *)l;
56877 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
56878 atomic_dec(v);
56879 }
56880
56881 +#ifdef CONFIG_PAX_REFCOUNT
56882 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
56883 +{
56884 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56885 +
56886 + atomic_dec_unchecked(v);
56887 +}
56888 +#endif
56889 +
56890 static inline void atomic_long_add(long i, atomic_long_t *l)
56891 {
56892 atomic_t *v = (atomic_t *)l;
56893 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
56894 atomic_add(i, v);
56895 }
56896
56897 +#ifdef CONFIG_PAX_REFCOUNT
56898 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
56899 +{
56900 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56901 +
56902 + atomic_add_unchecked(i, v);
56903 +}
56904 +#endif
56905 +
56906 static inline void atomic_long_sub(long i, atomic_long_t *l)
56907 {
56908 atomic_t *v = (atomic_t *)l;
56909 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
56910 return (long)atomic_inc_return(v);
56911 }
56912
56913 +#ifdef CONFIG_PAX_REFCOUNT
56914 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
56915 +{
56916 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
56917 +
56918 + return (long)atomic_inc_return_unchecked(v);
56919 +}
56920 +#endif
56921 +
56922 static inline long atomic_long_dec_return(atomic_long_t *l)
56923 {
56924 atomic_t *v = (atomic_t *)l;
56925 @@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
56926
56927 #endif /* BITS_PER_LONG == 64 */
56928
56929 +#ifdef CONFIG_PAX_REFCOUNT
56930 +static inline void pax_refcount_needs_these_functions(void)
56931 +{
56932 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
56933 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
56934 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
56935 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
56936 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
56937 + (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
56938 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
56939 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
56940 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
56941 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
56942 + (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
56943 +
56944 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
56945 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
56946 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
56947 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
56948 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
56949 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
56950 +}
56951 +#else
56952 +#define atomic_read_unchecked(v) atomic_read(v)
56953 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
56954 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
56955 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
56956 +#define atomic_inc_unchecked(v) atomic_inc(v)
56957 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
56958 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
56959 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
56960 +#define atomic_dec_unchecked(v) atomic_dec(v)
56961 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
56962 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
56963 +
56964 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
56965 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
56966 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
56967 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
56968 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
56969 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
56970 +#endif
56971 +
56972 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
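Review bot: `pax_refcount_needs_these_functions()` passes NULL to every `_unchecked` primitive and has no comment, so it reads like code that would fault if it were ever called. It appears to exist only so that an architecture missing one of the primitives fails to compile under CONFIG_PAX_REFCOUNT. I would state that directly above it: `/* Never called: compile-time check that the architecture provides every *_unchecked primitive listed here. */`. The `#else` macro list has to stay in step with this function, which is also worth a line, since a primitive added to one side only would build in one configuration and break in the other.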
56973 diff -urNp linux-2.6.32.43/include/asm-generic/cache.h linux-2.6.32.43/include/asm-generic/cache.h
56974 --- linux-2.6.32.43/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400
56975 +++ linux-2.6.32.43/include/asm-generic/cache.h 2011-07-06 19:53:33.000000000 -0400
56976 @@ -6,7 +6,7 @@
56977 * cache lines need to provide their own cache.h.
56978 */
56979
56980 -#define L1_CACHE_SHIFT 5
56981 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
56982 +#define L1_CACHE_SHIFT 5UL
56983 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
56984
56985 #endif /* __ASM_GENERIC_CACHE_H */
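Review bot: `L1_CACHE_SHIFT` and `L1_CACHE_BYTES` now carry a bare `UL` suffix, which an assembler or linker script cannot parse if this header is reached from a `.S` or `.lds.S` file. The pgtable-nopmd.h and pgtable-nopud.h hunks in this same patch use `_AC(1,UL)` for constants that are visible outside `#ifndef __ASSEMBLY__`. I would do the same here with `#define L1_CACHE_SHIFT 5` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, including `<linux/const.h>` for `_AC`. Keeping the shift count a plain integer also avoids changing the type of every expression that uses it. A short comment saying why the byte count must be `unsigned long` would help the next reader.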
56986 diff -urNp linux-2.6.32.43/include/asm-generic/dma-mapping-common.h linux-2.6.32.43/include/asm-generic/dma-mapping-common.h
56987 --- linux-2.6.32.43/include/asm-generic/dma-mapping-common.h 2011-03-27 14:31:47.000000000 -0400
56988 +++ linux-2.6.32.43/include/asm-generic/dma-mapping-common.h 2011-04-17 15:56:46.000000000 -0400
56989 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
56990 enum dma_data_direction dir,
56991 struct dma_attrs *attrs)
56992 {
56993 - struct dma_map_ops *ops = get_dma_ops(dev);
56994 + const struct dma_map_ops *ops = get_dma_ops(dev);
56995 dma_addr_t addr;
56996
56997 kmemcheck_mark_initialized(ptr, size);
56998 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
56999 enum dma_data_direction dir,
57000 struct dma_attrs *attrs)
57001 {
57002 - struct dma_map_ops *ops = get_dma_ops(dev);
57003 + const struct dma_map_ops *ops = get_dma_ops(dev);
57004
57005 BUG_ON(!valid_dma_direction(dir));
57006 if (ops->unmap_page)
57007 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
57008 int nents, enum dma_data_direction dir,
57009 struct dma_attrs *attrs)
57010 {
57011 - struct dma_map_ops *ops = get_dma_ops(dev);
57012 + const struct dma_map_ops *ops = get_dma_ops(dev);
57013 int i, ents;
57014 struct scatterlist *s;
57015
57016 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
57017 int nents, enum dma_data_direction dir,
57018 struct dma_attrs *attrs)
57019 {
57020 - struct dma_map_ops *ops = get_dma_ops(dev);
57021 + const struct dma_map_ops *ops = get_dma_ops(dev);
57022
57023 BUG_ON(!valid_dma_direction(dir));
57024 debug_dma_unmap_sg(dev, sg, nents, dir);
57025 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
57026 size_t offset, size_t size,
57027 enum dma_data_direction dir)
57028 {
57029 - struct dma_map_ops *ops = get_dma_ops(dev);
57030 + const struct dma_map_ops *ops = get_dma_ops(dev);
57031 dma_addr_t addr;
57032
57033 kmemcheck_mark_initialized(page_address(page) + offset, size);
57034 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
57035 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
57036 size_t size, enum dma_data_direction dir)
57037 {
57038 - struct dma_map_ops *ops = get_dma_ops(dev);
57039 + const struct dma_map_ops *ops = get_dma_ops(dev);
57040
57041 BUG_ON(!valid_dma_direction(dir));
57042 if (ops->unmap_page)
57043 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
57044 size_t size,
57045 enum dma_data_direction dir)
57046 {
57047 - struct dma_map_ops *ops = get_dma_ops(dev);
57048 + const struct dma_map_ops *ops = get_dma_ops(dev);
57049
57050 BUG_ON(!valid_dma_direction(dir));
57051 if (ops->sync_single_for_cpu)
57052 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
57053 dma_addr_t addr, size_t size,
57054 enum dma_data_direction dir)
57055 {
57056 - struct dma_map_ops *ops = get_dma_ops(dev);
57057 + const struct dma_map_ops *ops = get_dma_ops(dev);
57058
57059 BUG_ON(!valid_dma_direction(dir));
57060 if (ops->sync_single_for_device)
57061 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
57062 size_t size,
57063 enum dma_data_direction dir)
57064 {
57065 - struct dma_map_ops *ops = get_dma_ops(dev);
57066 + const struct dma_map_ops *ops = get_dma_ops(dev);
57067
57068 BUG_ON(!valid_dma_direction(dir));
57069 if (ops->sync_single_range_for_cpu) {
57070 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
57071 size_t size,
57072 enum dma_data_direction dir)
57073 {
57074 - struct dma_map_ops *ops = get_dma_ops(dev);
57075 + const struct dma_map_ops *ops = get_dma_ops(dev);
57076
57077 BUG_ON(!valid_dma_direction(dir));
57078 if (ops->sync_single_range_for_device) {
57079 @@ -155,7 +155,7 @@ static inline void
57080 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
57081 int nelems, enum dma_data_direction dir)
57082 {
57083 - struct dma_map_ops *ops = get_dma_ops(dev);
57084 + const struct dma_map_ops *ops = get_dma_ops(dev);
57085
57086 BUG_ON(!valid_dma_direction(dir));
57087 if (ops->sync_sg_for_cpu)
57088 @@ -167,7 +167,7 @@ static inline void
57089 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
57090 int nelems, enum dma_data_direction dir)
57091 {
57092 - struct dma_map_ops *ops = get_dma_ops(dev);
57093 + const struct dma_map_ops *ops = get_dma_ops(dev);
57094
57095 BUG_ON(!valid_dma_direction(dir));
57096 if (ops->sync_sg_for_device)
57097 diff -urNp linux-2.6.32.43/include/asm-generic/futex.h linux-2.6.32.43/include/asm-generic/futex.h
57098 --- linux-2.6.32.43/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400
57099 +++ linux-2.6.32.43/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400
57100 @@ -6,7 +6,7 @@
57101 #include <asm/errno.h>
57102
57103 static inline int
57104 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
57105 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
57106 {
57107 int op = (encoded_op >> 28) & 7;
57108 int cmp = (encoded_op >> 24) & 15;
57109 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
57110 }
57111
57112 static inline int
57113 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
57114 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
57115 {
57116 return -ENOSYS;
57117 }
57118 diff -urNp linux-2.6.32.43/include/asm-generic/int-l64.h linux-2.6.32.43/include/asm-generic/int-l64.h
57119 --- linux-2.6.32.43/include/asm-generic/int-l64.h 2011-03-27 14:31:47.000000000 -0400
57120 +++ linux-2.6.32.43/include/asm-generic/int-l64.h 2011-04-17 15:56:46.000000000 -0400
57121 @@ -46,6 +46,8 @@ typedef unsigned int u32;
57122 typedef signed long s64;
57123 typedef unsigned long u64;
57124
57125 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
57126 +
57127 #define S8_C(x) x
57128 #define U8_C(x) x ## U
57129 #define S16_C(x) x
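Review bot: `intoverflow_t` is added without a comment, and its two definitions differ in width: 128 bits here through `mode(TI)`, 64 bits in the int-ll64.h hunk that follows. The name suggests a type wide enough to hold a size computation so the result can be compared against the native limit. If that is the intent, the int-ll64.h variant is only wide enough where `long` is 32 bits, which should be checked against any 64-bit architecture that includes int-ll64.h. I would add above both typedefs a comment such as `/* wider than unsigned long, so a size product can be range-checked before use */`, adjusted to the real callers. The comment should also note that `mode(TI)` requires compiler support for 128-bit integers on the target.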
57130 diff -urNp linux-2.6.32.43/include/asm-generic/int-ll64.h linux-2.6.32.43/include/asm-generic/int-ll64.h
57131 --- linux-2.6.32.43/include/asm-generic/int-ll64.h 2011-03-27 14:31:47.000000000 -0400
57132 +++ linux-2.6.32.43/include/asm-generic/int-ll64.h 2011-04-17 15:56:46.000000000 -0400
57133 @@ -51,6 +51,8 @@ typedef unsigned int u32;
57134 typedef signed long long s64;
57135 typedef unsigned long long u64;
57136
57137 +typedef unsigned long long intoverflow_t;
57138 +
57139 #define S8_C(x) x
57140 #define U8_C(x) x ## U
57141 #define S16_C(x) x
57142 diff -urNp linux-2.6.32.43/include/asm-generic/kmap_types.h linux-2.6.32.43/include/asm-generic/kmap_types.h
57143 --- linux-2.6.32.43/include/asm-generic/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
57144 +++ linux-2.6.32.43/include/asm-generic/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
57145 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
57146 KMAP_D(16) KM_IRQ_PTE,
57147 KMAP_D(17) KM_NMI,
57148 KMAP_D(18) KM_NMI_PTE,
57149 -KMAP_D(19) KM_TYPE_NR
57150 +KMAP_D(19) KM_CLEARPAGE,
57151 +KMAP_D(20) KM_TYPE_NR
57152 };
57153
57154 #undef KMAP_D
57155 diff -urNp linux-2.6.32.43/include/asm-generic/pgtable.h linux-2.6.32.43/include/asm-generic/pgtable.h
57156 --- linux-2.6.32.43/include/asm-generic/pgtable.h 2011-03-27 14:31:47.000000000 -0400
57157 +++ linux-2.6.32.43/include/asm-generic/pgtable.h 2011-04-17 15:56:46.000000000 -0400
57158 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
57159 unsigned long size);
57160 #endif
57161
57162 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
57163 +static inline unsigned long pax_open_kernel(void) { return 0; }
57164 +#endif
57165 +
57166 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
57167 +static inline unsigned long pax_close_kernel(void) { return 0; }
57168 +#endif
57169 +
57170 #endif /* !__ASSEMBLY__ */
57171
57172 #endif /* _ASM_GENERIC_PGTABLE_H */
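Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` fallbacks are silent no-ops that return 0, and nothing in the hunk says so. On an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL` and `__HAVE_ARCH_PAX_CLOSE_KERNEL`, any code bracketed by the pair runs with no change in kernel write protection, which a reader of the call sites cannot tell. I would add a comment above the stubs, `/* Fallback for architectures without kernel write-protection toggling: no-ops, so the open/close bracket gives no protection here. */`. The meaning of the `unsigned long` return value should also be documented, since both stubs return 0 and the hunk does not show what an architecture implementation returns.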
57173 diff -urNp linux-2.6.32.43/include/asm-generic/pgtable-nopmd.h linux-2.6.32.43/include/asm-generic/pgtable-nopmd.h
57174 --- linux-2.6.32.43/include/asm-generic/pgtable-nopmd.h 2011-03-27 14:31:47.000000000 -0400
57175 +++ linux-2.6.32.43/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:56:46.000000000 -0400
57176 @@ -1,14 +1,19 @@
57177 #ifndef _PGTABLE_NOPMD_H
57178 #define _PGTABLE_NOPMD_H
57179
57180 -#ifndef __ASSEMBLY__
57181 -
57182 #include <asm-generic/pgtable-nopud.h>
57183
57184 -struct mm_struct;
57185 -
57186 #define __PAGETABLE_PMD_FOLDED
57187
57188 +#define PMD_SHIFT PUD_SHIFT
57189 +#define PTRS_PER_PMD 1
57190 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
57191 +#define PMD_MASK (~(PMD_SIZE-1))
57192 +
57193 +#ifndef __ASSEMBLY__
57194 +
57195 +struct mm_struct;
57196 +
57197 /*
57198 * Having the pmd type consist of a pud gets the size right, and allows
57199 * us to conceptually access the pud entry that this pmd is folded into
57200 @@ -16,11 +21,6 @@ struct mm_struct;
57201 */
57202 typedef struct { pud_t pud; } pmd_t;
57203
57204 -#define PMD_SHIFT PUD_SHIFT
57205 -#define PTRS_PER_PMD 1
57206 -#define PMD_SIZE (1UL << PMD_SHIFT)
57207 -#define PMD_MASK (~(PMD_SIZE-1))
57208 -
57209 /*
57210 * The "pud_xxx()" functions here are trivial for a folded two-level
57211 * setup: the pmd is never bad, and a pmd always exists (as it's folded
57212 diff -urNp linux-2.6.32.43/include/asm-generic/pgtable-nopud.h linux-2.6.32.43/include/asm-generic/pgtable-nopud.h
57213 --- linux-2.6.32.43/include/asm-generic/pgtable-nopud.h 2011-03-27 14:31:47.000000000 -0400
57214 +++ linux-2.6.32.43/include/asm-generic/pgtable-nopud.h 2011-04-17 15:56:46.000000000 -0400
57215 @@ -1,10 +1,15 @@
57216 #ifndef _PGTABLE_NOPUD_H
57217 #define _PGTABLE_NOPUD_H
57218
57219 -#ifndef __ASSEMBLY__
57220 -
57221 #define __PAGETABLE_PUD_FOLDED
57222
57223 +#define PUD_SHIFT PGDIR_SHIFT
57224 +#define PTRS_PER_PUD 1
57225 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
57226 +#define PUD_MASK (~(PUD_SIZE-1))
57227 +
57228 +#ifndef __ASSEMBLY__
57229 +
57230 /*
57231 * Having the pud type consist of a pgd gets the size right, and allows
57232 * us to conceptually access the pgd entry that this pud is folded into
57233 @@ -12,11 +17,6 @@
57234 */
57235 typedef struct { pgd_t pgd; } pud_t;
57236
57237 -#define PUD_SHIFT PGDIR_SHIFT
57238 -#define PTRS_PER_PUD 1
57239 -#define PUD_SIZE (1UL << PUD_SHIFT)
57240 -#define PUD_MASK (~(PUD_SIZE-1))
57241 -
57242 /*
57243 * The "pgd_xxx()" functions here are trivial for a folded two-level
57244 * setup: the pud is never bad, and a pud always exists (as it's folded
57245 diff -urNp linux-2.6.32.43/include/asm-generic/vmlinux.lds.h linux-2.6.32.43/include/asm-generic/vmlinux.lds.h
57246 --- linux-2.6.32.43/include/asm-generic/vmlinux.lds.h 2011-03-27 14:31:47.000000000 -0400
57247 +++ linux-2.6.32.43/include/asm-generic/vmlinux.lds.h 2011-04-17 15:56:46.000000000 -0400
57248 @@ -199,6 +199,7 @@
57249 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
57250 VMLINUX_SYMBOL(__start_rodata) = .; \
57251 *(.rodata) *(.rodata.*) \
57252 + *(.data.read_only) \
57253 *(__vermagic) /* Kernel version magic */ \
57254 *(__markers_strings) /* Markers: strings */ \
57255 *(__tracepoints_strings)/* Tracepoints: strings */ \
57256 @@ -656,22 +657,24 @@
57257 * section in the linker script will go there too. @phdr should have
57258 * a leading colon.
57259 *
57260 - * Note that this macros defines __per_cpu_load as an absolute symbol.
57261 + * Note that this macros defines per_cpu_load as an absolute symbol.
57262 * If there is no need to put the percpu section at a predetermined
57263 * address, use PERCPU().
57264 */
57265 #define PERCPU_VADDR(vaddr, phdr) \
57266 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
57267 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
57268 + per_cpu_load = .; \
57269 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
57270 - LOAD_OFFSET) { \
57271 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
57272 VMLINUX_SYMBOL(__per_cpu_start) = .; \
57273 *(.data.percpu.first) \
57274 - *(.data.percpu.page_aligned) \
57275 *(.data.percpu) \
57276 + . = ALIGN(PAGE_SIZE); \
57277 + *(.data.percpu.page_aligned) \
57278 *(.data.percpu.shared_aligned) \
57279 VMLINUX_SYMBOL(__per_cpu_end) = .; \
57280 } phdr \
57281 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
57282 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
57283
57284 /**
57285 * PERCPU - define output section for percpu area, simple version
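Review bot: In `PERCPU_VADDR`, `per_cpu_load = .;` is assigned without `VMLINUX_SYMBOL()`, while the `AT(...)` expression on the next line and the final location-counter assignment refer to `VMLINUX_SYMBOL(per_cpu_load)`. On a configuration where VMLINUX_SYMBOL adds a prefix the two names would differ. Use `VMLINUX_SYMBOL(per_cpu_load) = .;`, and the same on the right-hand side of the new `__per_cpu_load` line, or drop the wrapper everywhere for this helper symbol. The reworded comment says the macro defines `per_cpu_load`, but `__per_cpu_load` is still defined, now inside the section as `. + per_cpu_load`. The comment should describe both symbols and why the load address is computed this way.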
57286 diff -urNp linux-2.6.32.43/include/drm/drm_crtc_helper.h linux-2.6.32.43/include/drm/drm_crtc_helper.h
57287 --- linux-2.6.32.43/include/drm/drm_crtc_helper.h 2011-03-27 14:31:47.000000000 -0400
57288 +++ linux-2.6.32.43/include/drm/drm_crtc_helper.h 2011-08-05 20:33:55.000000000 -0400
57289 @@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
57290
57291 /* reload the current crtc LUT */
57292 void (*load_lut)(struct drm_crtc *crtc);
57293 -};
57294 +} __no_const;
57295
57296 struct drm_encoder_helper_funcs {
57297 void (*dpms)(struct drm_encoder *encoder, int mode);
57298 @@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
57299 struct drm_connector *connector);
57300 /* disable encoder when not in use - more explicit than dpms off */
57301 void (*disable)(struct drm_encoder *encoder);
57302 -};
57303 +} __no_const;
57304
57305 struct drm_connector_helper_funcs {
57306 int (*get_modes)(struct drm_connector *connector);
57307 diff -urNp linux-2.6.32.43/include/drm/drmP.h linux-2.6.32.43/include/drm/drmP.h
57308 --- linux-2.6.32.43/include/drm/drmP.h 2011-03-27 14:31:47.000000000 -0400
57309 +++ linux-2.6.32.43/include/drm/drmP.h 2011-04-17 15:56:46.000000000 -0400
57310 @@ -71,6 +71,7 @@
57311 #include <linux/workqueue.h>
57312 #include <linux/poll.h>
57313 #include <asm/pgalloc.h>
57314 +#include <asm/local.h>
57315 #include "drm.h"
57316
57317 #include <linux/idr.h>
57318 @@ -814,7 +815,7 @@ struct drm_driver {
57319 void (*vgaarb_irq)(struct drm_device *dev, bool state);
57320
57321 /* Driver private ops for this object */
57322 - struct vm_operations_struct *gem_vm_ops;
57323 + const struct vm_operations_struct *gem_vm_ops;
57324
57325 int major;
57326 int minor;
57327 @@ -917,7 +918,7 @@ struct drm_device {
57328
57329 /** \name Usage Counters */
57330 /*@{ */
57331 - int open_count; /**< Outstanding files open */
57332 + local_t open_count; /**< Outstanding files open */
57333 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
57334 atomic_t vma_count; /**< Outstanding vma areas open */
57335 int buf_use; /**< Buffers in use -- cannot alloc */
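Review bot: `open_count` becomes `local_t`, whose operations the kernel documents as atomic only with respect to the CPU that owns the variable, yet this is a per-device field that any CPU may reach through open and release. If the existing callers already serialize access with a lock the change is harmless, but the field comment still reads only "Outstanding files open" and does not say so. I would extend it to `/**< Outstanding files open; updated under <lock>, local_t is not cross-CPU atomic */` after confirming which lock that is. The struct starts and ends outside the hunk.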
57336 @@ -928,7 +929,7 @@ struct drm_device {
57337 /*@{ */
57338 unsigned long counters;
57339 enum drm_stat_type types[15];
57340 - atomic_t counts[15];
57341 + atomic_unchecked_t counts[15];
57342 /*@} */
57343
57344 struct list_head filelist;
57345 @@ -1016,7 +1017,7 @@ struct drm_device {
57346 struct pci_controller *hose;
57347 #endif
57348 struct drm_sg_mem *sg; /**< Scatter gather memory */
57349 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
57350 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
57351 void *dev_private; /**< device private data */
57352 void *mm_private;
57353 struct address_space *dev_mapping;
57354 @@ -1042,11 +1043,11 @@ struct drm_device {
57355 spinlock_t object_name_lock;
57356 struct idr object_name_idr;
57357 atomic_t object_count;
57358 - atomic_t object_memory;
57359 + atomic_unchecked_t object_memory;
57360 atomic_t pin_count;
57361 - atomic_t pin_memory;
57362 + atomic_unchecked_t pin_memory;
57363 atomic_t gtt_count;
57364 - atomic_t gtt_memory;
57365 + atomic_unchecked_t gtt_memory;
57366 uint32_t gtt_total;
57367 uint32_t invalidate_domains; /* domains pending invalidation */
57368 uint32_t flush_domains; /* domains pending flush */
57369 diff -urNp linux-2.6.32.43/include/drm/ttm/ttm_memory.h linux-2.6.32.43/include/drm/ttm/ttm_memory.h
57370 --- linux-2.6.32.43/include/drm/ttm/ttm_memory.h 2011-03-27 14:31:47.000000000 -0400
57371 +++ linux-2.6.32.43/include/drm/ttm/ttm_memory.h 2011-08-05 20:33:55.000000000 -0400
57372 @@ -47,7 +47,7 @@
57373
57374 struct ttm_mem_shrink {
57375 int (*do_shrink) (struct ttm_mem_shrink *);
57376 -};
57377 +} __no_const;
57378
57379 /**
57380 * struct ttm_mem_global - Global memory accounting structure.
57381 diff -urNp linux-2.6.32.43/include/linux/a.out.h linux-2.6.32.43/include/linux/a.out.h
57382 --- linux-2.6.32.43/include/linux/a.out.h 2011-03-27 14:31:47.000000000 -0400
57383 +++ linux-2.6.32.43/include/linux/a.out.h 2011-04-17 15:56:46.000000000 -0400
57384 @@ -39,6 +39,14 @@ enum machine_type {
57385 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
57386 };
57387
57388 +/* Constants for the N_FLAGS field */
57389 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57390 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
57391 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
57392 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
57393 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57394 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57395 +
57396 #if !defined (N_MAGIC)
57397 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
57398 #endif
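Review bot: The commented-out `/*#define F_PAX_RANDEXEC 16*/` among the new `N_FLAGS` constants leaves it unclear whether bit 16 is free or reserved. If it is kept so the value is never reused for another flag, which seems likely given that `F_PAX_SEGMEXEC` skips to 32, say so explicitly and drop the dead define: `/* 16 is reserved (formerly F_PAX_RANDEXEC); do not reuse */`. A reused bit would make old binaries carrying that flag be interpreted under a new meaning.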
57399 diff -urNp linux-2.6.32.43/include/linux/atmdev.h linux-2.6.32.43/include/linux/atmdev.h
57400 --- linux-2.6.32.43/include/linux/atmdev.h 2011-03-27 14:31:47.000000000 -0400
57401 +++ linux-2.6.32.43/include/linux/atmdev.h 2011-04-17 15:56:46.000000000 -0400
57402 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
57403 #endif
57404
57405 struct k_atm_aal_stats {
57406 -#define __HANDLE_ITEM(i) atomic_t i
57407 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
57408 __AAL_STAT_ITEMS
57409 #undef __HANDLE_ITEM
57410 };
57411 diff -urNp linux-2.6.32.43/include/linux/backlight.h linux-2.6.32.43/include/linux/backlight.h
57412 --- linux-2.6.32.43/include/linux/backlight.h 2011-03-27 14:31:47.000000000 -0400
57413 +++ linux-2.6.32.43/include/linux/backlight.h 2011-04-17 15:56:46.000000000 -0400
57414 @@ -36,18 +36,18 @@ struct backlight_device;
57415 struct fb_info;
57416
57417 struct backlight_ops {
57418 - unsigned int options;
57419 + const unsigned int options;
57420
57421 #define BL_CORE_SUSPENDRESUME (1 << 0)
57422
57423 /* Notify the backlight driver some property has changed */
57424 - int (*update_status)(struct backlight_device *);
57425 + int (* const update_status)(struct backlight_device *);
57426 /* Return the current backlight brightness (accounting for power,
57427 fb_blank etc.) */
57428 - int (*get_brightness)(struct backlight_device *);
57429 + int (* const get_brightness)(struct backlight_device *);
57430 /* Check if given framebuffer device is the one bound to this backlight;
57431 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
57432 - int (*check_fb)(struct fb_info *);
57433 + int (* const check_fb)(struct fb_info *);
57434 };
57435
57436 /* This structure defines all the properties of a backlight */
57437 @@ -86,7 +86,7 @@ struct backlight_device {
57438 registered this device has been unloaded, and if class_get_devdata()
57439 points to something in the body of that driver, it is also invalid. */
57440 struct mutex ops_lock;
57441 - struct backlight_ops *ops;
57442 + const struct backlight_ops *ops;
57443
57444 /* The framebuffer notifier block */
57445 struct notifier_block fb_notif;
57446 @@ -103,7 +103,7 @@ static inline void backlight_update_stat
57447 }
57448
57449 extern struct backlight_device *backlight_device_register(const char *name,
57450 - struct device *dev, void *devdata, struct backlight_ops *ops);
57451 + struct device *dev, void *devdata, const struct backlight_ops *ops);
57452 extern void backlight_device_unregister(struct backlight_device *bd);
57453 extern void backlight_force_update(struct backlight_device *bd,
57454 enum backlight_update_reason reason);
57455 diff -urNp linux-2.6.32.43/include/linux/binfmts.h linux-2.6.32.43/include/linux/binfmts.h
57456 --- linux-2.6.32.43/include/linux/binfmts.h 2011-04-17 17:00:52.000000000 -0400
57457 +++ linux-2.6.32.43/include/linux/binfmts.h 2011-04-17 15:56:46.000000000 -0400
57458 @@ -83,6 +83,7 @@ struct linux_binfmt {
57459 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
57460 int (*load_shlib)(struct file *);
57461 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
57462 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
57463 unsigned long min_coredump; /* minimal dump size */
57464 int hasvdso;
57465 };
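Review bot: The new `handle_mprotect` member has no comment, and every `struct linux_binfmt` that does not set it will hold NULL there. The call site is not in this hunk, so it should be confirmed that the caller tests the pointer before calling through it. I would mark the member `/* optional, may be NULL */` and add a sentence on when it is invoked and what it may change in the vma.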
57466 diff -urNp linux-2.6.32.43/include/linux/blkdev.h linux-2.6.32.43/include/linux/blkdev.h
57467 --- linux-2.6.32.43/include/linux/blkdev.h 2011-03-27 14:31:47.000000000 -0400
57468 +++ linux-2.6.32.43/include/linux/blkdev.h 2011-04-17 15:56:46.000000000 -0400
57469 @@ -1265,19 +1265,19 @@ static inline int blk_integrity_rq(struc
57470 #endif /* CONFIG_BLK_DEV_INTEGRITY */
57471
57472 struct block_device_operations {
57473 - int (*open) (struct block_device *, fmode_t);
57474 - int (*release) (struct gendisk *, fmode_t);
57475 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57476 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57477 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57478 - int (*direct_access) (struct block_device *, sector_t,
57479 + int (* const open) (struct block_device *, fmode_t);
57480 + int (* const release) (struct gendisk *, fmode_t);
57481 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57482 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57483 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
57484 + int (* const direct_access) (struct block_device *, sector_t,
57485 void **, unsigned long *);
57486 - int (*media_changed) (struct gendisk *);
57487 - unsigned long long (*set_capacity) (struct gendisk *,
57488 + int (* const media_changed) (struct gendisk *);
57489 + unsigned long long (* const set_capacity) (struct gendisk *,
57490 unsigned long long);
57491 - int (*revalidate_disk) (struct gendisk *);
57492 - int (*getgeo)(struct block_device *, struct hd_geometry *);
57493 - struct module *owner;
57494 + int (* const revalidate_disk) (struct gendisk *);
57495 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
57496 + struct module * const owner;
57497 };
57498
57499 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
57500 diff -urNp linux-2.6.32.43/include/linux/blktrace_api.h linux-2.6.32.43/include/linux/blktrace_api.h
57501 --- linux-2.6.32.43/include/linux/blktrace_api.h 2011-03-27 14:31:47.000000000 -0400
57502 +++ linux-2.6.32.43/include/linux/blktrace_api.h 2011-05-04 17:56:28.000000000 -0400
57503 @@ -160,7 +160,7 @@ struct blk_trace {
57504 struct dentry *dir;
57505 struct dentry *dropped_file;
57506 struct dentry *msg_file;
57507 - atomic_t dropped;
57508 + atomic_unchecked_t dropped;
57509 };
57510
57511 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
57512 diff -urNp linux-2.6.32.43/include/linux/byteorder/little_endian.h linux-2.6.32.43/include/linux/byteorder/little_endian.h
57513 --- linux-2.6.32.43/include/linux/byteorder/little_endian.h 2011-03-27 14:31:47.000000000 -0400
57514 +++ linux-2.6.32.43/include/linux/byteorder/little_endian.h 2011-04-17 15:56:46.000000000 -0400
57515 @@ -42,51 +42,51 @@
57516
57517 static inline __le64 __cpu_to_le64p(const __u64 *p)
57518 {
57519 - return (__force __le64)*p;
57520 + return (__force const __le64)*p;
57521 }
57522 static inline __u64 __le64_to_cpup(const __le64 *p)
57523 {
57524 - return (__force __u64)*p;
57525 + return (__force const __u64)*p;
57526 }
57527 static inline __le32 __cpu_to_le32p(const __u32 *p)
57528 {
57529 - return (__force __le32)*p;
57530 + return (__force const __le32)*p;
57531 }
57532 static inline __u32 __le32_to_cpup(const __le32 *p)
57533 {
57534 - return (__force __u32)*p;
57535 + return (__force const __u32)*p;
57536 }
57537 static inline __le16 __cpu_to_le16p(const __u16 *p)
57538 {
57539 - return (__force __le16)*p;
57540 + return (__force const __le16)*p;
57541 }
57542 static inline __u16 __le16_to_cpup(const __le16 *p)
57543 {
57544 - return (__force __u16)*p;
57545 + return (__force const __u16)*p;
57546 }
57547 static inline __be64 __cpu_to_be64p(const __u64 *p)
57548 {
57549 - return (__force __be64)__swab64p(p);
57550 + return (__force const __be64)__swab64p(p);
57551 }
57552 static inline __u64 __be64_to_cpup(const __be64 *p)
57553 {
57554 - return __swab64p((__u64 *)p);
57555 + return __swab64p((const __u64 *)p);
57556 }
57557 static inline __be32 __cpu_to_be32p(const __u32 *p)
57558 {
57559 - return (__force __be32)__swab32p(p);
57560 + return (__force const __be32)__swab32p(p);
57561 }
57562 static inline __u32 __be32_to_cpup(const __be32 *p)
57563 {
57564 - return __swab32p((__u32 *)p);
57565 + return __swab32p((const __u32 *)p);
57566 }
57567 static inline __be16 __cpu_to_be16p(const __u16 *p)
57568 {
57569 - return (__force __be16)__swab16p(p);
57570 + return (__force const __be16)__swab16p(p);
57571 }
57572 static inline __u16 __be16_to_cpup(const __be16 *p)
57573 {
57574 - return __swab16p((__u16 *)p);
57575 + return __swab16p((const __u16 *)p);
57576 }
57577 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
57578 #define __le64_to_cpus(x) do { (void)(x); } while (0)
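Review bot: The `const` added inside the value casts, as in `return (__force const __le64)*p;`, has no effect in C, because a cast yields an unqualified rvalue. Only the pointer casts in `__be64_to_cpup`, `__be32_to_cpup` and `__be16_to_cpup` (`(const __u64 *)p` and its siblings) actually stop the qualifier from being dropped. If the value casts are there to quiet a particular checker, a short comment naming it would help; otherwise they can stay as `(__force __le64)*p`.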
57579 diff -urNp linux-2.6.32.43/include/linux/cache.h linux-2.6.32.43/include/linux/cache.h
57580 --- linux-2.6.32.43/include/linux/cache.h 2011-03-27 14:31:47.000000000 -0400
57581 +++ linux-2.6.32.43/include/linux/cache.h 2011-04-17 15:56:46.000000000 -0400
57582 @@ -16,6 +16,10 @@
57583 #define __read_mostly
57584 #endif
57585
57586 +#ifndef __read_only
57587 +#define __read_only __read_mostly
57588 +#endif
57589 +
57590 #ifndef ____cacheline_aligned
57591 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
57592 #endif
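Review bot: The fallback `#define __read_only __read_mostly` silently leaves every `__read_only` object writable on any configuration that does not supply its own definition. Nothing in the header tells a reader that the annotation is then only a placement hint, or nothing at all where `__read_mostly` itself is empty. A comment above the `#ifndef`, such as `/* no write protection unless the architecture overrides __read_only */`, would make that explicit.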
57593 diff -urNp linux-2.6.32.43/include/linux/capability.h linux-2.6.32.43/include/linux/capability.h
57594 --- linux-2.6.32.43/include/linux/capability.h 2011-03-27 14:31:47.000000000 -0400
57595 +++ linux-2.6.32.43/include/linux/capability.h 2011-04-17 15:56:46.000000000 -0400
57596 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
57597 (security_real_capable_noaudit((t), (cap)) == 0)
57598
57599 extern int capable(int cap);
57600 +int capable_nolog(int cap);
57601
57602 /* audit system wants to get cap info from files as well */
57603 struct dentry;
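Review bot: `capable_nolog()` is declared without a comment and without the `extern` that its neighbour `capable()` carries. The name suggests a capability check that skips logging (the definition is not in this hunk), which is the kind of variant callers should not reach for by default. I would write `extern int capable_nolog(int cap);` and add a comment saying how it differs from `capable()` and in which situations the unlogged form is meant to be used.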
57604 diff -urNp linux-2.6.32.43/include/linux/compiler-gcc4.h linux-2.6.32.43/include/linux/compiler-gcc4.h
57605 --- linux-2.6.32.43/include/linux/compiler-gcc4.h 2011-03-27 14:31:47.000000000 -0400
57606 +++ linux-2.6.32.43/include/linux/compiler-gcc4.h 2011-08-05 20:33:55.000000000 -0400
57607 @@ -36,4 +36,13 @@
57608 the kernel context */
57609 #define __cold __attribute__((__cold__))
57610
57611 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
57612 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
57613 +#define __bos0(ptr) __bos((ptr), 0)
57614 +#define __bos1(ptr) __bos((ptr), 1)
57615 +
57616 +#if __GNUC_MINOR__ >= 5
57617 +#define __no_const __attribute__((no_const))
57618 +#endif
57619 +
57620 #endif
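Review bot: `__alloc_size` is defined for every GCC 4.x, but the `alloc_size` attribute only exists from GCC 4.3, so older 4.x compilers will warn on each use. The line also spells `__attribute` where the rest of the file uses `__attribute__`. Wrapping it as `#if __GNUC_MINOR__ >= 3` / `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))` / `#endif` lets the empty fallback in compiler.h take over. Separately, `no_const` is not a stock GCC attribute, so the `__GNUC_MINOR__ >= 5` test presumably stands in for "the constify plugin is loaded"; a plugin-specific guard, or at least a comment saying so, would be clearer.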
57621 diff -urNp linux-2.6.32.43/include/linux/compiler.h linux-2.6.32.43/include/linux/compiler.h
57622 --- linux-2.6.32.43/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
57623 +++ linux-2.6.32.43/include/linux/compiler.h 2011-08-05 20:33:55.000000000 -0400
57624 @@ -247,6 +247,10 @@ void ftrace_likely_update(struct ftrace_
57625 # define __attribute_const__ /* unimplemented */
57626 #endif
57627
57628 +#ifndef __no_const
57629 +# define __no_const
57630 +#endif
57631 +
57632 /*
57633 * Tell gcc if a function is cold. The compiler will assume any path
57634 * directly leading to the call is unlikely.
57635 @@ -256,6 +260,22 @@ void ftrace_likely_update(struct ftrace_
57636 #define __cold
57637 #endif
57638
57639 +#ifndef __alloc_size
57640 +#define __alloc_size(...)
57641 +#endif
57642 +
57643 +#ifndef __bos
57644 +#define __bos(ptr, arg)
57645 +#endif
57646 +
57647 +#ifndef __bos0
57648 +#define __bos0(ptr)
57649 +#endif
57650 +
57651 +#ifndef __bos1
57652 +#define __bos1(ptr)
57653 +#endif
57654 +
57655 /* Simple shorthand for a section definition */
57656 #ifndef __section
57657 # define __section(S) __attribute__ ((__section__(#S)))
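Review bot: The fallbacks for `__bos`, `__bos0` and `__bos1` expand to nothing, so any use inside an expression stops compiling when the compiler does not go through compiler-gcc4.h. `__builtin_object_size` reports an unknown size as `(size_t)-1` for types 0 and 1, so that value is the natural fallback: `#define __bos(ptr, arg) ((size_t)-1)`, with `__bos0` and `__bos1` defined the same way. The users of these macros are outside this hunk, so whether they are already restricted to GCC 4 builds should be checked.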
57658 @@ -278,6 +298,7 @@ void ftrace_likely_update(struct ftrace_
57659 * use is to mediate communication between process-level code and irq/NMI
57660 * handlers, all running on the same CPU.
57661 */
57662 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
57663 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
57664 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
57665
57666 #endif /* __LINUX_COMPILER_H */
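Review bot: `ACCESS_ONCE_RW` is added without any comment, while the block comment above documents only `ACCESS_ONCE`. After this change `ACCESS_ONCE(x)` yields a const-qualified lvalue, so stores through it no longer compile and have to use the new macro. That rule should be written where people will look for it, for example by appending `ACCESS_ONCE() is read-only; use ACCESS_ONCE_RW() when the access is a store.` to the existing comment. The comment block starts outside this hunk.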
57667 diff -urNp linux-2.6.32.43/include/linux/crypto.h linux-2.6.32.43/include/linux/crypto.h
57668 --- linux-2.6.32.43/include/linux/crypto.h 2011-03-27 14:31:47.000000000 -0400
57669 +++ linux-2.6.32.43/include/linux/crypto.h 2011-08-05 20:33:55.000000000 -0400
57670 @@ -394,7 +394,7 @@ struct cipher_tfm {
57671 const u8 *key, unsigned int keylen);
57672 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57673 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
57674 -};
57675 +} __no_const;
57676
57677 struct hash_tfm {
57678 int (*init)(struct hash_desc *desc);
57679 @@ -415,13 +415,13 @@ struct compress_tfm {
57680 int (*cot_decompress)(struct crypto_tfm *tfm,
57681 const u8 *src, unsigned int slen,
57682 u8 *dst, unsigned int *dlen);
57683 -};
57684 +} __no_const;
57685
57686 struct rng_tfm {
57687 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
57688 unsigned int dlen);
57689 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
57690 -};
57691 +} __no_const;
57692
57693 #define crt_ablkcipher crt_u.ablkcipher
57694 #define crt_aead crt_u.aead
57695 diff -urNp linux-2.6.32.43/include/linux/dcache.h linux-2.6.32.43/include/linux/dcache.h
57696 --- linux-2.6.32.43/include/linux/dcache.h 2011-03-27 14:31:47.000000000 -0400
57697 +++ linux-2.6.32.43/include/linux/dcache.h 2011-04-23 13:34:46.000000000 -0400
57698 @@ -119,6 +119,8 @@ struct dentry {
57699 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
57700 };
57701
57702 +#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
57703 +
57704 /*
57705 * dentry->d_lock spinlock nesting subclasses:
57706 *
57707 diff -urNp linux-2.6.32.43/include/linux/decompress/mm.h linux-2.6.32.43/include/linux/decompress/mm.h
57708 --- linux-2.6.32.43/include/linux/decompress/mm.h 2011-03-27 14:31:47.000000000 -0400
57709 +++ linux-2.6.32.43/include/linux/decompress/mm.h 2011-04-17 15:56:46.000000000 -0400
57710 @@ -78,7 +78,7 @@ static void free(void *where)
57711 * warnings when not needed (indeed large_malloc / large_free are not
57712 * needed by inflate */
57713
57714 -#define malloc(a) kmalloc(a, GFP_KERNEL)
57715 +#define malloc(a) kmalloc((a), GFP_KERNEL)
57716 #define free(a) kfree(a)
57717
57718 #define large_malloc(a) vmalloc(a)
57719 diff -urNp linux-2.6.32.43/include/linux/dma-mapping.h linux-2.6.32.43/include/linux/dma-mapping.h
57720 --- linux-2.6.32.43/include/linux/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
57721 +++ linux-2.6.32.43/include/linux/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
57722 @@ -16,50 +16,50 @@ enum dma_data_direction {
57723 };
57724
57725 struct dma_map_ops {
57726 - void* (*alloc_coherent)(struct device *dev, size_t size,
57727 + void* (* const alloc_coherent)(struct device *dev, size_t size,
57728 dma_addr_t *dma_handle, gfp_t gfp);
57729 - void (*free_coherent)(struct device *dev, size_t size,
57730 + void (* const free_coherent)(struct device *dev, size_t size,
57731 void *vaddr, dma_addr_t dma_handle);
57732 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
57733 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
57734 unsigned long offset, size_t size,
57735 enum dma_data_direction dir,
57736 struct dma_attrs *attrs);
57737 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
57738 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
57739 size_t size, enum dma_data_direction dir,
57740 struct dma_attrs *attrs);
57741 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
57742 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
57743 int nents, enum dma_data_direction dir,
57744 struct dma_attrs *attrs);
57745 - void (*unmap_sg)(struct device *dev,
57746 + void (* const unmap_sg)(struct device *dev,
57747 struct scatterlist *sg, int nents,
57748 enum dma_data_direction dir,
57749 struct dma_attrs *attrs);
57750 - void (*sync_single_for_cpu)(struct device *dev,
57751 + void (* const sync_single_for_cpu)(struct device *dev,
57752 dma_addr_t dma_handle, size_t size,
57753 enum dma_data_direction dir);
57754 - void (*sync_single_for_device)(struct device *dev,
57755 + void (* const sync_single_for_device)(struct device *dev,
57756 dma_addr_t dma_handle, size_t size,
57757 enum dma_data_direction dir);
57758 - void (*sync_single_range_for_cpu)(struct device *dev,
57759 + void (* const sync_single_range_for_cpu)(struct device *dev,
57760 dma_addr_t dma_handle,
57761 unsigned long offset,
57762 size_t size,
57763 enum dma_data_direction dir);
57764 - void (*sync_single_range_for_device)(struct device *dev,
57765 + void (* const sync_single_range_for_device)(struct device *dev,
57766 dma_addr_t dma_handle,
57767 unsigned long offset,
57768 size_t size,
57769 enum dma_data_direction dir);
57770 - void (*sync_sg_for_cpu)(struct device *dev,
57771 + void (* const sync_sg_for_cpu)(struct device *dev,
57772 struct scatterlist *sg, int nents,
57773 enum dma_data_direction dir);
57774 - void (*sync_sg_for_device)(struct device *dev,
57775 + void (* const sync_sg_for_device)(struct device *dev,
57776 struct scatterlist *sg, int nents,
57777 enum dma_data_direction dir);
57778 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
57779 - int (*dma_supported)(struct device *dev, u64 mask);
57780 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
57781 + int (* const dma_supported)(struct device *dev, u64 mask);
57782 int (*set_dma_mask)(struct device *dev, u64 mask);
57783 - int is_phys;
57784 + const int is_phys;
57785 };
57786
57787 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
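Review bot: `set_dma_mask` is the only function pointer in `struct dma_map_ops` left without `const`, and nothing says whether that is deliberate. If some code assigns it at run time, a comment on the member such as `/* assigned at run time, cannot be const */` would record the reason. If not, it should read `int (* const set_dma_mask)(struct device *dev, u64 mask);` like the other members. The assignments are not visible here, so this needs checking against the users of the structure.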
57788 diff -urNp linux-2.6.32.43/include/linux/dst.h linux-2.6.32.43/include/linux/dst.h
57789 --- linux-2.6.32.43/include/linux/dst.h 2011-03-27 14:31:47.000000000 -0400
57790 +++ linux-2.6.32.43/include/linux/dst.h 2011-04-17 15:56:46.000000000 -0400
57791 @@ -380,7 +380,7 @@ struct dst_node
57792 struct thread_pool *pool;
57793
57794 /* Transaction IDs live here */
57795 - atomic_long_t gen;
57796 + atomic_long_unchecked_t gen;
57797
57798 /*
57799 * How frequently and how many times transaction
57800 diff -urNp linux-2.6.32.43/include/linux/elf.h linux-2.6.32.43/include/linux/elf.h
57801 --- linux-2.6.32.43/include/linux/elf.h 2011-03-27 14:31:47.000000000 -0400
57802 +++ linux-2.6.32.43/include/linux/elf.h 2011-04-17 15:56:46.000000000 -0400
57803 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
57804 #define PT_GNU_EH_FRAME 0x6474e550
57805
57806 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
57807 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
57808 +
57809 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
57810 +
57811 +/* Constants for the e_flags field */
57812 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
57813 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
57814 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
57815 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
57816 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
57817 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
57818
57819 /* These constants define the different elf file types */
57820 #define ET_NONE 0
57821 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
57822 #define DT_DEBUG 21
57823 #define DT_TEXTREL 22
57824 #define DT_JMPREL 23
57825 +#define DT_FLAGS 30
57826 + #define DF_TEXTREL 0x00000004
57827 #define DT_ENCODING 32
57828 #define OLD_DT_LOOS 0x60000000
57829 #define DT_LOOS 0x6000000d
57830 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
57831 #define PF_W 0x2
57832 #define PF_X 0x1
57833
57834 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
57835 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
57836 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
57837 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
57838 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
57839 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
57840 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
57841 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
57842 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
57843 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
57844 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
57845 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
57846 +
57847 typedef struct elf32_phdr{
57848 Elf32_Word p_type;
57849 Elf32_Off p_offset;
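Review bot: The new `PF_*` bits come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but the comments do not say what happens when a program header sets both bits of a pair, or neither. The code that parses them is outside this hunk, and the header is where the author of a marking tool will look for that rule. A short block comment above the group stating how both-set and neither-set are treated would close the gap. If the bits are only meaningful in the `p_flags` of a `PT_PAX_FLAGS` header, the comment should say that too.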
57850 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
57851 #define EI_OSABI 7
57852 #define EI_PAD 8
57853
57854 +#define EI_PAX 14
57855 +
57856 #define ELFMAG0 0x7f /* EI_MAG */
57857 #define ELFMAG1 'E'
57858 #define ELFMAG2 'L'
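Review bot: `EI_PAX` has no comment, unlike the other PaX constants added to this file. With `EI_PAD` at 8 just above it, index 14 falls inside the padding part of `e_ident`, which other tools may treat as reserved, so the choice deserves a note. Suggested: `#define EI_PAX 14 /* offset of the PaX flags inside the e_ident padding */`.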
57859 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
57860 #define elf_phdr elf32_phdr
57861 #define elf_note elf32_note
57862 #define elf_addr_t Elf32_Off
57863 +#define elf_dyn Elf32_Dyn
57864
57865 #else
57866
57867 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
57868 #define elf_phdr elf64_phdr
57869 #define elf_note elf64_note
57870 #define elf_addr_t Elf64_Off
57871 +#define elf_dyn Elf64_Dyn
57872
57873 #endif
57874
57875 diff -urNp linux-2.6.32.43/include/linux/fscache-cache.h linux-2.6.32.43/include/linux/fscache-cache.h
57876 --- linux-2.6.32.43/include/linux/fscache-cache.h 2011-03-27 14:31:47.000000000 -0400
57877 +++ linux-2.6.32.43/include/linux/fscache-cache.h 2011-05-04 17:56:28.000000000 -0400
57878 @@ -116,7 +116,7 @@ struct fscache_operation {
57879 #endif
57880 };
57881
57882 -extern atomic_t fscache_op_debug_id;
57883 +extern atomic_unchecked_t fscache_op_debug_id;
57884 extern const struct slow_work_ops fscache_op_slow_work_ops;
57885
57886 extern void fscache_enqueue_operation(struct fscache_operation *);
57887 @@ -134,7 +134,7 @@ static inline void fscache_operation_ini
57888 fscache_operation_release_t release)
57889 {
57890 atomic_set(&op->usage, 1);
57891 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
57892 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
57893 op->release = release;
57894 INIT_LIST_HEAD(&op->pend_link);
57895 fscache_set_op_state(op, "Init");
57896 diff -urNp linux-2.6.32.43/include/linux/fs.h linux-2.6.32.43/include/linux/fs.h
57897 --- linux-2.6.32.43/include/linux/fs.h 2011-07-13 17:23:04.000000000 -0400
57898 +++ linux-2.6.32.43/include/linux/fs.h 2011-08-05 20:33:55.000000000 -0400
57899 @@ -90,6 +90,11 @@ struct inodes_stat_t {
57900 /* Expect random access pattern */
57901 #define FMODE_RANDOM ((__force fmode_t)4096)
57902
57903 +/* Hack for grsec so as not to require read permission simply to execute
57904 + * a binary
57905 + */
57906 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
57907 +
57908 /*
57909 * The below are the various read and write types that we support. Some of
57910 * them include behavioral modifiers that send information down to the
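Review bot: The comment on `FMODE_GREXEC` calls it a hack but does not say which code sets the bit or which permission check honours it. Because the flag relaxes a read-permission requirement, the comment should state that it is kernel-internal and must never be derivable from user-supplied open flags, and name the functions involved. The value `0x2000000` should also be checked against the other `FMODE_` bits, of which only `FMODE_RANDOM` is visible in this hunk.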
57911 @@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
57912 unsigned long, unsigned long);
57913
57914 struct address_space_operations {
57915 - int (*writepage)(struct page *page, struct writeback_control *wbc);
57916 - int (*readpage)(struct file *, struct page *);
57917 - void (*sync_page)(struct page *);
57918 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
57919 + int (* const readpage)(struct file *, struct page *);
57920 + void (* const sync_page)(struct page *);
57921
57922 /* Write back some dirty pages from this mapping. */
57923 - int (*writepages)(struct address_space *, struct writeback_control *);
57924 + int (* const writepages)(struct address_space *, struct writeback_control *);
57925
57926 /* Set a page dirty. Return true if this dirtied it */
57927 - int (*set_page_dirty)(struct page *page);
57928 + int (* const set_page_dirty)(struct page *page);
57929
57930 - int (*readpages)(struct file *filp, struct address_space *mapping,
57931 + int (* const readpages)(struct file *filp, struct address_space *mapping,
57932 struct list_head *pages, unsigned nr_pages);
57933
57934 - int (*write_begin)(struct file *, struct address_space *mapping,
57935 + int (* const write_begin)(struct file *, struct address_space *mapping,
57936 loff_t pos, unsigned len, unsigned flags,
57937 struct page **pagep, void **fsdata);
57938 - int (*write_end)(struct file *, struct address_space *mapping,
57939 + int (* const write_end)(struct file *, struct address_space *mapping,
57940 loff_t pos, unsigned len, unsigned copied,
57941 struct page *page, void *fsdata);
57942
57943 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
57944 - sector_t (*bmap)(struct address_space *, sector_t);
57945 - void (*invalidatepage) (struct page *, unsigned long);
57946 - int (*releasepage) (struct page *, gfp_t);
57947 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
57948 + sector_t (* const bmap)(struct address_space *, sector_t);
57949 + void (* const invalidatepage) (struct page *, unsigned long);
57950 + int (* const releasepage) (struct page *, gfp_t);
57951 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
57952 loff_t offset, unsigned long nr_segs);
57953 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
57954 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
57955 void **, unsigned long *);
57956 /* migrate the contents of a page to the specified target */
57957 - int (*migratepage) (struct address_space *,
57958 + int (* const migratepage) (struct address_space *,
57959 struct page *, struct page *);
57960 - int (*launder_page) (struct page *);
57961 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
57962 + int (* const launder_page) (struct page *);
57963 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
57964 unsigned long);
57965 - int (*error_remove_page)(struct address_space *, struct page *);
57966 + int (* const error_remove_page)(struct address_space *, struct page *);
57967 };
57968
57969 /*
57970 @@ -1031,19 +1036,19 @@ static inline int file_check_writeable(s
57971 typedef struct files_struct *fl_owner_t;
57972
57973 struct file_lock_operations {
57974 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
57975 - void (*fl_release_private)(struct file_lock *);
57976 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
57977 + void (* const fl_release_private)(struct file_lock *);
57978 };
57979
57980 struct lock_manager_operations {
57981 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
57982 - void (*fl_notify)(struct file_lock *); /* unblock callback */
57983 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
57984 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
57985 - void (*fl_release_private)(struct file_lock *);
57986 - void (*fl_break)(struct file_lock *);
57987 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
57988 - int (*fl_change)(struct file_lock **, int);
57989 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
57990 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
57991 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
57992 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
57993 + void (* const fl_release_private)(struct file_lock *);
57994 + void (* const fl_break)(struct file_lock *);
57995 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
57996 + int (* const fl_change)(struct file_lock **, int);
57997 };
57998
57999 struct lock_manager {
58000 @@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
58001 unsigned int fi_flags; /* Flags as passed from user */
58002 unsigned int fi_extents_mapped; /* Number of mapped extents */
58003 unsigned int fi_extents_max; /* Size of fiemap_extent array */
58004 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
58005 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
58006 * array */
58007 };
58008 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
58009 @@ -1486,7 +1491,7 @@ struct block_device_operations;
58010 * can be called without the big kernel lock held in all filesystems.
58011 */
58012 struct file_operations {
58013 - struct module *owner;
58014 + struct module * const owner;
58015 loff_t (*llseek) (struct file *, loff_t, int);
58016 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
58017 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
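Review bot: Only `owner` is made const in `struct file_operations`; the `llseek`, `read` and `write` pointers visible in the context stay writable. That differs from `address_space_operations`, `super_operations` and the two lock operation tables, which are constified member by member earlier in this file. If the reason is that some code still fills these tables at run time, a comment on the struct should say so, since the difference otherwise reads as an oversight. The struct body continues outside this hunk.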
58018 @@ -1559,30 +1564,30 @@ extern ssize_t vfs_writev(struct file *,
58019 unsigned long, loff_t *);
58020
58021 struct super_operations {
58022 - struct inode *(*alloc_inode)(struct super_block *sb);
58023 - void (*destroy_inode)(struct inode *);
58024 + struct inode *(* const alloc_inode)(struct super_block *sb);
58025 + void (* const destroy_inode)(struct inode *);
58026
58027 - void (*dirty_inode) (struct inode *);
58028 - int (*write_inode) (struct inode *, int);
58029 - void (*drop_inode) (struct inode *);
58030 - void (*delete_inode) (struct inode *);
58031 - void (*put_super) (struct super_block *);
58032 - void (*write_super) (struct super_block *);
58033 - int (*sync_fs)(struct super_block *sb, int wait);
58034 - int (*freeze_fs) (struct super_block *);
58035 - int (*unfreeze_fs) (struct super_block *);
58036 - int (*statfs) (struct dentry *, struct kstatfs *);
58037 - int (*remount_fs) (struct super_block *, int *, char *);
58038 - void (*clear_inode) (struct inode *);
58039 - void (*umount_begin) (struct super_block *);
58040 + void (* const dirty_inode) (struct inode *);
58041 + int (* const write_inode) (struct inode *, int);
58042 + void (* const drop_inode) (struct inode *);
58043 + void (* const delete_inode) (struct inode *);
58044 + void (* const put_super) (struct super_block *);
58045 + void (* const write_super) (struct super_block *);
58046 + int (* const sync_fs)(struct super_block *sb, int wait);
58047 + int (* const freeze_fs) (struct super_block *);
58048 + int (* const unfreeze_fs) (struct super_block *);
58049 + int (* const statfs) (struct dentry *, struct kstatfs *);
58050 + int (* const remount_fs) (struct super_block *, int *, char *);
58051 + void (* const clear_inode) (struct inode *);
58052 + void (* const umount_begin) (struct super_block *);
58053
58054 - int (*show_options)(struct seq_file *, struct vfsmount *);
58055 - int (*show_stats)(struct seq_file *, struct vfsmount *);
58056 + int (* const show_options)(struct seq_file *, struct vfsmount *);
58057 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
58058 #ifdef CONFIG_QUOTA
58059 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
58060 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
58061 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
58062 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
58063 #endif
58064 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
58065 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
58066 };
58067
58068 /*
58069 diff -urNp linux-2.6.32.43/include/linux/fs_struct.h linux-2.6.32.43/include/linux/fs_struct.h
58070 --- linux-2.6.32.43/include/linux/fs_struct.h 2011-03-27 14:31:47.000000000 -0400
58071 +++ linux-2.6.32.43/include/linux/fs_struct.h 2011-04-17 15:56:46.000000000 -0400
58072 @@ -4,7 +4,7 @@
58073 #include <linux/path.h>
58074
58075 struct fs_struct {
58076 - int users;
58077 + atomic_t users;
58078 rwlock_t lock;
58079 int umask;
58080 int in_exec;
58081 diff -urNp linux-2.6.32.43/include/linux/ftrace_event.h linux-2.6.32.43/include/linux/ftrace_event.h
58082 --- linux-2.6.32.43/include/linux/ftrace_event.h 2011-03-27 14:31:47.000000000 -0400
58083 +++ linux-2.6.32.43/include/linux/ftrace_event.h 2011-05-04 17:56:28.000000000 -0400
58084 @@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
58085 int filter_type);
58086 extern int trace_define_common_fields(struct ftrace_event_call *call);
58087
58088 -#define is_signed_type(type) (((type)(-1)) < 0)
58089 +#define is_signed_type(type) (((type)(-1)) < (type)1)
58090
58091 int trace_set_clr_event(const char *system, const char *event, int set);
58092
58093 diff -urNp linux-2.6.32.43/include/linux/genhd.h linux-2.6.32.43/include/linux/genhd.h
58094 --- linux-2.6.32.43/include/linux/genhd.h 2011-03-27 14:31:47.000000000 -0400
58095 +++ linux-2.6.32.43/include/linux/genhd.h 2011-04-17 15:56:46.000000000 -0400
58096 @@ -161,7 +161,7 @@ struct gendisk {
58097
58098 struct timer_rand_state *random;
58099
58100 - atomic_t sync_io; /* RAID */
58101 + atomic_unchecked_t sync_io; /* RAID */
58102 struct work_struct async_notify;
58103 #ifdef CONFIG_BLK_DEV_INTEGRITY
58104 struct blk_integrity *integrity;
58105 diff -urNp linux-2.6.32.43/include/linux/gracl.h linux-2.6.32.43/include/linux/gracl.h
58106 --- linux-2.6.32.43/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
58107 +++ linux-2.6.32.43/include/linux/gracl.h 2011-04-17 15:56:46.000000000 -0400
58108 @@ -0,0 +1,317 @@
58109 +#ifndef GR_ACL_H
58110 +#define GR_ACL_H
58111 +
58112 +#include <linux/grdefs.h>
58113 +#include <linux/resource.h>
58114 +#include <linux/capability.h>
58115 +#include <linux/dcache.h>
58116 +#include <asm/resource.h>
58117 +
58118 +/* Major status information */
58119 +
58120 +#define GR_VERSION "grsecurity 2.2.2"
58121 +#define GRSECURITY_VERSION 0x2202
58122 +
58123 +enum {
58124 + GR_SHUTDOWN = 0,
58125 + GR_ENABLE = 1,
58126 + GR_SPROLE = 2,
58127 + GR_RELOAD = 3,
58128 + GR_SEGVMOD = 4,
58129 + GR_STATUS = 5,
58130 + GR_UNSPROLE = 6,
58131 + GR_PASSSET = 7,
58132 + GR_SPROLEPAM = 8,
58133 +};
58134 +
58135 +/* Password setup definitions
58136 + * kernel/grhash.c */
58137 +enum {
58138 + GR_PW_LEN = 128,
58139 + GR_SALT_LEN = 16,
58140 + GR_SHA_LEN = 32,
58141 +};
58142 +
58143 +enum {
58144 + GR_SPROLE_LEN = 64,
58145 +};
58146 +
58147 +enum {
58148 + GR_NO_GLOB = 0,
58149 + GR_REG_GLOB,
58150 + GR_CREATE_GLOB
58151 +};
58152 +
58153 +#define GR_NLIMITS 32
58154 +
58155 +/* Begin Data Structures */
58156 +
58157 +struct sprole_pw {
58158 + unsigned char *rolename;
58159 + unsigned char salt[GR_SALT_LEN];
58160 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
58161 +};
58162 +
58163 +struct name_entry {
58164 + __u32 key;
58165 + ino_t inode;
58166 + dev_t device;
58167 + char *name;
58168 + __u16 len;
58169 + __u8 deleted;
58170 + struct name_entry *prev;
58171 + struct name_entry *next;
58172 +};
58173 +
58174 +struct inodev_entry {
58175 + struct name_entry *nentry;
58176 + struct inodev_entry *prev;
58177 + struct inodev_entry *next;
58178 +};
58179 +
58180 +struct acl_role_db {
58181 + struct acl_role_label **r_hash;
58182 + __u32 r_size;
58183 +};
58184 +
58185 +struct inodev_db {
58186 + struct inodev_entry **i_hash;
58187 + __u32 i_size;
58188 +};
58189 +
58190 +struct name_db {
58191 + struct name_entry **n_hash;
58192 + __u32 n_size;
58193 +};
58194 +
58195 +struct crash_uid {
58196 + uid_t uid;
58197 + unsigned long expires;
58198 +};
58199 +
58200 +struct gr_hash_struct {
58201 + void **table;
58202 + void **nametable;
58203 + void *first;
58204 + __u32 table_size;
58205 + __u32 used_size;
58206 + int type;
58207 +};
58208 +
58209 +/* Userspace Grsecurity ACL data structures */
58210 +
58211 +struct acl_subject_label {
58212 + char *filename;
58213 + ino_t inode;
58214 + dev_t device;
58215 + __u32 mode;
58216 + kernel_cap_t cap_mask;
58217 + kernel_cap_t cap_lower;
58218 + kernel_cap_t cap_invert_audit;
58219 +
58220 + struct rlimit res[GR_NLIMITS];
58221 + __u32 resmask;
58222 +
58223 + __u8 user_trans_type;
58224 + __u8 group_trans_type;
58225 + uid_t *user_transitions;
58226 + gid_t *group_transitions;
58227 + __u16 user_trans_num;
58228 + __u16 group_trans_num;
58229 +
58230 + __u32 sock_families[2];
58231 + __u32 ip_proto[8];
58232 + __u32 ip_type;
58233 + struct acl_ip_label **ips;
58234 + __u32 ip_num;
58235 + __u32 inaddr_any_override;
58236 +
58237 + __u32 crashes;
58238 + unsigned long expires;
58239 +
58240 + struct acl_subject_label *parent_subject;
58241 + struct gr_hash_struct *hash;
58242 + struct acl_subject_label *prev;
58243 + struct acl_subject_label *next;
58244 +
58245 + struct acl_object_label **obj_hash;
58246 + __u32 obj_hash_size;
58247 + __u16 pax_flags;
58248 +};
58249 +
58250 +struct role_allowed_ip {
58251 + __u32 addr;
58252 + __u32 netmask;
58253 +
58254 + struct role_allowed_ip *prev;
58255 + struct role_allowed_ip *next;
58256 +};
58257 +
58258 +struct role_transition {
58259 + char *rolename;
58260 +
58261 + struct role_transition *prev;
58262 + struct role_transition *next;
58263 +};
58264 +
58265 +struct acl_role_label {
58266 + char *rolename;
58267 + uid_t uidgid;
58268 + __u16 roletype;
58269 +
58270 + __u16 auth_attempts;
58271 + unsigned long expires;
58272 +
58273 + struct acl_subject_label *root_label;
58274 + struct gr_hash_struct *hash;
58275 +
58276 + struct acl_role_label *prev;
58277 + struct acl_role_label *next;
58278 +
58279 + struct role_transition *transitions;
58280 + struct role_allowed_ip *allowed_ips;
58281 + uid_t *domain_children;
58282 + __u16 domain_child_num;
58283 +
58284 + struct acl_subject_label **subj_hash;
58285 + __u32 subj_hash_size;
58286 +};
58287 +
58288 +struct user_acl_role_db {
58289 + struct acl_role_label **r_table;
58290 + __u32 num_pointers; /* Number of allocations to track */
58291 + __u32 num_roles; /* Number of roles */
58292 + __u32 num_domain_children; /* Number of domain children */
58293 + __u32 num_subjects; /* Number of subjects */
58294 + __u32 num_objects; /* Number of objects */
58295 +};
58296 +
58297 +struct acl_object_label {
58298 + char *filename;
58299 + ino_t inode;
58300 + dev_t device;
58301 + __u32 mode;
58302 +
58303 + struct acl_subject_label *nested;
58304 + struct acl_object_label *globbed;
58305 +
58306 + /* next two structures not used */
58307 +
58308 + struct acl_object_label *prev;
58309 + struct acl_object_label *next;
58310 +};
58311 +
58312 +struct acl_ip_label {
58313 + char *iface;
58314 + __u32 addr;
58315 + __u32 netmask;
58316 + __u16 low, high;
58317 + __u8 mode;
58318 + __u32 type;
58319 + __u32 proto[8];
58320 +
58321 + /* next two structures not used */
58322 +
58323 + struct acl_ip_label *prev;
58324 + struct acl_ip_label *next;
58325 +};
58326 +
58327 +struct gr_arg {
58328 + struct user_acl_role_db role_db;
58329 + unsigned char pw[GR_PW_LEN];
58330 + unsigned char salt[GR_SALT_LEN];
58331 + unsigned char sum[GR_SHA_LEN];
58332 + unsigned char sp_role[GR_SPROLE_LEN];
58333 + struct sprole_pw *sprole_pws;
58334 + dev_t segv_device;
58335 + ino_t segv_inode;
58336 + uid_t segv_uid;
58337 + __u16 num_sprole_pws;
58338 + __u16 mode;
58339 +};
58340 +
58341 +struct gr_arg_wrapper {
58342 + struct gr_arg *arg;
58343 + __u32 version;
58344 + __u32 size;
58345 +};
58346 +
58347 +struct subject_map {
58348 + struct acl_subject_label *user;
58349 + struct acl_subject_label *kernel;
58350 + struct subject_map *prev;
58351 + struct subject_map *next;
58352 +};
58353 +
58354 +struct acl_subj_map_db {
58355 + struct subject_map **s_hash;
58356 + __u32 s_size;
58357 +};
58358 +
58359 +/* End Data Structures Section */
58360 +
58361 +/* Hash functions generated by empirical testing by Brad Spengler
58362 + Makes good use of the low bits of the inode. Generally 0-1 times
58363 + in loop for successful match. 0-3 for unsuccessful match.
58364 + Shift/add algorithm with modulus of table size and an XOR*/
58365 +
58366 +static __inline__ unsigned int
58367 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
58368 +{
58369 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
58370 +}
58371 +
58372 + static __inline__ unsigned int
58373 +shash(const struct acl_subject_label *userp, const unsigned int sz)
58374 +{
58375 + return ((const unsigned long)userp % sz);
58376 +}
58377 +
58378 +static __inline__ unsigned int
58379 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
58380 +{
58381 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
58382 +}
58383 +
58384 +static __inline__ unsigned int
58385 +nhash(const char *name, const __u16 len, const unsigned int sz)
58386 +{
58387 + return full_name_hash((const unsigned char *)name, len) % sz;
58388 +}
58389 +
58390 +#define FOR_EACH_ROLE_START(role) \
58391 + role = role_list; \
58392 + while (role) {
58393 +
58394 +#define FOR_EACH_ROLE_END(role) \
58395 + role = role->prev; \
58396 + }
58397 +
58398 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
58399 + subj = NULL; \
58400 + iter = 0; \
58401 + while (iter < role->subj_hash_size) { \
58402 + if (subj == NULL) \
58403 + subj = role->subj_hash[iter]; \
58404 + if (subj == NULL) { \
58405 + iter++; \
58406 + continue; \
58407 + }
58408 +
58409 +#define FOR_EACH_SUBJECT_END(subj,iter) \
58410 + subj = subj->next; \
58411 + if (subj == NULL) \
58412 + iter++; \
58413 + }
58414 +
58415 +
58416 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
58417 + subj = role->hash->first; \
58418 + while (subj != NULL) {
58419 +
58420 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
58421 + subj = subj->next; \
58422 + }
58423 +
58424 +#endif
58425 +
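Review bot: `rhash()` shifts by `16 + type` with `type` declared `__u16`, so a `type` of 16 or more shifts a 32-bit `uid_t` sum by its full width or more, which is undefined behaviour. An unmasked `roletype` carrying `GR_ROLE_AUTH` (0x0010 in grdefs.h) would be enough. All four helpers (`rhash`, `shash`, `fhash`, `nhash`) also take `% sz` with no guard, so a zero table size is a division by zero. The callers are outside this hunk and may already guarantee both; if so, state the contract above `rhash()`: `/* type must be a role-type flag below 16; sz must be non-zero */`. Minor: `static __inline__` before `shash` has a stray leading space.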
58426 diff -urNp linux-2.6.32.43/include/linux/gralloc.h linux-2.6.32.43/include/linux/gralloc.h
58427 --- linux-2.6.32.43/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
58428 +++ linux-2.6.32.43/include/linux/gralloc.h 2011-04-17 15:56:46.000000000 -0400
58429 @@ -0,0 +1,9 @@
58430 +#ifndef __GRALLOC_H
58431 +#define __GRALLOC_H
58432 +
58433 +void acl_free_all(void);
58434 +int acl_alloc_stack_init(unsigned long size);
58435 +void *acl_alloc(unsigned long len);
58436 +void *acl_alloc_num(unsigned long num, unsigned long len);
58437 +
58438 +#endif
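Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` takes a count and an element size, but the header does not say who checks `num * len` for overflow or what the allocators return on failure. The implementation is not part of this hunk and may well handle both. Once confirmed against it, a one-line contract above the prototype would let callers rely on it, e.g. `/* returns NULL on failure or if num * len would overflow */`. The same applies to `acl_alloc_stack_init`, whose `int` return has no documented success value.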
58439 diff -urNp linux-2.6.32.43/include/linux/grdefs.h linux-2.6.32.43/include/linux/grdefs.h
58440 --- linux-2.6.32.43/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
58441 +++ linux-2.6.32.43/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
58442 @@ -0,0 +1,140 @@
58443 +#ifndef GRDEFS_H
58444 +#define GRDEFS_H
58445 +
58446 +/* Begin grsecurity status declarations */
58447 +
58448 +enum {
58449 + GR_READY = 0x01,
58450 + GR_STATUS_INIT = 0x00 // disabled state
58451 +};
58452 +
58453 +/* Begin ACL declarations */
58454 +
58455 +/* Role flags */
58456 +
58457 +enum {
58458 + GR_ROLE_USER = 0x0001,
58459 + GR_ROLE_GROUP = 0x0002,
58460 + GR_ROLE_DEFAULT = 0x0004,
58461 + GR_ROLE_SPECIAL = 0x0008,
58462 + GR_ROLE_AUTH = 0x0010,
58463 + GR_ROLE_NOPW = 0x0020,
58464 + GR_ROLE_GOD = 0x0040,
58465 + GR_ROLE_LEARN = 0x0080,
58466 + GR_ROLE_TPE = 0x0100,
58467 + GR_ROLE_DOMAIN = 0x0200,
58468 + GR_ROLE_PAM = 0x0400,
58469 + GR_ROLE_PERSIST = 0x800
58470 +};
58471 +
58472 +/* ACL Subject and Object mode flags */
58473 +enum {
58474 + GR_DELETED = 0x80000000
58475 +};
58476 +
58477 +/* ACL Object-only mode flags */
58478 +enum {
58479 + GR_READ = 0x00000001,
58480 + GR_APPEND = 0x00000002,
58481 + GR_WRITE = 0x00000004,
58482 + GR_EXEC = 0x00000008,
58483 + GR_FIND = 0x00000010,
58484 + GR_INHERIT = 0x00000020,
58485 + GR_SETID = 0x00000040,
58486 + GR_CREATE = 0x00000080,
58487 + GR_DELETE = 0x00000100,
58488 + GR_LINK = 0x00000200,
58489 + GR_AUDIT_READ = 0x00000400,
58490 + GR_AUDIT_APPEND = 0x00000800,
58491 + GR_AUDIT_WRITE = 0x00001000,
58492 + GR_AUDIT_EXEC = 0x00002000,
58493 + GR_AUDIT_FIND = 0x00004000,
58494 + GR_AUDIT_INHERIT= 0x00008000,
58495 + GR_AUDIT_SETID = 0x00010000,
58496 + GR_AUDIT_CREATE = 0x00020000,
58497 + GR_AUDIT_DELETE = 0x00040000,
58498 + GR_AUDIT_LINK = 0x00080000,
58499 + GR_PTRACERD = 0x00100000,
58500 + GR_NOPTRACE = 0x00200000,
58501 + GR_SUPPRESS = 0x00400000,
58502 + GR_NOLEARN = 0x00800000,
58503 + GR_INIT_TRANSFER= 0x01000000
58504 +};
58505 +
58506 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
58507 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
58508 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
58509 +
58510 +/* ACL subject-only mode flags */
58511 +enum {
58512 + GR_KILL = 0x00000001,
58513 + GR_VIEW = 0x00000002,
58514 + GR_PROTECTED = 0x00000004,
58515 + GR_LEARN = 0x00000008,
58516 + GR_OVERRIDE = 0x00000010,
58517 + /* just a placeholder, this mode is only used in userspace */
58518 + GR_DUMMY = 0x00000020,
58519 + GR_PROTSHM = 0x00000040,
58520 + GR_KILLPROC = 0x00000080,
58521 + GR_KILLIPPROC = 0x00000100,
58522 + /* just a placeholder, this mode is only used in userspace */
58523 + GR_NOTROJAN = 0x00000200,
58524 + GR_PROTPROCFD = 0x00000400,
58525 + GR_PROCACCT = 0x00000800,
58526 + GR_RELAXPTRACE = 0x00001000,
58527 + GR_NESTED = 0x00002000,
58528 + GR_INHERITLEARN = 0x00004000,
58529 + GR_PROCFIND = 0x00008000,
58530 + GR_POVERRIDE = 0x00010000,
58531 + GR_KERNELAUTH = 0x00020000,
58532 + GR_ATSECURE = 0x00040000,
58533 + GR_SHMEXEC = 0x00080000
58534 +};
58535 +
58536 +enum {
58537 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
58538 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
58539 + GR_PAX_ENABLE_MPROTECT = 0x0004,
58540 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
58541 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
58542 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
58543 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
58544 + GR_PAX_DISABLE_MPROTECT = 0x0400,
58545 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
58546 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
58547 +};
58548 +
58549 +enum {
58550 + GR_ID_USER = 0x01,
58551 + GR_ID_GROUP = 0x02,
58552 +};
58553 +
58554 +enum {
58555 + GR_ID_ALLOW = 0x01,
58556 + GR_ID_DENY = 0x02,
58557 +};
58558 +
58559 +#define GR_CRASH_RES 31
58560 +#define GR_UIDTABLE_MAX 500
58561 +
58562 +/* begin resource learning section */
58563 +enum {
58564 + GR_RLIM_CPU_BUMP = 60,
58565 + GR_RLIM_FSIZE_BUMP = 50000,
58566 + GR_RLIM_DATA_BUMP = 10000,
58567 + GR_RLIM_STACK_BUMP = 1000,
58568 + GR_RLIM_CORE_BUMP = 10000,
58569 + GR_RLIM_RSS_BUMP = 500000,
58570 + GR_RLIM_NPROC_BUMP = 1,
58571 + GR_RLIM_NOFILE_BUMP = 5,
58572 + GR_RLIM_MEMLOCK_BUMP = 50000,
58573 + GR_RLIM_AS_BUMP = 500000,
58574 + GR_RLIM_LOCKS_BUMP = 2,
58575 + GR_RLIM_SIGPENDING_BUMP = 5,
58576 + GR_RLIM_MSGQUEUE_BUMP = 10000,
58577 + GR_RLIM_NICE_BUMP = 1,
58578 + GR_RLIM_RTPRIO_BUMP = 1,
58579 + GR_RLIM_RTTIME_BUMP = 1000000
58580 +};
58581 +
58582 +#endif
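Review bot: `GR_DELETED = 0x80000000` is not representable as `int`, which ISO C requires of every enumerator value. GCC accepts it as an extension and gives the constant an unsigned type, so it builds, but its type then differs from every other flag in these enums. Its comment says it is a subject and object mode flag, and those `mode` fields are `__u32` in gracl.h, so a typed macro states the intent directly: `#define GR_DELETED 0x80000000U`. Minor: `GR_ROLE_PERSIST = 0x800` breaks the four-digit padding of the other role flags.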
58583 diff -urNp linux-2.6.32.43/include/linux/grinternal.h linux-2.6.32.43/include/linux/grinternal.h
58584 --- linux-2.6.32.43/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
58585 +++ linux-2.6.32.43/include/linux/grinternal.h 2011-07-14 20:35:29.000000000 -0400
58586 @@ -0,0 +1,218 @@
58587 +#ifndef __GRINTERNAL_H
58588 +#define __GRINTERNAL_H
58589 +
58590 +#ifdef CONFIG_GRKERNSEC
58591 +
58592 +#include <linux/fs.h>
58593 +#include <linux/mnt_namespace.h>
58594 +#include <linux/nsproxy.h>
58595 +#include <linux/gracl.h>
58596 +#include <linux/grdefs.h>
58597 +#include <linux/grmsg.h>
58598 +
58599 +void gr_add_learn_entry(const char *fmt, ...)
58600 + __attribute__ ((format (printf, 1, 2)));
58601 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
58602 + const struct vfsmount *mnt);
58603 +__u32 gr_check_create(const struct dentry *new_dentry,
58604 + const struct dentry *parent,
58605 + const struct vfsmount *mnt, const __u32 mode);
58606 +int gr_check_protected_task(const struct task_struct *task);
58607 +__u32 to_gr_audit(const __u32 reqmode);
58608 +int gr_set_acls(const int type);
58609 +int gr_apply_subject_to_task(struct task_struct *task);
58610 +int gr_acl_is_enabled(void);
58611 +char gr_roletype_to_char(void);
58612 +
58613 +void gr_handle_alertkill(struct task_struct *task);
58614 +char *gr_to_filename(const struct dentry *dentry,
58615 + const struct vfsmount *mnt);
58616 +char *gr_to_filename1(const struct dentry *dentry,
58617 + const struct vfsmount *mnt);
58618 +char *gr_to_filename2(const struct dentry *dentry,
58619 + const struct vfsmount *mnt);
58620 +char *gr_to_filename3(const struct dentry *dentry,
58621 + const struct vfsmount *mnt);
58622 +
58623 +extern int grsec_enable_harden_ptrace;
58624 +extern int grsec_enable_link;
58625 +extern int grsec_enable_fifo;
58626 +extern int grsec_enable_execve;
58627 +extern int grsec_enable_shm;
58628 +extern int grsec_enable_execlog;
58629 +extern int grsec_enable_signal;
58630 +extern int grsec_enable_audit_ptrace;
58631 +extern int grsec_enable_forkfail;
58632 +extern int grsec_enable_time;
58633 +extern int grsec_enable_rofs;
58634 +extern int grsec_enable_chroot_shmat;
58635 +extern int grsec_enable_chroot_mount;
58636 +extern int grsec_enable_chroot_double;
58637 +extern int grsec_enable_chroot_pivot;
58638 +extern int grsec_enable_chroot_chdir;
58639 +extern int grsec_enable_chroot_chmod;
58640 +extern int grsec_enable_chroot_mknod;
58641 +extern int grsec_enable_chroot_fchdir;
58642 +extern int grsec_enable_chroot_nice;
58643 +extern int grsec_enable_chroot_execlog;
58644 +extern int grsec_enable_chroot_caps;
58645 +extern int grsec_enable_chroot_sysctl;
58646 +extern int grsec_enable_chroot_unix;
58647 +extern int grsec_enable_tpe;
58648 +extern int grsec_tpe_gid;
58649 +extern int grsec_enable_tpe_all;
58650 +extern int grsec_enable_tpe_invert;
58651 +extern int grsec_enable_socket_all;
58652 +extern int grsec_socket_all_gid;
58653 +extern int grsec_enable_socket_client;
58654 +extern int grsec_socket_client_gid;
58655 +extern int grsec_enable_socket_server;
58656 +extern int grsec_socket_server_gid;
58657 +extern int grsec_audit_gid;
58658 +extern int grsec_enable_group;
58659 +extern int grsec_enable_audit_textrel;
58660 +extern int grsec_enable_log_rwxmaps;
58661 +extern int grsec_enable_mount;
58662 +extern int grsec_enable_chdir;
58663 +extern int grsec_resource_logging;
58664 +extern int grsec_enable_blackhole;
58665 +extern int grsec_lastack_retries;
58666 +extern int grsec_enable_brute;
58667 +extern int grsec_lock;
58668 +
58669 +extern spinlock_t grsec_alert_lock;
58670 +extern unsigned long grsec_alert_wtime;
58671 +extern unsigned long grsec_alert_fyet;
58672 +
58673 +extern spinlock_t grsec_audit_lock;
58674 +
58675 +extern rwlock_t grsec_exec_file_lock;
58676 +
58677 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
58678 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
58679 + (tsk)->exec_file->f_vfsmnt) : "/")
58680 +
58681 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
58682 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
58683 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58684 +
58685 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
58686 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
58687 + (tsk)->exec_file->f_vfsmnt) : "/")
58688 +
58689 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
58690 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
58691 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
58692 +
58693 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
58694 +
58695 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
58696 +
58697 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
58698 + (task)->pid, (cred)->uid, \
58699 + (cred)->euid, (cred)->gid, (cred)->egid, \
58700 + gr_parent_task_fullpath(task), \
58701 + (task)->real_parent->comm, (task)->real_parent->pid, \
58702 + (pcred)->uid, (pcred)->euid, \
58703 + (pcred)->gid, (pcred)->egid
58704 +
58705 +#define GR_CHROOT_CAPS {{ \
58706 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
58707 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
58708 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
58709 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
58710 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
58711 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
58712 +
58713 +#define security_learn(normal_msg,args...) \
58714 +({ \
58715 + read_lock(&grsec_exec_file_lock); \
58716 + gr_add_learn_entry(normal_msg "\n", ## args); \
58717 + read_unlock(&grsec_exec_file_lock); \
58718 +})
58719 +
58720 +enum {
58721 + GR_DO_AUDIT,
58722 + GR_DONT_AUDIT,
58723 + GR_DONT_AUDIT_GOOD
58724 +};
58725 +
58726 +enum {
58727 + GR_TTYSNIFF,
58728 + GR_RBAC,
58729 + GR_RBAC_STR,
58730 + GR_STR_RBAC,
58731 + GR_RBAC_MODE2,
58732 + GR_RBAC_MODE3,
58733 + GR_FILENAME,
58734 + GR_SYSCTL_HIDDEN,
58735 + GR_NOARGS,
58736 + GR_ONE_INT,
58737 + GR_ONE_INT_TWO_STR,
58738 + GR_ONE_STR,
58739 + GR_STR_INT,
58740 + GR_TWO_STR_INT,
58741 + GR_TWO_INT,
58742 + GR_TWO_U64,
58743 + GR_THREE_INT,
58744 + GR_FIVE_INT_TWO_STR,
58745 + GR_TWO_STR,
58746 + GR_THREE_STR,
58747 + GR_FOUR_STR,
58748 + GR_STR_FILENAME,
58749 + GR_FILENAME_STR,
58750 + GR_FILENAME_TWO_INT,
58751 + GR_FILENAME_TWO_INT_STR,
58752 + GR_TEXTREL,
58753 + GR_PTRACE,
58754 + GR_RESOURCE,
58755 + GR_CAP,
58756 + GR_SIG,
58757 + GR_SIG2,
58758 + GR_CRASH1,
58759 + GR_CRASH2,
58760 + GR_PSACCT,
58761 + GR_RWXMAP
58762 +};
58763 +
58764 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
58765 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
58766 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
58767 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
58768 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
58769 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
58770 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
58771 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
58772 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
58773 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
58774 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
58775 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
58776 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
58777 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
58778 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
58779 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
58780 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
58781 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
58782 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
58783 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
58784 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
58785 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
58786 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
58787 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
58788 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
58789 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
58790 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
58791 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
58792 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
58793 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
58794 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
58795 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
58796 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
58797 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
58798 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
58799 +
58800 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
58801 +
58802 +#endif
58803 +
58804 +#endif
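Review bot: `gr_log_varargs()` picks its `va_arg` sequence from the `argtypes` tag, so the compiler cannot check that a wrapper passes what its tag promises. One wrapper visibly disagrees with its tag's name: `gr_log_int5_str2(audit, msg, num1, num2, str1, str2)` forwards two numbers and two strings under `GR_FIVE_INT_TWO_STR`. The handling of that tag is outside this hunk, so this may only be a misleading name; if that case reads five ints, the call reads past its arguments. Either way the rule belongs above the prototype: `/* argtypes fixes the count and types of the variadic arguments; call only through the gr_log_*() wrappers */`.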
58805 diff -urNp linux-2.6.32.43/include/linux/grmsg.h linux-2.6.32.43/include/linux/grmsg.h
58806 --- linux-2.6.32.43/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
58807 +++ linux-2.6.32.43/include/linux/grmsg.h 2011-04-17 15:56:46.000000000 -0400
58808 @@ -0,0 +1,108 @@
58809 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
58810 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
58811 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
58812 +#define GR_STOPMOD_MSG "denied modification of module state by "
58813 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
58814 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
58815 +#define GR_IOPERM_MSG "denied use of ioperm() by "
58816 +#define GR_IOPL_MSG "denied use of iopl() by "
58817 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
58818 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
58819 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
58820 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
58821 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
58822 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
58823 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
58824 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
58825 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
58826 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
58827 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
58828 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
58829 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
58830 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
58831 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
58832 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
58833 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
58834 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
58835 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
58836 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
58837 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
58838 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
58839 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
58840 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
58841 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
58842 +#define GR_NPROC_MSG "denied overstep of process limit by "
58843 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
58844 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
58845 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
58846 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
58847 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
58848 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
58849 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
58850 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
58851 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
58852 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
58853 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
58854 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
58855 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
58856 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
58857 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
58858 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
58859 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
58860 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
58861 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
58862 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
58863 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
58864 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
58865 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
58866 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
58867 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
58868 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
58869 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
58870 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
58871 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
58872 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
58873 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
58874 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
58875 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
58876 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
58877 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
58878 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
58879 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
58880 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
58881 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
58882 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
58883 +#define GR_NICE_CHROOT_MSG "denied priority change by "
58884 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
58885 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
58886 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
58887 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
58888 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
58889 +#define GR_TIME_MSG "time set by "
58890 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
58891 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
58892 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
58893 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
58894 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
58895 +#define GR_BIND_MSG "denied bind() by "
58896 +#define GR_CONNECT_MSG "denied connect() by "
58897 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
58898 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
58899 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
58900 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
58901 +#define GR_CAP_ACL_MSG "use of %s denied for "
58902 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
58903 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
58904 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
58905 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
58906 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
58907 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
58908 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
58909 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
58910 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
58911 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
58912 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
58913 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
58914 +#define GR_VM86_MSG "denied use of vm86 by "
58915 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
58916 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
58917 diff -urNp linux-2.6.32.43/include/linux/grsecurity.h linux-2.6.32.43/include/linux/grsecurity.h
58918 --- linux-2.6.32.43/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
58919 +++ linux-2.6.32.43/include/linux/grsecurity.h 2011-08-05 19:53:46.000000000 -0400
58920 @@ -0,0 +1,218 @@
58921 +#ifndef GR_SECURITY_H
58922 +#define GR_SECURITY_H
58923 +#include <linux/fs.h>
58924 +#include <linux/fs_struct.h>
58925 +#include <linux/binfmts.h>
58926 +#include <linux/gracl.h>
58927 +#include <linux/compat.h>
58928 +
58929 +/* notify of brain-dead configs */
58930 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58931 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
58932 +#endif
58933 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
58934 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
58935 +#endif
58936 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58937 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58938 +#endif
58939 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
58940 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
58941 +#endif
58942 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
58943 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
58944 +#endif
58945 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
58946 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
58947 +#endif
58948 +
58949 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
58950 +void gr_handle_brute_check(void);
58951 +void gr_handle_kernel_exploit(void);
58952 +int gr_process_user_ban(void);
58953 +
58954 +char gr_roletype_to_char(void);
58955 +
58956 +int gr_acl_enable_at_secure(void);
58957 +
58958 +int gr_check_user_change(int real, int effective, int fs);
58959 +int gr_check_group_change(int real, int effective, int fs);
58960 +
58961 +void gr_del_task_from_ip_table(struct task_struct *p);
58962 +
58963 +int gr_pid_is_chrooted(struct task_struct *p);
58964 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
58965 +int gr_handle_chroot_nice(void);
58966 +int gr_handle_chroot_sysctl(const int op);
58967 +int gr_handle_chroot_setpriority(struct task_struct *p,
58968 + const int niceval);
58969 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
58970 +int gr_handle_chroot_chroot(const struct dentry *dentry,
58971 + const struct vfsmount *mnt);
58972 +int gr_handle_chroot_caps(struct path *path);
58973 +void gr_handle_chroot_chdir(struct path *path);
58974 +int gr_handle_chroot_chmod(const struct dentry *dentry,
58975 + const struct vfsmount *mnt, const int mode);
58976 +int gr_handle_chroot_mknod(const struct dentry *dentry,
58977 + const struct vfsmount *mnt, const int mode);
58978 +int gr_handle_chroot_mount(const struct dentry *dentry,
58979 + const struct vfsmount *mnt,
58980 + const char *dev_name);
58981 +int gr_handle_chroot_pivot(void);
58982 +int gr_handle_chroot_unix(const pid_t pid);
58983 +
58984 +int gr_handle_rawio(const struct inode *inode);
58985 +int gr_handle_nproc(void);
58986 +
58987 +void gr_handle_ioperm(void);
58988 +void gr_handle_iopl(void);
58989 +
58990 +int gr_tpe_allow(const struct file *file);
58991 +
58992 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
58993 +void gr_clear_chroot_entries(struct task_struct *task);
58994 +
58995 +void gr_log_forkfail(const int retval);
58996 +void gr_log_timechange(void);
58997 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
58998 +void gr_log_chdir(const struct dentry *dentry,
58999 + const struct vfsmount *mnt);
59000 +void gr_log_chroot_exec(const struct dentry *dentry,
59001 + const struct vfsmount *mnt);
59002 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
59003 +#ifdef CONFIG_COMPAT
59004 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
59005 +#endif
59006 +void gr_log_remount(const char *devname, const int retval);
59007 +void gr_log_unmount(const char *devname, const int retval);
59008 +void gr_log_mount(const char *from, const char *to, const int retval);
59009 +void gr_log_textrel(struct vm_area_struct *vma);
59010 +void gr_log_rwxmmap(struct file *file);
59011 +void gr_log_rwxmprotect(struct file *file);
59012 +
59013 +int gr_handle_follow_link(const struct inode *parent,
59014 + const struct inode *inode,
59015 + const struct dentry *dentry,
59016 + const struct vfsmount *mnt);
59017 +int gr_handle_fifo(const struct dentry *dentry,
59018 + const struct vfsmount *mnt,
59019 + const struct dentry *dir, const int flag,
59020 + const int acc_mode);
59021 +int gr_handle_hardlink(const struct dentry *dentry,
59022 + const struct vfsmount *mnt,
59023 + struct inode *inode,
59024 + const int mode, const char *to);
59025 +
59026 +int gr_is_capable(const int cap);
59027 +int gr_is_capable_nolog(const int cap);
59028 +void gr_learn_resource(const struct task_struct *task, const int limit,
59029 + const unsigned long wanted, const int gt);
59030 +void gr_copy_label(struct task_struct *tsk);
59031 +void gr_handle_crash(struct task_struct *task, const int sig);
59032 +int gr_handle_signal(const struct task_struct *p, const int sig);
59033 +int gr_check_crash_uid(const uid_t uid);
59034 +int gr_check_protected_task(const struct task_struct *task);
59035 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
59036 +int gr_acl_handle_mmap(const struct file *file,
59037 + const unsigned long prot);
59038 +int gr_acl_handle_mprotect(const struct file *file,
59039 + const unsigned long prot);
59040 +int gr_check_hidden_task(const struct task_struct *tsk);
59041 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
59042 + const struct vfsmount *mnt);
59043 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
59044 + const struct vfsmount *mnt);
59045 +__u32 gr_acl_handle_access(const struct dentry *dentry,
59046 + const struct vfsmount *mnt, const int fmode);
59047 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
59048 + const struct vfsmount *mnt, mode_t mode);
59049 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
59050 + const struct vfsmount *mnt, mode_t mode);
59051 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
59052 + const struct vfsmount *mnt);
59053 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
59054 + const struct vfsmount *mnt);
59055 +int gr_handle_ptrace(struct task_struct *task, const long request);
59056 +int gr_handle_proc_ptrace(struct task_struct *task);
59057 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
59058 + const struct vfsmount *mnt);
59059 +int gr_check_crash_exec(const struct file *filp);
59060 +int gr_acl_is_enabled(void);
59061 +void gr_set_kernel_label(struct task_struct *task);
59062 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
59063 + const gid_t gid);
59064 +int gr_set_proc_label(const struct dentry *dentry,
59065 + const struct vfsmount *mnt,
59066 + const int unsafe_share);
59067 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
59068 + const struct vfsmount *mnt);
59069 +__u32 gr_acl_handle_open(const struct dentry *dentry,
59070 + const struct vfsmount *mnt, const int fmode);
59071 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
59072 + const struct dentry *p_dentry,
59073 + const struct vfsmount *p_mnt, const int fmode,
59074 + const int imode);
59075 +void gr_handle_create(const struct dentry *dentry,
59076 + const struct vfsmount *mnt);
59077 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
59078 + const struct dentry *parent_dentry,
59079 + const struct vfsmount *parent_mnt,
59080 + const int mode);
59081 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
59082 + const struct dentry *parent_dentry,
59083 + const struct vfsmount *parent_mnt);
59084 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
59085 + const struct vfsmount *mnt);
59086 +void gr_handle_delete(const ino_t ino, const dev_t dev);
59087 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
59088 + const struct vfsmount *mnt);
59089 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
59090 + const struct dentry *parent_dentry,
59091 + const struct vfsmount *parent_mnt,
59092 + const char *from);
59093 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
59094 + const struct dentry *parent_dentry,
59095 + const struct vfsmount *parent_mnt,
59096 + const struct dentry *old_dentry,
59097 + const struct vfsmount *old_mnt, const char *to);
59098 +int gr_acl_handle_rename(struct dentry *new_dentry,
59099 + struct dentry *parent_dentry,
59100 + const struct vfsmount *parent_mnt,
59101 + struct dentry *old_dentry,
59102 + struct inode *old_parent_inode,
59103 + struct vfsmount *old_mnt, const char *newname);
59104 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
59105 + struct dentry *old_dentry,
59106 + struct dentry *new_dentry,
59107 + struct vfsmount *mnt, const __u8 replace);
59108 +__u32 gr_check_link(const struct dentry *new_dentry,
59109 + const struct dentry *parent_dentry,
59110 + const struct vfsmount *parent_mnt,
59111 + const struct dentry *old_dentry,
59112 + const struct vfsmount *old_mnt);
59113 +int gr_acl_handle_filldir(const struct file *file, const char *name,
59114 + const unsigned int namelen, const ino_t ino);
59115 +
59116 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
59117 + const struct vfsmount *mnt);
59118 +void gr_acl_handle_exit(void);
59119 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
59120 +int gr_acl_handle_procpidmem(const struct task_struct *task);
59121 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
59122 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
59123 +void gr_audit_ptrace(struct task_struct *task);
59124 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
59125 +
59126 +#ifdef CONFIG_GRKERNSEC
59127 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
59128 +void gr_handle_vm86(void);
59129 +void gr_handle_mem_readwrite(u64 from, u64 to);
59130 +
59131 +extern int grsec_enable_dmesg;
59132 +extern int grsec_disable_privio;
59133 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59134 +extern int grsec_enable_chroot_findtask;
59135 +#endif
59136 +#endif
59137 +
59138 +#endif
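Review bot: The new header gives no return-value contract for its hooks: the `gr_handle_*` and `gr_check_*` functions return `int`, most `gr_acl_handle_*` functions return `__u32`, and nothing here says whether non-zero means deny or allow for either family. These are called from permission paths, so a caller that guesses the polarity wrong fails open; each group should carry a one-line comment such as `/* returns <deny/allow convention, confirm against the implementation> */`. The id parameters are also inconsistent: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take ids as `int`, while `gr_check_crash_uid` and `gr_set_role_label` use `uid_t`/`gid_t`. If `int` is there to carry a -1 "unchanged" value, that deserves a comment too. Only the last few declarations sit under `#ifdef CONFIG_GRKERNSEC`, so presumably stubs for the rest exist elsewhere when it is disabled, which is worth stating at the top of the file.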
59139 diff -urNp linux-2.6.32.43/include/linux/hdpu_features.h linux-2.6.32.43/include/linux/hdpu_features.h
59140 --- linux-2.6.32.43/include/linux/hdpu_features.h 2011-03-27 14:31:47.000000000 -0400
59141 +++ linux-2.6.32.43/include/linux/hdpu_features.h 2011-04-17 15:56:46.000000000 -0400
59142 @@ -3,7 +3,7 @@
59143 struct cpustate_t {
59144 spinlock_t lock;
59145 int excl;
59146 - int open_count;
59147 + atomic_t open_count;
59148 unsigned char cached_val;
59149 int inited;
59150 unsigned long *set_addr;
59151 diff -urNp linux-2.6.32.43/include/linux/highmem.h linux-2.6.32.43/include/linux/highmem.h
59152 --- linux-2.6.32.43/include/linux/highmem.h 2011-03-27 14:31:47.000000000 -0400
59153 +++ linux-2.6.32.43/include/linux/highmem.h 2011-04-17 15:56:46.000000000 -0400
59154 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
59155 kunmap_atomic(kaddr, KM_USER0);
59156 }
59157
59158 +static inline void sanitize_highpage(struct page *page)
59159 +{
59160 + void *kaddr;
59161 + unsigned long flags;
59162 +
59163 + local_irq_save(flags);
59164 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
59165 + clear_page(kaddr);
59166 + kunmap_atomic(kaddr, KM_CLEARPAGE);
59167 + local_irq_restore(flags);
59168 +}
59169 +
59170 static inline void zero_user_segments(struct page *page,
59171 unsigned start1, unsigned end1,
59172 unsigned start2, unsigned end2)
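Review bot: `sanitize_highpage()` is added without a comment explaining how it differs from `clear_highpage()` just above it. From the hunk, the differences are the dedicated `KM_CLEARPAGE` slot and the `local_irq_save()`/`local_irq_restore()` pair around the mapping. A reader cannot tell whether interrupts are disabled because that slot can also be used from interrupt context or for some other reason. I would add something like `/* clear a highmem page via the KM_CLEARPAGE slot with IRQs off; usable where KM_USER0 may be busy (confirm) */` above the function. Only the tail of `clear_highpage()` is visible in this hunk.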
59173 diff -urNp linux-2.6.32.43/include/linux/i2o.h linux-2.6.32.43/include/linux/i2o.h
59174 --- linux-2.6.32.43/include/linux/i2o.h 2011-03-27 14:31:47.000000000 -0400
59175 +++ linux-2.6.32.43/include/linux/i2o.h 2011-05-04 17:56:28.000000000 -0400
59176 @@ -564,7 +564,7 @@ struct i2o_controller {
59177 struct i2o_device *exec; /* Executive */
59178 #if BITS_PER_LONG == 64
59179 spinlock_t context_list_lock; /* lock for context_list */
59180 - atomic_t context_list_counter; /* needed for unique contexts */
59181 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
59182 struct list_head context_list; /* list of context id's
59183 and pointers */
59184 #endif
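Review bot: `context_list_counter` is switched to `atomic_unchecked_t` while its comment still says it is "needed for unique contexts". If the unchecked type means overflow is no longer detected (its definition is not in this hunk), a wrapped counter could hand out a context id that is still on `context_list`. Either say why wrap-around is harmless here or keep the checked type; a comment such as `/* may wrap: <why a reused id cannot collide with a live entry, confirm> */` would settle it. `struct i2o_controller` starts and ends outside the hunk.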
59185 diff -urNp linux-2.6.32.43/include/linux/init_task.h linux-2.6.32.43/include/linux/init_task.h
59186 --- linux-2.6.32.43/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
59187 +++ linux-2.6.32.43/include/linux/init_task.h 2011-05-18 20:44:59.000000000 -0400
59188 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
59189 #define INIT_IDS
59190 #endif
59191
59192 +#ifdef CONFIG_X86
59193 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
59194 +#else
59195 +#define INIT_TASK_THREAD_INFO
59196 +#endif
59197 +
59198 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
59199 /*
59200 * Because of the reduced scope of CAP_SETPCAP when filesystem
59201 @@ -156,6 +162,7 @@ extern struct cred init_cred;
59202 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
59203 .comm = "swapper", \
59204 .thread = INIT_THREAD, \
59205 + INIT_TASK_THREAD_INFO \
59206 .fs = &init_fs, \
59207 .files = &init_files, \
59208 .signal = &init_signals, \
59209 diff -urNp linux-2.6.32.43/include/linux/intel-iommu.h linux-2.6.32.43/include/linux/intel-iommu.h
59210 --- linux-2.6.32.43/include/linux/intel-iommu.h 2011-03-27 14:31:47.000000000 -0400
59211 +++ linux-2.6.32.43/include/linux/intel-iommu.h 2011-08-05 20:33:55.000000000 -0400
59212 @@ -296,7 +296,7 @@ struct iommu_flush {
59213 u8 fm, u64 type);
59214 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
59215 unsigned int size_order, u64 type);
59216 -};
59217 +} __no_const;
59218
59219 enum {
59220 SR_DMAR_FECTL_REG,
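Review bot: `__no_const` is applied to `struct iommu_flush` with no comment on why this table of function pointers has to stay writable, while most neighbouring hunks go the other way and add `const` to such tables. A writable function-pointer table is exactly what a stray kernel write can redirect, so each exemption should name its reason next to the attribute, e.g. `/* assigned at runtime, cannot be const */`, once the assigning code is confirmed. The same applies to `struct mca_bus_accessor_functions` in mca.h and `struct memory_accessor` in memory.h later in this patch. The struct begins outside the hunk.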
59221 diff -urNp linux-2.6.32.43/include/linux/interrupt.h linux-2.6.32.43/include/linux/interrupt.h
59222 --- linux-2.6.32.43/include/linux/interrupt.h 2011-06-25 12:55:35.000000000 -0400
59223 +++ linux-2.6.32.43/include/linux/interrupt.h 2011-06-25 12:56:37.000000000 -0400
59224 @@ -363,7 +363,7 @@ enum
59225 /* map softirq index to softirq name. update 'softirq_to_name' in
59226 * kernel/softirq.c when adding a new softirq.
59227 */
59228 -extern char *softirq_to_name[NR_SOFTIRQS];
59229 +extern const char * const softirq_to_name[NR_SOFTIRQS];
59230
59231 /* softirq mask and active fields moved to irq_cpustat_t in
59232 * asm/hardirq.h to get better cache usage. KAO
59233 @@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
59234
59235 struct softirq_action
59236 {
59237 - void (*action)(struct softirq_action *);
59238 + void (*action)(void);
59239 };
59240
59241 asmlinkage void do_softirq(void);
59242 asmlinkage void __do_softirq(void);
59243 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
59244 +extern void open_softirq(int nr, void (*action)(void));
59245 extern void softirq_init(void);
59246 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
59247 extern void raise_softirq_irqoff(unsigned int nr);
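Review bot: The handler type changes from `void (*)(struct softirq_action *)` to `void (*)(void)` in both `struct softirq_action` and `open_softirq()`, but nothing in the header records the new contract. A handler that is registered through a cast would be called through an incompatible function type, and the cast hides that from the compiler. I would put a comment on the prototype, for example `/* action takes no argument; never cast a handler with the old signature */`.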
59248 diff -urNp linux-2.6.32.43/include/linux/irq.h linux-2.6.32.43/include/linux/irq.h
59249 --- linux-2.6.32.43/include/linux/irq.h 2011-03-27 14:31:47.000000000 -0400
59250 +++ linux-2.6.32.43/include/linux/irq.h 2011-04-17 15:56:46.000000000 -0400
59251 @@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
59252 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
59253 bool boot)
59254 {
59255 +#ifdef CONFIG_CPUMASK_OFFSTACK
59256 gfp_t gfp = GFP_ATOMIC;
59257
59258 if (boot)
59259 gfp = GFP_NOWAIT;
59260
59261 -#ifdef CONFIG_CPUMASK_OFFSTACK
59262 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
59263 return false;
59264
59265 diff -urNp linux-2.6.32.43/include/linux/kallsyms.h linux-2.6.32.43/include/linux/kallsyms.h
59266 --- linux-2.6.32.43/include/linux/kallsyms.h 2011-03-27 14:31:47.000000000 -0400
59267 +++ linux-2.6.32.43/include/linux/kallsyms.h 2011-04-17 15:56:46.000000000 -0400
59268 @@ -15,7 +15,8 @@
59269
59270 struct module;
59271
59272 -#ifdef CONFIG_KALLSYMS
59273 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
59274 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59275 /* Lookup the address for a symbol. Returns 0 if not found. */
59276 unsigned long kallsyms_lookup_name(const char *name);
59277
59278 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
59279 /* Stupid that this does nothing, but I didn't create this mess. */
59280 #define __print_symbol(fmt, addr)
59281 #endif /*CONFIG_KALLSYMS*/
59282 +#else /* when included by kallsyms.c, vsnprintf.c, or
59283 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
59284 +extern void __print_symbol(const char *fmt, unsigned long address);
59285 +extern int sprint_symbol(char *buffer, unsigned long address);
59286 +const char *kallsyms_lookup(unsigned long addr,
59287 + unsigned long *symbolsize,
59288 + unsigned long *offset,
59289 + char **modname, char *namebuf);
59290 +#endif
59291
59292 /* This macro allows us to keep printk typechecking */
59293 static void __check_printsym_format(const char *fmt, ...)
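Review bot: The comment on the added `#else` says this branch is taken "with HIDESYM enabled", but the condition it belongs to, `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` in the previous hunk, never tests `CONFIG_GRKERNSEC_HIDESYM`. Unless `__INCLUDED_BY_HIDESYM` is only ever defined under that option (not visible here), a file that defines it gets just these three declarations and loses `kallsyms_lookup_name()` and the other prototypes. The context line `#endif /*CONFIG_KALLSYMS*/` now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)`, so its label is stale, and the new `#endif` is unlabelled. I would write the new one as `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`.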
59294 diff -urNp linux-2.6.32.43/include/linux/kgdb.h linux-2.6.32.43/include/linux/kgdb.h
59295 --- linux-2.6.32.43/include/linux/kgdb.h 2011-03-27 14:31:47.000000000 -0400
59296 +++ linux-2.6.32.43/include/linux/kgdb.h 2011-08-05 20:33:55.000000000 -0400
59297 @@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
59298
59299 extern int kgdb_connected;
59300
59301 -extern atomic_t kgdb_setting_breakpoint;
59302 -extern atomic_t kgdb_cpu_doing_single_step;
59303 +extern atomic_unchecked_t kgdb_setting_breakpoint;
59304 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
59305
59306 extern struct task_struct *kgdb_usethread;
59307 extern struct task_struct *kgdb_contthread;
59308 @@ -226,8 +226,8 @@ extern int kgdb_arch_remove_breakpoint(u
59309 * hardware debug registers.
59310 */
59311 struct kgdb_arch {
59312 - unsigned char gdb_bpt_instr[BREAK_INSTR_SIZE];
59313 - unsigned long flags;
59314 + const unsigned char gdb_bpt_instr[BREAK_INSTR_SIZE];
59315 + const unsigned long flags;
59316
59317 int (*set_breakpoint)(unsigned long, char *);
59318 int (*remove_breakpoint)(unsigned long, char *);
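Review bot: Only the data members `gdb_bpt_instr` and `flags` of `struct kgdb_arch` get `const`, while the function pointers right below them (`set_breakpoint`, `remove_breakpoint`) stay unqualified. In `struct kgdb_io` in the next hunk every pointer becomes `(* const ...)`. As written, the `kgdb_arch` pointers are read-only only when the object itself is declared const, as `extern const struct kgdb_arch arch_kgdb_ops` does. For consistency I would qualify them the same way, e.g. `int (* const set_breakpoint)(unsigned long, char *);`, or drop the member-level `const` and rely on the const object throughout. The struct continues past the end of the hunk.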
59319 @@ -251,20 +251,20 @@ struct kgdb_arch {
59320 */
59321 struct kgdb_io {
59322 const char *name;
59323 - int (*read_char) (void);
59324 - void (*write_char) (u8);
59325 - void (*flush) (void);
59326 - int (*init) (void);
59327 - void (*pre_exception) (void);
59328 - void (*post_exception) (void);
59329 + int (* const read_char) (void);
59330 + void (* const write_char) (u8);
59331 + void (* const flush) (void);
59332 + int (* const init) (void);
59333 + void (* const pre_exception) (void);
59334 + void (* const post_exception) (void);
59335 };
59336
59337 -extern struct kgdb_arch arch_kgdb_ops;
59338 +extern const struct kgdb_arch arch_kgdb_ops;
59339
59340 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
59341
59342 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
59343 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
59344 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
59345 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
59346
59347 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
59348 extern int kgdb_mem2hex(char *mem, char *buf, int count);
59349 diff -urNp linux-2.6.32.43/include/linux/kmod.h linux-2.6.32.43/include/linux/kmod.h
59350 --- linux-2.6.32.43/include/linux/kmod.h 2011-03-27 14:31:47.000000000 -0400
59351 +++ linux-2.6.32.43/include/linux/kmod.h 2011-04-17 15:56:46.000000000 -0400
59352 @@ -31,6 +31,8 @@
59353 * usually useless though. */
59354 extern int __request_module(bool wait, const char *name, ...) \
59355 __attribute__((format(printf, 2, 3)));
59356 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
59357 + __attribute__((format(printf, 3, 4)));
59358 #define request_module(mod...) __request_module(true, mod)
59359 #define request_module_nowait(mod...) __request_module(false, mod)
59360 #define try_then_request_module(x, mod...) \
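Review bot: `___request_module()` differs from `__request_module()` by a single underscore and is added without any description of `param_name`, so the two are easy to confuse at call sites. `param_name` is also `char *` rather than `const char *`; if the callee does not write through it (not visible here), the prototype should read `extern int ___request_module(bool wait, const char *param_name, const char *name, ...)`. A one-line comment saying what `param_name` carries and which callers are expected to use this variant would help.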
59361 diff -urNp linux-2.6.32.43/include/linux/kobject.h linux-2.6.32.43/include/linux/kobject.h
59362 --- linux-2.6.32.43/include/linux/kobject.h 2011-03-27 14:31:47.000000000 -0400
59363 +++ linux-2.6.32.43/include/linux/kobject.h 2011-04-17 15:56:46.000000000 -0400
59364 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
59365
59366 struct kobj_type {
59367 void (*release)(struct kobject *kobj);
59368 - struct sysfs_ops *sysfs_ops;
59369 + const struct sysfs_ops *sysfs_ops;
59370 struct attribute **default_attrs;
59371 };
59372
59373 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
59374 };
59375
59376 struct kset_uevent_ops {
59377 - int (*filter)(struct kset *kset, struct kobject *kobj);
59378 - const char *(*name)(struct kset *kset, struct kobject *kobj);
59379 - int (*uevent)(struct kset *kset, struct kobject *kobj,
59380 + int (* const filter)(struct kset *kset, struct kobject *kobj);
59381 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
59382 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
59383 struct kobj_uevent_env *env);
59384 };
59385
59386 @@ -132,7 +132,7 @@ struct kobj_attribute {
59387 const char *buf, size_t count);
59388 };
59389
59390 -extern struct sysfs_ops kobj_sysfs_ops;
59391 +extern const struct sysfs_ops kobj_sysfs_ops;
59392
59393 /**
59394 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
59395 @@ -155,14 +155,14 @@ struct kset {
59396 struct list_head list;
59397 spinlock_t list_lock;
59398 struct kobject kobj;
59399 - struct kset_uevent_ops *uevent_ops;
59400 + const struct kset_uevent_ops *uevent_ops;
59401 };
59402
59403 extern void kset_init(struct kset *kset);
59404 extern int __must_check kset_register(struct kset *kset);
59405 extern void kset_unregister(struct kset *kset);
59406 extern struct kset * __must_check kset_create_and_add(const char *name,
59407 - struct kset_uevent_ops *u,
59408 + const struct kset_uevent_ops *u,
59409 struct kobject *parent_kobj);
59410
59411 static inline struct kset *to_kset(struct kobject *kobj)
59412 diff -urNp linux-2.6.32.43/include/linux/kvm_host.h linux-2.6.32.43/include/linux/kvm_host.h
59413 --- linux-2.6.32.43/include/linux/kvm_host.h 2011-03-27 14:31:47.000000000 -0400
59414 +++ linux-2.6.32.43/include/linux/kvm_host.h 2011-04-17 15:56:46.000000000 -0400
59415 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
59416 void vcpu_load(struct kvm_vcpu *vcpu);
59417 void vcpu_put(struct kvm_vcpu *vcpu);
59418
59419 -int kvm_init(void *opaque, unsigned int vcpu_size,
59420 +int kvm_init(const void *opaque, unsigned int vcpu_size,
59421 struct module *module);
59422 void kvm_exit(void);
59423
59424 @@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
59425 struct kvm_guest_debug *dbg);
59426 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
59427
59428 -int kvm_arch_init(void *opaque);
59429 +int kvm_arch_init(const void *opaque);
59430 void kvm_arch_exit(void);
59431
59432 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
59433 diff -urNp linux-2.6.32.43/include/linux/libata.h linux-2.6.32.43/include/linux/libata.h
59434 --- linux-2.6.32.43/include/linux/libata.h 2011-03-27 14:31:47.000000000 -0400
59435 +++ linux-2.6.32.43/include/linux/libata.h 2011-08-05 20:33:55.000000000 -0400
59436 @@ -525,11 +525,11 @@ struct ata_ioports {
59437
59438 struct ata_host {
59439 spinlock_t lock;
59440 - struct device *dev;
59441 + struct device *dev;
59442 void __iomem * const *iomap;
59443 unsigned int n_ports;
59444 void *private_data;
59445 - struct ata_port_operations *ops;
59446 + const struct ata_port_operations *ops;
59447 unsigned long flags;
59448 #ifdef CONFIG_ATA_ACPI
59449 acpi_handle acpi_handle;
59450 @@ -710,7 +710,7 @@ struct ata_link {
59451
59452 struct ata_port {
59453 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
59454 - struct ata_port_operations *ops;
59455 + const struct ata_port_operations *ops;
59456 spinlock_t *lock;
59457 /* Flags owned by the EH context. Only EH should touch these once the
59458 port is active */
59459 @@ -883,7 +883,7 @@ struct ata_port_operations {
59460 * ->inherits must be the last field and all the preceding
59461 * fields must be pointers.
59462 */
59463 - const struct ata_port_operations *inherits;
59464 + const struct ata_port_operations * const inherits;
59465 };
59466
59467 struct ata_port_info {
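Review bot: `inherits` becomes `* const`, yet the comment directly above it says "->inherits must be the last field and all the preceding fields must be pointers", which suggests the table is walked generically at runtime. If that processing writes into the ops table (not visible in this hunk), it now needs a writable copy, because a cast-away-const write would fault once the tables sit in read-only memory. The comment should record how inheritance is resolved now that the tables are const, e.g. `/* resolved <where/when, confirm>; tables are never modified after that */`. `struct ata_port_operations` starts outside the hunk.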
59468 @@ -892,7 +892,7 @@ struct ata_port_info {
59469 unsigned long pio_mask;
59470 unsigned long mwdma_mask;
59471 unsigned long udma_mask;
59472 - struct ata_port_operations *port_ops;
59473 + const struct ata_port_operations *port_ops;
59474 void *private_data;
59475 };
59476
59477 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
59478 extern const unsigned long sata_deb_timing_hotplug[];
59479 extern const unsigned long sata_deb_timing_long[];
59480
59481 -extern struct ata_port_operations ata_dummy_port_ops;
59482 +extern const struct ata_port_operations ata_dummy_port_ops;
59483 extern const struct ata_port_info ata_dummy_port_info;
59484
59485 static inline const unsigned long *
59486 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
59487 struct scsi_host_template *sht);
59488 extern void ata_host_detach(struct ata_host *host);
59489 extern void ata_host_init(struct ata_host *, struct device *,
59490 - unsigned long, struct ata_port_operations *);
59491 + unsigned long, const struct ata_port_operations *);
59492 extern int ata_scsi_detect(struct scsi_host_template *sht);
59493 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
59494 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
59495 diff -urNp linux-2.6.32.43/include/linux/lockd/bind.h linux-2.6.32.43/include/linux/lockd/bind.h
59496 --- linux-2.6.32.43/include/linux/lockd/bind.h 2011-03-27 14:31:47.000000000 -0400
59497 +++ linux-2.6.32.43/include/linux/lockd/bind.h 2011-04-17 15:56:46.000000000 -0400
59498 @@ -23,13 +23,13 @@ struct svc_rqst;
59499 * This is the set of functions for lockd->nfsd communication
59500 */
59501 struct nlmsvc_binding {
59502 - __be32 (*fopen)(struct svc_rqst *,
59503 + __be32 (* const fopen)(struct svc_rqst *,
59504 struct nfs_fh *,
59505 struct file **);
59506 - void (*fclose)(struct file *);
59507 + void (* const fclose)(struct file *);
59508 };
59509
59510 -extern struct nlmsvc_binding * nlmsvc_ops;
59511 +extern const struct nlmsvc_binding * nlmsvc_ops;
59512
59513 /*
59514 * Similar to nfs_client_initdata, but without the NFS-specific
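Review bot: `extern const struct nlmsvc_binding * nlmsvc_ops;` makes the pointed-to table const but leaves the global pointer itself writable, so the `(* const ...)` members added above do not stop `nlmsvc_ops` from being repointed at a different table. That is probably required for registration, but it should be stated on the declaration, e.g. `/* assigned at registration (confirm by whom); the table it points to is read-only */`.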
59515 diff -urNp linux-2.6.32.43/include/linux/mca.h linux-2.6.32.43/include/linux/mca.h
59516 --- linux-2.6.32.43/include/linux/mca.h 2011-03-27 14:31:47.000000000 -0400
59517 +++ linux-2.6.32.43/include/linux/mca.h 2011-08-05 20:33:55.000000000 -0400
59518 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
59519 int region);
59520 void * (*mca_transform_memory)(struct mca_device *,
59521 void *memory);
59522 -};
59523 +} __no_const;
59524
59525 struct mca_bus {
59526 u64 default_dma_mask;
59527 diff -urNp linux-2.6.32.43/include/linux/memory.h linux-2.6.32.43/include/linux/memory.h
59528 --- linux-2.6.32.43/include/linux/memory.h 2011-03-27 14:31:47.000000000 -0400
59529 +++ linux-2.6.32.43/include/linux/memory.h 2011-08-05 20:33:55.000000000 -0400
59530 @@ -108,7 +108,7 @@ struct memory_accessor {
59531 size_t count);
59532 ssize_t (*write)(struct memory_accessor *, const char *buf,
59533 off_t offset, size_t count);
59534 -};
59535 +} __no_const;
59536
59537 /*
59538 * Kernel text modification mutex, used for code patching. Users of this lock
59539 diff -urNp linux-2.6.32.43/include/linux/mm.h linux-2.6.32.43/include/linux/mm.h
59540 --- linux-2.6.32.43/include/linux/mm.h 2011-03-27 14:31:47.000000000 -0400
59541 +++ linux-2.6.32.43/include/linux/mm.h 2011-04-17 15:56:46.000000000 -0400
59542 @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
59543
59544 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
59545 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
59546 +
59547 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
59548 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
59549 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
59550 +#else
59551 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
59552 +#endif
59553 +
59554 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
59555 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
59556
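Review bot: With `CONFIG_PAX_PAGEEXEC` on `CONFIG_X86_32`, `VM_PAGEEXEC` takes over bit `0x20000000` and `VM_SAO` is defined as `0x00000000`, but the comment on the zero definition still just reads "Strong Access Ordering (powerpc)". A zero flag makes every `vm_flags & VM_SAO` test false and every `|= VM_SAO` a no-op, which is only safe if nothing built for x86-32 depends on it. I would say so on the line itself: `#define VM_SAO 0x00000000 /* unused on x86-32; bit reused by VM_PAGEEXEC */`.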
59557 @@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
59558 int set_page_dirty_lock(struct page *page);
59559 int clear_page_dirty_for_io(struct page *page);
59560
59561 -/* Is the vma a continuation of the stack vma above it? */
59562 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
59563 -{
59564 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
59565 -}
59566 -
59567 extern unsigned long move_page_tables(struct vm_area_struct *vma,
59568 unsigned long old_addr, struct vm_area_struct *new_vma,
59569 unsigned long new_addr, unsigned long len);
59570 @@ -890,6 +891,8 @@ struct shrinker {
59571 extern void register_shrinker(struct shrinker *);
59572 extern void unregister_shrinker(struct shrinker *);
59573
59574 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
59575 +
59576 int vma_wants_writenotify(struct vm_area_struct *vma);
59577
59578 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
59579 @@ -1162,6 +1165,7 @@ out:
59580 }
59581
59582 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
59583 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
59584
59585 extern unsigned long do_brk(unsigned long, unsigned long);
59586
59587 @@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
59588 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
59589 struct vm_area_struct **pprev);
59590
59591 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
59592 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
59593 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
59594 +
59595 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
59596 NULL if none. Assume start_addr < end_addr. */
59597 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
59598 @@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
59599 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
59600 }
59601
59602 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
59603 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
59604 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
59605 unsigned long pfn, unsigned long size, pgprot_t);
59606 @@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
59607 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
59608 extern int sysctl_memory_failure_early_kill;
59609 extern int sysctl_memory_failure_recovery;
59610 -extern atomic_long_t mce_bad_pages;
59611 +extern atomic_long_unchecked_t mce_bad_pages;
59612 +
59613 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
59614 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
59615 +#else
59616 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
59617 +#endif
59618
59619 #endif /* __KERNEL__ */
59620 #endif /* _LINUX_MM_H */
59621 diff -urNp linux-2.6.32.43/include/linux/mm_types.h linux-2.6.32.43/include/linux/mm_types.h
59622 --- linux-2.6.32.43/include/linux/mm_types.h 2011-03-27 14:31:47.000000000 -0400
59623 +++ linux-2.6.32.43/include/linux/mm_types.h 2011-04-17 15:56:46.000000000 -0400
59624 @@ -186,6 +186,8 @@ struct vm_area_struct {
59625 #ifdef CONFIG_NUMA
59626 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
59627 #endif
59628 +
59629 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
59630 };
59631
59632 struct core_thread {
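Review bot: `vm_mirror` is added to `struct vm_area_struct` unconditionally, whereas the PaX fields added to `struct mm_struct` in the next hunk are each wrapped in a `CONFIG_PAX_*` guard. Every vma therefore grows by one pointer even in configurations that never set up a mirror. If the field is only used by one feature, guarding it the same way, or saying in the comment why it must always exist, would keep the two structs consistent. The comment could also state who sets the pointer and when it is reset to NULL. `struct vm_area_struct` begins outside the hunk.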
59633 @@ -287,6 +289,24 @@ struct mm_struct {
59634 #ifdef CONFIG_MMU_NOTIFIER
59635 struct mmu_notifier_mm *mmu_notifier_mm;
59636 #endif
59637 +
59638 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
59639 + unsigned long pax_flags;
59640 +#endif
59641 +
59642 +#ifdef CONFIG_PAX_DLRESOLVE
59643 + unsigned long call_dl_resolve;
59644 +#endif
59645 +
59646 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
59647 + unsigned long call_syscall;
59648 +#endif
59649 +
59650 +#ifdef CONFIG_PAX_ASLR
59651 + unsigned long delta_mmap; /* randomized offset */
59652 + unsigned long delta_stack; /* randomized offset */
59653 +#endif
59654 +
59655 };
59656
59657 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
59658 diff -urNp linux-2.6.32.43/include/linux/mmu_notifier.h linux-2.6.32.43/include/linux/mmu_notifier.h
59659 --- linux-2.6.32.43/include/linux/mmu_notifier.h 2011-03-27 14:31:47.000000000 -0400
59660 +++ linux-2.6.32.43/include/linux/mmu_notifier.h 2011-04-17 15:56:46.000000000 -0400
59661 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
59662 */
59663 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
59664 ({ \
59665 - pte_t __pte; \
59666 + pte_t ___pte; \
59667 struct vm_area_struct *___vma = __vma; \
59668 unsigned long ___address = __address; \
59669 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
59670 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
59671 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
59672 - __pte; \
59673 + ___pte; \
59674 })
59675
59676 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
59677 diff -urNp linux-2.6.32.43/include/linux/mmzone.h linux-2.6.32.43/include/linux/mmzone.h
59678 --- linux-2.6.32.43/include/linux/mmzone.h 2011-03-27 14:31:47.000000000 -0400
59679 +++ linux-2.6.32.43/include/linux/mmzone.h 2011-04-17 15:56:46.000000000 -0400
59680 @@ -350,7 +350,7 @@ struct zone {
59681 unsigned long flags; /* zone flags, see below */
59682
59683 /* Zone statistics */
59684 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59685 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
59686
59687 /*
59688 * prev_priority holds the scanning priority for this zone. It is
59689 diff -urNp linux-2.6.32.43/include/linux/mod_devicetable.h linux-2.6.32.43/include/linux/mod_devicetable.h
59690 --- linux-2.6.32.43/include/linux/mod_devicetable.h 2011-03-27 14:31:47.000000000 -0400
59691 +++ linux-2.6.32.43/include/linux/mod_devicetable.h 2011-04-17 15:56:46.000000000 -0400
59692 @@ -12,7 +12,7 @@
59693 typedef unsigned long kernel_ulong_t;
59694 #endif
59695
59696 -#define PCI_ANY_ID (~0)
59697 +#define PCI_ANY_ID ((__u16)~0)
59698
59699 struct pci_device_id {
59700 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
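Review bot: `PCI_ANY_ID` is narrowed to a 16-bit value here while the `vendor` and `device` fields of `struct pci_device_id` just below it stay `__u32`, so the wildcard stored in those fields changes from 0xFFFFFFFF to 0x0000FFFF. Matching stays consistent only if every ID table and every comparison is built against this header and uses the macro; anything built against the old definition, or comparing against a literal `~0`, would presumably stop matching. A comment on the define would make that contract explicit, for example `/* 16-bit wildcard: compare id fields against PCI_ANY_ID, never against ~0 */`.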
59701 @@ -131,7 +131,7 @@ struct usb_device_id {
59702 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
59703 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
59704
59705 -#define HID_ANY_ID (~0)
59706 +#define HID_ANY_ID (~0U)
59707
59708 struct hid_device_id {
59709 __u16 bus;
59710 diff -urNp linux-2.6.32.43/include/linux/module.h linux-2.6.32.43/include/linux/module.h
59711 --- linux-2.6.32.43/include/linux/module.h 2011-03-27 14:31:47.000000000 -0400
59712 +++ linux-2.6.32.43/include/linux/module.h 2011-08-05 20:33:55.000000000 -0400
59713 @@ -16,6 +16,7 @@
59714 #include <linux/kobject.h>
59715 #include <linux/moduleparam.h>
59716 #include <linux/tracepoint.h>
59717 +#include <linux/fs.h>
59718
59719 #include <asm/local.h>
59720 #include <asm/module.h>
59721 @@ -287,16 +288,16 @@ struct module
59722 int (*init)(void);
59723
59724 /* If this is non-NULL, vfree after init() returns */
59725 - void *module_init;
59726 + void *module_init_rx, *module_init_rw;
59727
59728 /* Here is the actual code + data, vfree'd on unload. */
59729 - void *module_core;
59730 + void *module_core_rx, *module_core_rw;
59731
59732 /* Here are the sizes of the init and core sections */
59733 - unsigned int init_size, core_size;
59734 + unsigned int init_size_rw, core_size_rw;
59735
59736 /* The size of the executable code in each section. */
59737 - unsigned int init_text_size, core_text_size;
59738 + unsigned int init_size_rx, core_size_rx;
59739
59740 /* Arch-specific module values */
59741 struct mod_arch_specific arch;
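Review bot: The comments kept as context in this hunk no longer describe the fields beneath them. `init_size_rw, core_size_rw` still sits under "Here are the sizes of the init and core sections", and `init_size_rx, core_size_rx` under "The size of the executable code in each section", although the names suggest the split is now between a writable and an executable region rather than total versus text size. I would reword them, e.g. `/* Sizes of the rw (data) init and core regions */` and `/* Sizes of the rx (code) init and core regions */`, and extend the two pointer comments to say which region each pointer covers. `struct module` begins and ends outside the hunk.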
59742 @@ -345,6 +346,10 @@ struct module
59743 #ifdef CONFIG_EVENT_TRACING
59744 struct ftrace_event_call *trace_events;
59745 unsigned int num_trace_events;
59746 + struct file_operations trace_id;
59747 + struct file_operations trace_enable;
59748 + struct file_operations trace_format;
59749 + struct file_operations trace_filter;
59750 #endif
59751 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
59752 unsigned long *ftrace_callsites;
59753 @@ -393,16 +398,46 @@ struct module *__module_address(unsigned
59754 bool is_module_address(unsigned long addr);
59755 bool is_module_text_address(unsigned long addr);
59756
59757 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
59758 +{
59759 +
59760 +#ifdef CONFIG_PAX_KERNEXEC
59761 + if (ktla_ktva(addr) >= (unsigned long)start &&
59762 + ktla_ktva(addr) < (unsigned long)start + size)
59763 + return 1;
59764 +#endif
59765 +
59766 + return ((void *)addr >= start && (void *)addr < start + size);
59767 +}
59768 +
59769 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
59770 +{
59771 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
59772 +}
59773 +
59774 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
59775 +{
59776 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
59777 +}
59778 +
59779 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
59780 +{
59781 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
59782 +}
59783 +
59784 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
59785 +{
59786 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
59787 +}
59788 +
59789 static inline int within_module_core(unsigned long addr, struct module *mod)
59790 {
59791 - return (unsigned long)mod->module_core <= addr &&
59792 - addr < (unsigned long)mod->module_core + mod->core_size;
59793 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
59794 }
59795
59796 static inline int within_module_init(unsigned long addr, struct module *mod)
59797 {
59798 - return (unsigned long)mod->module_init <= addr &&
59799 - addr < (unsigned long)mod->module_init + mod->init_size;
59800 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
59801 }
59802
59803 /* Search for module by name: must hold module_mutex. */
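Review bot: `within_module_range()` mixes two forms of bounds check: the `CONFIG_PAX_KERNEXEC` branch compares `unsigned long` values, while the final `return` compares `void *` and relies on GNU `void *` arithmetic in `start + size`. Writing the fallback as `return addr >= (unsigned long)start && addr < (unsigned long)start + size;` keeps one form throughout and matches the comparisons this hunk removes from `within_module_core()`. The function also needs a comment explaining why an address is accepted when either its `ktla_ktva()` translation or its raw value falls in the range, since `ktla_ktva()` is defined outside this hunk. The blank line after the opening brace is stray.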
59804 diff -urNp linux-2.6.32.43/include/linux/moduleloader.h linux-2.6.32.43/include/linux/moduleloader.h
59805 --- linux-2.6.32.43/include/linux/moduleloader.h 2011-03-27 14:31:47.000000000 -0400
59806 +++ linux-2.6.32.43/include/linux/moduleloader.h 2011-04-17 15:56:46.000000000 -0400
59807 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
59808 sections. Returns NULL on failure. */
59809 void *module_alloc(unsigned long size);
59810
59811 +#ifdef CONFIG_PAX_KERNEXEC
59812 +void *module_alloc_exec(unsigned long size);
59813 +#else
59814 +#define module_alloc_exec(x) module_alloc(x)
59815 +#endif
59816 +
59817 /* Free memory returned from module_alloc. */
59818 void module_free(struct module *mod, void *module_region);
59819
59820 +#ifdef CONFIG_PAX_KERNEXEC
59821 +void module_free_exec(struct module *mod, void *module_region);
59822 +#else
59823 +#define module_free_exec(x, y) module_free((x), (y))
59824 +#endif
59825 +
59826 /* Apply the given relocation to the (simplified) ELF. Return -error
59827 or 0. */
59828 int apply_relocate(Elf_Shdr *sechdrs,
59829 diff -urNp linux-2.6.32.43/include/linux/moduleparam.h linux-2.6.32.43/include/linux/moduleparam.h
59830 --- linux-2.6.32.43/include/linux/moduleparam.h 2011-03-27 14:31:47.000000000 -0400
59831 +++ linux-2.6.32.43/include/linux/moduleparam.h 2011-04-17 15:56:46.000000000 -0400
59832 @@ -132,7 +132,7 @@ struct kparam_array
59833
59834 /* Actually copy string: maxlen param is usually sizeof(string). */
59835 #define module_param_string(name, string, len, perm) \
59836 - static const struct kparam_string __param_string_##name \
59837 + static const struct kparam_string __param_string_##name __used \
59838 = { len, string }; \
59839 __module_param_call(MODULE_PARAM_PREFIX, name, \
59840 param_set_copystring, param_get_string, \
59841 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
59842
59843 /* Comma-separated array: *nump is set to number they actually specified. */
59844 #define module_param_array_named(name, array, type, nump, perm) \
59845 - static const struct kparam_array __param_arr_##name \
59846 + static const struct kparam_array __param_arr_##name __used \
59847 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
59848 sizeof(array[0]), array }; \
59849 __module_param_call(MODULE_PARAM_PREFIX, name, \
59850 diff -urNp linux-2.6.32.43/include/linux/mutex.h linux-2.6.32.43/include/linux/mutex.h
59851 --- linux-2.6.32.43/include/linux/mutex.h 2011-03-27 14:31:47.000000000 -0400
59852 +++ linux-2.6.32.43/include/linux/mutex.h 2011-04-17 15:56:46.000000000 -0400
59853 @@ -51,7 +51,7 @@ struct mutex {
59854 spinlock_t wait_lock;
59855 struct list_head wait_list;
59856 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
59857 - struct thread_info *owner;
59858 + struct task_struct *owner;
59859 #endif
59860 #ifdef CONFIG_DEBUG_MUTEXES
59861 const char *name;
59862 diff -urNp linux-2.6.32.43/include/linux/namei.h linux-2.6.32.43/include/linux/namei.h
59863 --- linux-2.6.32.43/include/linux/namei.h 2011-03-27 14:31:47.000000000 -0400
59864 +++ linux-2.6.32.43/include/linux/namei.h 2011-04-17 15:56:46.000000000 -0400
59865 @@ -22,7 +22,7 @@ struct nameidata {
59866 unsigned int flags;
59867 int last_type;
59868 unsigned depth;
59869 - char *saved_names[MAX_NESTED_LINKS + 1];
59870 + const char *saved_names[MAX_NESTED_LINKS + 1];
59871
59872 /* Intent data */
59873 union {
59874 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
59875 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
59876 extern void unlock_rename(struct dentry *, struct dentry *);
59877
59878 -static inline void nd_set_link(struct nameidata *nd, char *path)
59879 +static inline void nd_set_link(struct nameidata *nd, const char *path)
59880 {
59881 nd->saved_names[nd->depth] = path;
59882 }
59883
59884 -static inline char *nd_get_link(struct nameidata *nd)
59885 +static inline const char *nd_get_link(const struct nameidata *nd)
59886 {
59887 return nd->saved_names[nd->depth];
59888 }
59889 diff -urNp linux-2.6.32.43/include/linux/netfilter/xt_gradm.h linux-2.6.32.43/include/linux/netfilter/xt_gradm.h
59890 --- linux-2.6.32.43/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
59891 +++ linux-2.6.32.43/include/linux/netfilter/xt_gradm.h 2011-04-17 15:56:46.000000000 -0400
59892 @@ -0,0 +1,9 @@
59893 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
59894 +#define _LINUX_NETFILTER_XT_GRADM_H 1
59895 +
59896 +struct xt_gradm_mtinfo {
59897 + __u16 flags;
59898 + __u16 invflags;
59899 +};
59900 +
59901 +#endif
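Review bot: The new header declares `__u16 flags` and `__u16 invflags` without including anything, so it compiles only when the includer has already pulled in the kernel type definitions. Adding `#include <linux/types.h>` directly after the `#define _LINUX_NETFILTER_XT_GRADM_H 1` line makes it self-contained, which matters for a header under include/linux/netfilter that userspace rule tooling is likely to include as well. A one-line comment on what `flags` and `invflags` carry would also help, as the struct has none.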
59902 diff -urNp linux-2.6.32.43/include/linux/nodemask.h linux-2.6.32.43/include/linux/nodemask.h
59903 --- linux-2.6.32.43/include/linux/nodemask.h 2011-03-27 14:31:47.000000000 -0400
59904 +++ linux-2.6.32.43/include/linux/nodemask.h 2011-04-17 15:56:46.000000000 -0400
59905 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
59906
59907 #define any_online_node(mask) \
59908 ({ \
59909 - int node; \
59910 - for_each_node_mask(node, (mask)) \
59911 - if (node_online(node)) \
59912 + int __node; \
59913 + for_each_node_mask(__node, (mask)) \
59914 + if (node_online(__node)) \
59915 break; \
59916 - node; \
59917 + __node; \
59918 })
59919
59920 #define num_online_nodes() num_node_state(N_ONLINE)
59921 diff -urNp linux-2.6.32.43/include/linux/oprofile.h linux-2.6.32.43/include/linux/oprofile.h
59922 --- linux-2.6.32.43/include/linux/oprofile.h 2011-03-27 14:31:47.000000000 -0400
59923 +++ linux-2.6.32.43/include/linux/oprofile.h 2011-04-17 15:56:46.000000000 -0400
59924 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
59925 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
59926 char const * name, ulong * val);
59927
59928 -/** Create a file for read-only access to an atomic_t. */
59929 +/** Create a file for read-only access to an atomic_unchecked_t. */
59930 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
59931 - char const * name, atomic_t * val);
59932 + char const * name, atomic_unchecked_t * val);
59933
59934 /** create a directory */
59935 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
59936 diff -urNp linux-2.6.32.43/include/linux/perf_event.h linux-2.6.32.43/include/linux/perf_event.h
59937 --- linux-2.6.32.43/include/linux/perf_event.h 2011-03-27 14:31:47.000000000 -0400
59938 +++ linux-2.6.32.43/include/linux/perf_event.h 2011-05-04 17:56:28.000000000 -0400
59939 @@ -476,7 +476,7 @@ struct hw_perf_event {
59940 struct hrtimer hrtimer;
59941 };
59942 };
59943 - atomic64_t prev_count;
59944 + atomic64_unchecked_t prev_count;
59945 u64 sample_period;
59946 u64 last_period;
59947 atomic64_t period_left;
59948 @@ -557,7 +557,7 @@ struct perf_event {
59949 const struct pmu *pmu;
59950
59951 enum perf_event_active_state state;
59952 - atomic64_t count;
59953 + atomic64_unchecked_t count;
59954
59955 /*
59956 * These are the total time in nanoseconds that the event
59957 @@ -595,8 +595,8 @@ struct perf_event {
59958 * These accumulate total time (in nanoseconds) that children
59959 * events have been enabled and running, respectively.
59960 */
59961 - atomic64_t child_total_time_enabled;
59962 - atomic64_t child_total_time_running;
59963 + atomic64_unchecked_t child_total_time_enabled;
59964 + atomic64_unchecked_t child_total_time_running;
59965
59966 /*
59967 * Protect attach/detach and child_list:
59968 diff -urNp linux-2.6.32.43/include/linux/pipe_fs_i.h linux-2.6.32.43/include/linux/pipe_fs_i.h
59969 --- linux-2.6.32.43/include/linux/pipe_fs_i.h 2011-03-27 14:31:47.000000000 -0400
59970 +++ linux-2.6.32.43/include/linux/pipe_fs_i.h 2011-04-17 15:56:46.000000000 -0400
59971 @@ -46,9 +46,9 @@ struct pipe_inode_info {
59972 wait_queue_head_t wait;
59973 unsigned int nrbufs, curbuf;
59974 struct page *tmp_page;
59975 - unsigned int readers;
59976 - unsigned int writers;
59977 - unsigned int waiting_writers;
59978 + atomic_t readers;
59979 + atomic_t writers;
59980 + atomic_t waiting_writers;
59981 unsigned int r_counter;
59982 unsigned int w_counter;
59983 struct fasync_struct *fasync_readers;
59984 diff -urNp linux-2.6.32.43/include/linux/poison.h linux-2.6.32.43/include/linux/poison.h
59985 --- linux-2.6.32.43/include/linux/poison.h 2011-03-27 14:31:47.000000000 -0400
59986 +++ linux-2.6.32.43/include/linux/poison.h 2011-04-17 15:56:46.000000000 -0400
59987 @@ -19,8 +19,8 @@
59988 * under normal circumstances, used to verify that nobody uses
59989 * non-initialized list entries.
59990 */
59991 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
59992 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
59993 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
59994 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
59995
59996 /********** include/linux/timer.h **********/
59997 /*
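Review bot: The new `LIST_POISON1`/`LIST_POISON2` definitions drop `POISON_POINTER_DELTA` and cast the literal through `(long)`. Because `0xFFFFFF01` has type `unsigned int`, that cast zero-extends on 64-bit builds and yields 0x00000000FFFFFF01, not a sign-extended value at the top of the address space. If the intent is a poison that can never be a valid mapping on any architecture, that should be confirmed for 64-bit targets, where the removed form could be moved out of the mappable range by the delta. At minimum a comment should state the intended value per word size and why the delta no longer applies, e.g. `/* fixed poison near the top of the 32-bit address space; POISON_POINTER_DELTA deliberately not applied */`.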
59998 diff -urNp linux-2.6.32.43/include/linux/posix-timers.h linux-2.6.32.43/include/linux/posix-timers.h
59999 --- linux-2.6.32.43/include/linux/posix-timers.h 2011-03-27 14:31:47.000000000 -0400
60000 +++ linux-2.6.32.43/include/linux/posix-timers.h 2011-08-05 20:33:55.000000000 -0400
60001 @@ -67,7 +67,7 @@ struct k_itimer {
60002 };
60003
60004 struct k_clock {
60005 - int res; /* in nanoseconds */
60006 + const int res; /* in nanoseconds */
60007 int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
60008 int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
60009 int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
60010 diff -urNp linux-2.6.32.43/include/linux/preempt.h linux-2.6.32.43/include/linux/preempt.h
60011 --- linux-2.6.32.43/include/linux/preempt.h 2011-03-27 14:31:47.000000000 -0400
60012 +++ linux-2.6.32.43/include/linux/preempt.h 2011-08-05 20:33:55.000000000 -0400
60013 @@ -110,7 +110,7 @@ struct preempt_ops {
60014 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
60015 void (*sched_out)(struct preempt_notifier *notifier,
60016 struct task_struct *next);
60017 -};
60018 +} __no_const;
60019
60020 /**
60021 * preempt_notifier - key for installing preemption notifiers
60022 diff -urNp linux-2.6.32.43/include/linux/proc_fs.h linux-2.6.32.43/include/linux/proc_fs.h
60023 --- linux-2.6.32.43/include/linux/proc_fs.h 2011-03-27 14:31:47.000000000 -0400
60024 +++ linux-2.6.32.43/include/linux/proc_fs.h 2011-08-05 20:33:55.000000000 -0400
60025 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
60026 return proc_create_data(name, mode, parent, proc_fops, NULL);
60027 }
60028
60029 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
60030 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
60031 +{
60032 +#ifdef CONFIG_GRKERNSEC_PROC_USER
60033 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
60034 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
60035 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
60036 +#else
60037 + return proc_create_data(name, mode, parent, proc_fops, NULL);
60038 +#endif
60039 +}
60040 +
60041 +
60042 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
60043 mode_t mode, struct proc_dir_entry *base,
60044 read_proc_t *read_proc, void * data)
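Review bot: `proc_create_grsec()` silently discards its `mode` argument when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, substituting `S_IRUSR` or `S_IRUSR | S_IRGRP`. That is presumably the purpose of the helper, but a caller that passes write bits loses them with no indication, so the contract belongs above the function, e.g. `/* Like proc_create(), but the restricted /proc options force a read-only owner (or owner+group) mode and ignore the caller's mode. */`. The second blank line after the closing brace is stray.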
60045 @@ -256,7 +269,7 @@ union proc_op {
60046 int (*proc_show)(struct seq_file *m,
60047 struct pid_namespace *ns, struct pid *pid,
60048 struct task_struct *task);
60049 -};
60050 +} __no_const;
60051
60052 struct ctl_table_header;
60053 struct ctl_table;
60054 diff -urNp linux-2.6.32.43/include/linux/ptrace.h linux-2.6.32.43/include/linux/ptrace.h
60055 --- linux-2.6.32.43/include/linux/ptrace.h 2011-03-27 14:31:47.000000000 -0400
60056 +++ linux-2.6.32.43/include/linux/ptrace.h 2011-04-17 15:56:46.000000000 -0400
60057 @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
60058 extern void exit_ptrace(struct task_struct *tracer);
60059 #define PTRACE_MODE_READ 1
60060 #define PTRACE_MODE_ATTACH 2
60061 -/* Returns 0 on success, -errno on denial. */
60062 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
60063 /* Returns true on success, false on denial. */
60064 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
60065 +/* Returns true on success, false on denial. */
60066 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
60067
60068 static inline int ptrace_reparented(struct task_struct *child)
60069 {
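Review bot: `ptrace_may_access_log()` is declared under a copy of the comment that already sits on `ptrace_may_access()`, so the header does not say how the two differ. A distinguishing comment is needed, along the lines of `/* As ptrace_may_access(), but a denial is also logged. */`, to be confirmed against the definition, which is outside this hunk. The hunk also removes the `__ptrace_may_access()` prototype, so any caller that relied on its -errno result must have been converted to the bool form elsewhere in the patch.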
60070 diff -urNp linux-2.6.32.43/include/linux/random.h linux-2.6.32.43/include/linux/random.h
60071 --- linux-2.6.32.43/include/linux/random.h 2011-03-27 14:31:47.000000000 -0400
60072 +++ linux-2.6.32.43/include/linux/random.h 2011-04-17 15:56:46.000000000 -0400
60073 @@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
60074 u32 random32(void);
60075 void srandom32(u32 seed);
60076
60077 +static inline unsigned long pax_get_random_long(void)
60078 +{
60079 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
60080 +}
60081 +
60082 #endif /* __KERNEL___ */
60083
60084 #endif /* _LINUX_RANDOM_H */
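Review bot: `pax_get_random_long()` builds its result from `random32()`, which in this kernel series is a fast non-cryptographic generator rather than output drawn from the entropy pool. If the helper feeds address-space randomization, as its name and the `delta_mmap`/`delta_stack` "randomized offset" fields added to `struct mm_struct` in this patch suggest, the values should come from an unpredictable source. `get_random_bytes()` is declared in this same header, so the body could become `unsigned long v; get_random_bytes(&v, sizeof(v)); return v;`. If the cheaper generator is a deliberate trade-off, a comment saying so would keep the helper from being reused where unpredictability matters.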
60085 diff -urNp linux-2.6.32.43/include/linux/reboot.h linux-2.6.32.43/include/linux/reboot.h
60086 --- linux-2.6.32.43/include/linux/reboot.h 2011-03-27 14:31:47.000000000 -0400
60087 +++ linux-2.6.32.43/include/linux/reboot.h 2011-05-22 23:02:06.000000000 -0400
60088 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
60089 * Architecture-specific implementations of sys_reboot commands.
60090 */
60091
60092 -extern void machine_restart(char *cmd);
60093 -extern void machine_halt(void);
60094 -extern void machine_power_off(void);
60095 +extern void machine_restart(char *cmd) __noreturn;
60096 +extern void machine_halt(void) __noreturn;
60097 +extern void machine_power_off(void) __noreturn;
60098
60099 extern void machine_shutdown(void);
60100 struct pt_regs;
60101 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
60102 */
60103
60104 extern void kernel_restart_prepare(char *cmd);
60105 -extern void kernel_restart(char *cmd);
60106 -extern void kernel_halt(void);
60107 -extern void kernel_power_off(void);
60108 +extern void kernel_restart(char *cmd) __noreturn;
60109 +extern void kernel_halt(void) __noreturn;
60110 +extern void kernel_power_off(void) __noreturn;
60111
60112 void ctrl_alt_del(void);
60113
60114 @@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
60115 * Emergency restart, callable from an interrupt handler.
60116 */
60117
60118 -extern void emergency_restart(void);
60119 +extern void emergency_restart(void) __noreturn;
60120 #include <asm/emergency-restart.h>
60121
60122 #endif
60123 diff -urNp linux-2.6.32.43/include/linux/reiserfs_fs.h linux-2.6.32.43/include/linux/reiserfs_fs.h
60124 --- linux-2.6.32.43/include/linux/reiserfs_fs.h 2011-03-27 14:31:47.000000000 -0400
60125 +++ linux-2.6.32.43/include/linux/reiserfs_fs.h 2011-04-17 15:56:46.000000000 -0400
60126 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
60127 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
60128
60129 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
60130 -#define get_generation(s) atomic_read (&fs_generation(s))
60131 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
60132 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
60133 #define __fs_changed(gen,s) (gen != get_generation (s))
60134 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
60135 @@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
60136 */
60137
60138 struct item_operations {
60139 - int (*bytes_number) (struct item_head * ih, int block_size);
60140 - void (*decrement_key) (struct cpu_key *);
60141 - int (*is_left_mergeable) (struct reiserfs_key * ih,
60142 + int (* const bytes_number) (struct item_head * ih, int block_size);
60143 + void (* const decrement_key) (struct cpu_key *);
60144 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
60145 unsigned long bsize);
60146 - void (*print_item) (struct item_head *, char *item);
60147 - void (*check_item) (struct item_head *, char *item);
60148 + void (* const print_item) (struct item_head *, char *item);
60149 + void (* const check_item) (struct item_head *, char *item);
60150
60151 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
60152 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
60153 int is_affected, int insert_size);
60154 - int (*check_left) (struct virtual_item * vi, int free,
60155 + int (* const check_left) (struct virtual_item * vi, int free,
60156 int start_skip, int end_skip);
60157 - int (*check_right) (struct virtual_item * vi, int free);
60158 - int (*part_size) (struct virtual_item * vi, int from, int to);
60159 - int (*unit_num) (struct virtual_item * vi);
60160 - void (*print_vi) (struct virtual_item * vi);
60161 + int (* const check_right) (struct virtual_item * vi, int free);
60162 + int (* const part_size) (struct virtual_item * vi, int from, int to);
60163 + int (* const unit_num) (struct virtual_item * vi);
60164 + void (* const print_vi) (struct virtual_item * vi);
60165 };
60166
60167 -extern struct item_operations *item_ops[TYPE_ANY + 1];
60168 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
60169
60170 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
60171 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
60172 diff -urNp linux-2.6.32.43/include/linux/reiserfs_fs_sb.h linux-2.6.32.43/include/linux/reiserfs_fs_sb.h
60173 --- linux-2.6.32.43/include/linux/reiserfs_fs_sb.h 2011-03-27 14:31:47.000000000 -0400
60174 +++ linux-2.6.32.43/include/linux/reiserfs_fs_sb.h 2011-04-17 15:56:46.000000000 -0400
60175 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
60176 /* Comment? -Hans */
60177 wait_queue_head_t s_wait;
60178 /* To be obsoleted soon by per buffer seals.. -Hans */
60179 - atomic_t s_generation_counter; // increased by one every time the
60180 + atomic_unchecked_t s_generation_counter; // increased by one every time the
60181 // tree gets re-balanced
60182 unsigned long s_properties; /* File system properties. Currently holds
60183 on-disk FS format */
60184 diff -urNp linux-2.6.32.43/include/linux/relay.h linux-2.6.32.43/include/linux/relay.h
60185 --- linux-2.6.32.43/include/linux/relay.h 2011-03-27 14:31:47.000000000 -0400
60186 +++ linux-2.6.32.43/include/linux/relay.h 2011-08-05 20:33:55.000000000 -0400
60187 @@ -159,7 +159,7 @@ struct rchan_callbacks
60188 * The callback should return 0 if successful, negative if not.
60189 */
60190 int (*remove_buf_file)(struct dentry *dentry);
60191 -};
60192 +} __no_const;
60193
60194 /*
60195 * CONFIG_RELAY kernel API, kernel/relay.c
60196 diff -urNp linux-2.6.32.43/include/linux/sched.h linux-2.6.32.43/include/linux/sched.h
60197 --- linux-2.6.32.43/include/linux/sched.h 2011-03-27 14:31:47.000000000 -0400
60198 +++ linux-2.6.32.43/include/linux/sched.h 2011-08-05 20:33:55.000000000 -0400
60199 @@ -101,6 +101,7 @@ struct bio;
60200 struct fs_struct;
60201 struct bts_context;
60202 struct perf_event_context;
60203 +struct linux_binprm;
60204
60205 /*
60206 * List of flags we want to share for kernel threads,
60207 @@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
60208 extern signed long schedule_timeout_uninterruptible(signed long timeout);
60209 asmlinkage void __schedule(void);
60210 asmlinkage void schedule(void);
60211 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
60212 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
60213
60214 struct nsproxy;
60215 struct user_namespace;
60216 @@ -371,9 +372,12 @@ struct user_namespace;
60217 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
60218
60219 extern int sysctl_max_map_count;
60220 +extern unsigned long sysctl_heap_stack_gap;
60221
60222 #include <linux/aio.h>
60223
60224 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
60225 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
60226 extern unsigned long
60227 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
60228 unsigned long, unsigned long);
60229 @@ -666,6 +670,16 @@ struct signal_struct {
60230 struct tty_audit_buf *tty_audit_buf;
60231 #endif
60232
60233 +#ifdef CONFIG_GRKERNSEC
60234 + u32 curr_ip;
60235 + u32 saved_ip;
60236 + u32 gr_saddr;
60237 + u32 gr_daddr;
60238 + u16 gr_sport;
60239 + u16 gr_dport;
60240 + u8 used_accept:1;
60241 +#endif
60242 +
60243 int oom_adj; /* OOM kill score adjustment (bit shift) */
60244 };
60245
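Review bot: The connection fields added to `struct signal_struct` hold addresses as `u32` (`curr_ip`, `saved_ip`, `gr_saddr`, `gr_daddr`), which is wide enough only for an IPv4 address. The code that fills them is outside this hunk, but if they are set from sockets of any family, an IPv6 peer cannot be represented and whatever logging or policy reads them would presumably see a missing or misleading value. None of the new fields is commented, so I would document each and state the limitation explicitly, e.g. `/* IPv4 only; left unset for other address families */`, once that is confirmed against the code that sets them. `struct signal_struct` begins outside the hunk.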
60246 @@ -723,6 +737,11 @@ struct user_struct {
60247 struct key *session_keyring; /* UID's default session keyring */
60248 #endif
60249
60250 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60251 + unsigned int banned;
60252 + unsigned long ban_expires;
60253 +#endif
60254 +
60255 /* Hash table maintenance information */
60256 struct hlist_node uidhash_node;
60257 uid_t uid;
60258 @@ -1328,8 +1347,8 @@ struct task_struct {
60259 struct list_head thread_group;
60260
60261 struct completion *vfork_done; /* for vfork() */
60262 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
60263 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
60264 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
60265 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
60266
60267 cputime_t utime, stime, utimescaled, stimescaled;
60268 cputime_t gtime;
60269 @@ -1343,16 +1362,6 @@ struct task_struct {
60270 struct task_cputime cputime_expires;
60271 struct list_head cpu_timers[3];
60272
60273 -/* process credentials */
60274 - const struct cred *real_cred; /* objective and real subjective task
60275 - * credentials (COW) */
60276 - const struct cred *cred; /* effective (overridable) subjective task
60277 - * credentials (COW) */
60278 - struct mutex cred_guard_mutex; /* guard against foreign influences on
60279 - * credential calculations
60280 - * (notably. ptrace) */
60281 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60282 -
60283 char comm[TASK_COMM_LEN]; /* executable name excluding path
60284 - access with [gs]et_task_comm (which lock
60285 it with task_lock())
60286 @@ -1369,6 +1378,10 @@ struct task_struct {
60287 #endif
60288 /* CPU-specific state of this task */
60289 struct thread_struct thread;
60290 +/* thread_info moved to task_struct */
60291 +#ifdef CONFIG_X86
60292 + struct thread_info tinfo;
60293 +#endif
60294 /* filesystem information */
60295 struct fs_struct *fs;
60296 /* open file information */
60297 @@ -1436,6 +1449,15 @@ struct task_struct {
60298 int hardirq_context;
60299 int softirq_context;
60300 #endif
60301 +
60302 +/* process credentials */
60303 + const struct cred *real_cred; /* objective and real subjective task
60304 + * credentials (COW) */
60305 + struct mutex cred_guard_mutex; /* guard against foreign influences on
60306 + * credential calculations
60307 + * (notably. ptrace) */
60308 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
60309 +
60310 #ifdef CONFIG_LOCKDEP
60311 # define MAX_LOCK_DEPTH 48UL
60312 u64 curr_chain_key;
60313 @@ -1456,6 +1478,9 @@ struct task_struct {
60314
60315 struct backing_dev_info *backing_dev_info;
60316
60317 + const struct cred *cred; /* effective (overridable) subjective task
60318 + * credentials (COW) */
60319 +
60320 struct io_context *io_context;
60321
60322 unsigned long ptrace_message;
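Review bot: `cred` is inserted here between `backing_dev_info` and `io_context` with nothing to say why it now lives apart from `real_cred`. The earlier hunk re-adds `real_cred` under the `/* process credentials */` comment after the irq-tracing fields, so the two pointers that used to be adjacent are now far apart. A later cleanup will read that as an accident and regroup them. If the split is deliberate, add a line such as `/* deliberately not adjacent to real_cred */` above the member. `struct task_struct` starts and ends outside this hunk.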
60323 @@ -1519,6 +1544,21 @@ struct task_struct {
60324 unsigned long default_timer_slack_ns;
60325
60326 struct list_head *scm_work_list;
60327 +
60328 +#ifdef CONFIG_GRKERNSEC
60329 + /* grsecurity */
60330 + struct dentry *gr_chroot_dentry;
60331 + struct acl_subject_label *acl;
60332 + struct acl_role_label *role;
60333 + struct file *exec_file;
60334 + u16 acl_role_id;
60335 + /* is this the task that authenticated to the special role */
60336 + u8 acl_sp_role;
60337 + u8 is_writable;
60338 + u8 brute;
60339 + u8 gr_is_chrooted;
60340 +#endif
60341 +
60342 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
60343 /* Index of current stored adress in ret_stack */
60344 int curr_ret_stack;
60345 @@ -1542,6 +1582,57 @@ struct task_struct {
60346 #endif /* CONFIG_TRACING */
60347 };
60348
60349 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
60350 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
60351 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
60352 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
60353 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
60354 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
60355 +
60356 +#ifdef CONFIG_PAX_SOFTMODE
60357 +extern int pax_softmode;
60358 +#endif
60359 +
60360 +extern int pax_check_flags(unsigned long *);
60361 +
60362 +/* if tsk != current then task_lock must be held on it */
60363 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
60364 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
60365 +{
60366 + if (likely(tsk->mm))
60367 + return tsk->mm->pax_flags;
60368 + else
60369 + return 0UL;
60370 +}
60371 +
60372 +/* if tsk != current then task_lock must be held on it */
60373 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
60374 +{
60375 + if (likely(tsk->mm)) {
60376 + tsk->mm->pax_flags = flags;
60377 + return 0;
60378 + }
60379 + return -EINVAL;
60380 +}
60381 +#endif
60382 +
60383 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
60384 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
60385 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
60386 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
60387 +#endif
60388 +
60389 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
60390 +extern void pax_report_insns(void *pc, void *sp);
60391 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
60392 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
60393 +
60394 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
60395 +extern void pax_track_stack(void);
60396 +#else
60397 +static inline void pax_track_stack(void) {}
60398 +#endif
60399 +
60400 /* Future-safe accessor for struct task_struct's cpus_allowed. */
60401 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
60402
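Review bot: `pax_get_flags()` and `pax_set_flags()` each read `tsk->mm` twice, once in the `likely()` test and again for the dereference, so they depend entirely on every caller honouring the locking rule in the comment. Loading the pointer once, `struct mm_struct *mm = ACCESS_ONCE(tsk->mm);` followed by `return likely(mm) ? mm->pax_flags : 0UL;` (and the same shape in the setter), removes the chance of a NULL dereference between test and use. It does not replace the lock. The first locking comment also sits above the `#if`, so it is left dangling when both functions are compiled out; moving it inside the conditional keeps it with the code it describes.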
60403 @@ -1978,7 +2069,9 @@ void yield(void);
60404 extern struct exec_domain default_exec_domain;
60405
60406 union thread_union {
60407 +#ifndef CONFIG_X86
60408 struct thread_info thread_info;
60409 +#endif
60410 unsigned long stack[THREAD_SIZE/sizeof(long)];
60411 };
60412
60413 @@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
60414 */
60415
60416 extern struct task_struct *find_task_by_vpid(pid_t nr);
60417 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
60418 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
60419 struct pid_namespace *ns);
60420
60421 @@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
60422 extern void exit_itimers(struct signal_struct *);
60423 extern void flush_itimer_signals(void);
60424
60425 -extern NORET_TYPE void do_group_exit(int);
60426 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
60427
60428 extern void daemonize(const char *, ...);
60429 extern int allow_signal(int);
60430 @@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
60431
60432 #endif
60433
60434 -static inline int object_is_on_stack(void *obj)
60435 +static inline int object_starts_on_stack(void *obj)
60436 {
60437 - void *stack = task_stack_page(current);
60438 + const void *stack = task_stack_page(current);
60439
60440 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
60441 }
60442
60443 +#ifdef CONFIG_PAX_USERCOPY
60444 +extern int object_is_on_stack(const void *obj, unsigned long len);
60445 +#endif
60446 +
60447 extern void thread_info_cache_init(void);
60448
60449 #ifdef CONFIG_DEBUG_STACK_USAGE
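Review bot: The name `object_is_on_stack` is kept but now means something different: the old one-argument inline becomes `object_starts_on_stack()`, and a two-argument `object_is_on_stack(const void *obj, unsigned long len)` is declared only under `CONFIG_PAX_USERCOPY`. The new prototype has no comment giving its return values, and an `int` that callers are likely to test as a boolean should say what each value means and that `len` is the object's size in bytes. I would add that as a short comment above the prototype. `object_starts_on_stack()` on the new side still takes a non-const `void *obj` although it only compares the pointer; `const void *obj` would match the new prototype.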
60450 diff -urNp linux-2.6.32.43/include/linux/screen_info.h linux-2.6.32.43/include/linux/screen_info.h
60451 --- linux-2.6.32.43/include/linux/screen_info.h 2011-03-27 14:31:47.000000000 -0400
60452 +++ linux-2.6.32.43/include/linux/screen_info.h 2011-04-17 15:56:46.000000000 -0400
60453 @@ -42,7 +42,8 @@ struct screen_info {
60454 __u16 pages; /* 0x32 */
60455 __u16 vesa_attributes; /* 0x34 */
60456 __u32 capabilities; /* 0x36 */
60457 - __u8 _reserved[6]; /* 0x3a */
60458 + __u16 vesapm_size; /* 0x3a */
60459 + __u8 _reserved[4]; /* 0x3c */
60460 } __attribute__((packed));
60461
60462 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
60463 diff -urNp linux-2.6.32.43/include/linux/security.h linux-2.6.32.43/include/linux/security.h
60464 --- linux-2.6.32.43/include/linux/security.h 2011-03-27 14:31:47.000000000 -0400
60465 +++ linux-2.6.32.43/include/linux/security.h 2011-04-17 15:56:46.000000000 -0400
60466 @@ -34,6 +34,7 @@
60467 #include <linux/key.h>
60468 #include <linux/xfrm.h>
60469 #include <linux/gfp.h>
60470 +#include <linux/grsecurity.h>
60471 #include <net/flow.h>
60472
60473 /* Maximum number of letters for an LSM name string */
60474 diff -urNp linux-2.6.32.43/include/linux/shm.h linux-2.6.32.43/include/linux/shm.h
60475 --- linux-2.6.32.43/include/linux/shm.h 2011-03-27 14:31:47.000000000 -0400
60476 +++ linux-2.6.32.43/include/linux/shm.h 2011-04-17 15:56:46.000000000 -0400
60477 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
60478 pid_t shm_cprid;
60479 pid_t shm_lprid;
60480 struct user_struct *mlock_user;
60481 +#ifdef CONFIG_GRKERNSEC
60482 + time_t shm_createtime;
60483 + pid_t shm_lapid;
60484 +#endif
60485 };
60486
60487 /* shm_mode upper byte flags */
60488 diff -urNp linux-2.6.32.43/include/linux/skbuff.h linux-2.6.32.43/include/linux/skbuff.h
60489 --- linux-2.6.32.43/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400
60490 +++ linux-2.6.32.43/include/linux/skbuff.h 2011-07-06 19:53:33.000000000 -0400
60491 @@ -544,7 +544,7 @@ static inline union skb_shared_tx *skb_t
60492 */
60493 static inline int skb_queue_empty(const struct sk_buff_head *list)
60494 {
60495 - return list->next == (struct sk_buff *)list;
60496 + return list->next == (const struct sk_buff *)list;
60497 }
60498
60499 /**
60500 @@ -557,7 +557,7 @@ static inline int skb_queue_empty(const
60501 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
60502 const struct sk_buff *skb)
60503 {
60504 - return (skb->next == (struct sk_buff *) list);
60505 + return (skb->next == (const struct sk_buff *) list);
60506 }
60507
60508 /**
60509 @@ -570,7 +570,7 @@ static inline bool skb_queue_is_last(con
60510 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
60511 const struct sk_buff *skb)
60512 {
60513 - return (skb->prev == (struct sk_buff *) list);
60514 + return (skb->prev == (const struct sk_buff *) list);
60515 }
60516
60517 /**
60518 @@ -1367,7 +1367,7 @@ static inline int skb_network_offset(con
60519 * headroom, you should not reduce this.
60520 */
60521 #ifndef NET_SKB_PAD
60522 -#define NET_SKB_PAD 32
60523 +#define NET_SKB_PAD (_AC(32,UL))
60524 #endif
60525
60526 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
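Review bot: `NET_SKB_PAD` changes type here, from a plain `int` constant to `unsigned long` via `_AC(32,UL)`, and every expression that uses it inherits that. Comparisons and subtractions that mix it with signed lengths are now carried out unsigned, and the kernel's type-checking `min()`/`max()` macros warn when the other operand is not `unsigned long`. The definition should carry a comment stating why the wider unsigned type is wanted. The surrounding `#ifndef` lets an architecture supply its own value, and whoever does so needs to know to keep the same type.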
60527 diff -urNp linux-2.6.32.43/include/linux/slab_def.h linux-2.6.32.43/include/linux/slab_def.h
60528 --- linux-2.6.32.43/include/linux/slab_def.h 2011-03-27 14:31:47.000000000 -0400
60529 +++ linux-2.6.32.43/include/linux/slab_def.h 2011-05-04 17:56:28.000000000 -0400
60530 @@ -69,10 +69,10 @@ struct kmem_cache {
60531 unsigned long node_allocs;
60532 unsigned long node_frees;
60533 unsigned long node_overflow;
60534 - atomic_t allochit;
60535 - atomic_t allocmiss;
60536 - atomic_t freehit;
60537 - atomic_t freemiss;
60538 + atomic_unchecked_t allochit;
60539 + atomic_unchecked_t allocmiss;
60540 + atomic_unchecked_t freehit;
60541 + atomic_unchecked_t freemiss;
60542
60543 /*
60544 * If debugging is enabled, then the allocator can add additional
60545 diff -urNp linux-2.6.32.43/include/linux/slab.h linux-2.6.32.43/include/linux/slab.h
60546 --- linux-2.6.32.43/include/linux/slab.h 2011-03-27 14:31:47.000000000 -0400
60547 +++ linux-2.6.32.43/include/linux/slab.h 2011-04-17 15:56:46.000000000 -0400
60548 @@ -11,12 +11,20 @@
60549
60550 #include <linux/gfp.h>
60551 #include <linux/types.h>
60552 +#include <linux/err.h>
60553
60554 /*
60555 * Flags to pass to kmem_cache_create().
60556 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
60557 */
60558 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
60559 +
60560 +#ifdef CONFIG_PAX_USERCOPY
60561 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
60562 +#else
60563 +#define SLAB_USERCOPY 0x00000000UL
60564 +#endif
60565 +
60566 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
60567 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
60568 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
60569 @@ -82,10 +90,13 @@
60570 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
60571 * Both make kfree a no-op.
60572 */
60573 -#define ZERO_SIZE_PTR ((void *)16)
60574 +#define ZERO_SIZE_PTR \
60575 +({ \
60576 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
60577 + (void *)(-MAX_ERRNO-1L); \
60578 +})
60579
60580 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
60581 - (unsigned long)ZERO_SIZE_PTR)
60582 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
60583
60584 /*
60585 * struct kmem_cache related prototypes
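Review bot: The new `ZERO_OR_NULL_PTR()` depends on unsigned wraparound and nothing says so. `(unsigned long)(x) - 1` turns NULL into `ULONG_MAX`, so the single `>=` accepts NULL, `ZERO_SIZE_PTR` and every value above it, which includes the `ERR_PTR()` range now that `ZERO_SIZE_PTR` is `-MAX_ERRNO-1`. That is a wider set than the old `<= 16` test, so it deserves a comment such as `/* true for NULL, ZERO_SIZE_PTR and the ERR_PTR range above it (0 - 1 wraps) */`. `ZERO_SIZE_PTR` is also a statement expression now, so it can no longer appear in a static initializer or other constant expression; that restriction is worth stating next to the macro.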
60586 @@ -138,6 +149,7 @@ void * __must_check krealloc(const void
60587 void kfree(const void *);
60588 void kzfree(const void *);
60589 size_t ksize(const void *);
60590 +void check_object_size(const void *ptr, unsigned long n, bool to);
60591
60592 /*
60593 * Allocator specific definitions. These are mainly used to establish optimized
60594 @@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
60595
60596 void __init kmem_cache_init_late(void);
60597
60598 +#define kmalloc(x, y) \
60599 +({ \
60600 + void *___retval; \
60601 + intoverflow_t ___x = (intoverflow_t)x; \
60602 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
60603 + ___retval = NULL; \
60604 + else \
60605 + ___retval = kmalloc((size_t)___x, (y)); \
60606 + ___retval; \
60607 +})
60608 +
60609 +#define kmalloc_node(x, y, z) \
60610 +({ \
60611 + void *___retval; \
60612 + intoverflow_t ___x = (intoverflow_t)x; \
60613 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
60614 + ___retval = NULL; \
60615 + else \
60616 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
60617 + ___retval; \
60618 +})
60619 +
60620 +#define kzalloc(x, y) \
60621 +({ \
60622 + void *___retval; \
60623 + intoverflow_t ___x = (intoverflow_t)x; \
60624 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
60625 + ___retval = NULL; \
60626 + else \
60627 + ___retval = kzalloc((size_t)___x, (y)); \
60628 + ___retval; \
60629 +})
60630 +
60631 #endif /* _LINUX_SLAB_H */
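Review bot: In the three wrappers the cast is written `(intoverflow_t)x` with `x` unparenthesised, which reads as a macro-hygiene slip but appears to be what makes the check work: for an argument like `n * sizeof(*p)` the cast binds to `n`, the product is formed in the wider type, and only then can it exceed `ULONG_MAX`. That needs a comment, because the obvious cleanup `(intoverflow_t)(x)` would presumably turn the test into a no-op, and because only the leftmost operand is widened, so an argument such as `hdr + n * size` or a `?:` expression is not covered. Something like `/* x is deliberately not parenthesised: the cast must bind to the first operand so the size arithmetic is done in intoverflow_t */` above `kmalloc` would do; `intoverflow_t` is defined outside this hunk, so its width is assumed here. The vmalloc wrappers added to include/linux/vmalloc.h later in this patch follow the same pattern and want the same comment.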
60632 diff -urNp linux-2.6.32.43/include/linux/slub_def.h linux-2.6.32.43/include/linux/slub_def.h
60633 --- linux-2.6.32.43/include/linux/slub_def.h 2011-03-27 14:31:47.000000000 -0400
60634 +++ linux-2.6.32.43/include/linux/slub_def.h 2011-08-05 20:33:55.000000000 -0400
60635 @@ -86,7 +86,7 @@ struct kmem_cache {
60636 struct kmem_cache_order_objects max;
60637 struct kmem_cache_order_objects min;
60638 gfp_t allocflags; /* gfp flags to use on each alloc */
60639 - int refcount; /* Refcount for slab cache destroy */
60640 + atomic_t refcount; /* Refcount for slab cache destroy */
60641 void (*ctor)(void *);
60642 int inuse; /* Offset to metadata */
60643 int align; /* Alignment */
60644 @@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
60645 #endif
60646
60647 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
60648 -void *__kmalloc(size_t size, gfp_t flags);
60649 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
60650
60651 #ifdef CONFIG_KMEMTRACE
60652 extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
60653 diff -urNp linux-2.6.32.43/include/linux/sonet.h linux-2.6.32.43/include/linux/sonet.h
60654 --- linux-2.6.32.43/include/linux/sonet.h 2011-03-27 14:31:47.000000000 -0400
60655 +++ linux-2.6.32.43/include/linux/sonet.h 2011-04-17 15:56:46.000000000 -0400
60656 @@ -61,7 +61,7 @@ struct sonet_stats {
60657 #include <asm/atomic.h>
60658
60659 struct k_sonet_stats {
60660 -#define __HANDLE_ITEM(i) atomic_t i
60661 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
60662 __SONET_ITEMS
60663 #undef __HANDLE_ITEM
60664 };
60665 diff -urNp linux-2.6.32.43/include/linux/sunrpc/cache.h linux-2.6.32.43/include/linux/sunrpc/cache.h
60666 --- linux-2.6.32.43/include/linux/sunrpc/cache.h 2011-03-27 14:31:47.000000000 -0400
60667 +++ linux-2.6.32.43/include/linux/sunrpc/cache.h 2011-08-05 20:33:55.000000000 -0400
60668 @@ -125,7 +125,7 @@ struct cache_detail {
60669 */
60670 struct cache_req {
60671 struct cache_deferred_req *(*defer)(struct cache_req *req);
60672 -};
60673 +} __no_const;
60674 /* this must be embedded in a deferred_request that is being
60675 * delayed awaiting cache-fill
60676 */
60677 diff -urNp linux-2.6.32.43/include/linux/sunrpc/clnt.h linux-2.6.32.43/include/linux/sunrpc/clnt.h
60678 --- linux-2.6.32.43/include/linux/sunrpc/clnt.h 2011-03-27 14:31:47.000000000 -0400
60679 +++ linux-2.6.32.43/include/linux/sunrpc/clnt.h 2011-04-17 15:56:46.000000000 -0400
60680 @@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
60681 {
60682 switch (sap->sa_family) {
60683 case AF_INET:
60684 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
60685 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
60686 case AF_INET6:
60687 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
60688 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
60689 }
60690 return 0;
60691 }
60692 @@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
60693 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
60694 const struct sockaddr *src)
60695 {
60696 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
60697 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
60698 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
60699
60700 dsin->sin_family = ssin->sin_family;
60701 @@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
60702 if (sa->sa_family != AF_INET6)
60703 return 0;
60704
60705 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
60706 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
60707 }
60708
60709 #endif /* __KERNEL__ */
60710 diff -urNp linux-2.6.32.43/include/linux/sunrpc/svc_rdma.h linux-2.6.32.43/include/linux/sunrpc/svc_rdma.h
60711 --- linux-2.6.32.43/include/linux/sunrpc/svc_rdma.h 2011-03-27 14:31:47.000000000 -0400
60712 +++ linux-2.6.32.43/include/linux/sunrpc/svc_rdma.h 2011-05-04 17:56:28.000000000 -0400
60713 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
60714 extern unsigned int svcrdma_max_requests;
60715 extern unsigned int svcrdma_max_req_size;
60716
60717 -extern atomic_t rdma_stat_recv;
60718 -extern atomic_t rdma_stat_read;
60719 -extern atomic_t rdma_stat_write;
60720 -extern atomic_t rdma_stat_sq_starve;
60721 -extern atomic_t rdma_stat_rq_starve;
60722 -extern atomic_t rdma_stat_rq_poll;
60723 -extern atomic_t rdma_stat_rq_prod;
60724 -extern atomic_t rdma_stat_sq_poll;
60725 -extern atomic_t rdma_stat_sq_prod;
60726 +extern atomic_unchecked_t rdma_stat_recv;
60727 +extern atomic_unchecked_t rdma_stat_read;
60728 +extern atomic_unchecked_t rdma_stat_write;
60729 +extern atomic_unchecked_t rdma_stat_sq_starve;
60730 +extern atomic_unchecked_t rdma_stat_rq_starve;
60731 +extern atomic_unchecked_t rdma_stat_rq_poll;
60732 +extern atomic_unchecked_t rdma_stat_rq_prod;
60733 +extern atomic_unchecked_t rdma_stat_sq_poll;
60734 +extern atomic_unchecked_t rdma_stat_sq_prod;
60735
60736 #define RPCRDMA_VERSION 1
60737
60738 diff -urNp linux-2.6.32.43/include/linux/suspend.h linux-2.6.32.43/include/linux/suspend.h
60739 --- linux-2.6.32.43/include/linux/suspend.h 2011-03-27 14:31:47.000000000 -0400
60740 +++ linux-2.6.32.43/include/linux/suspend.h 2011-04-17 15:56:46.000000000 -0400
60741 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
60742 * which require special recovery actions in that situation.
60743 */
60744 struct platform_suspend_ops {
60745 - int (*valid)(suspend_state_t state);
60746 - int (*begin)(suspend_state_t state);
60747 - int (*prepare)(void);
60748 - int (*prepare_late)(void);
60749 - int (*enter)(suspend_state_t state);
60750 - void (*wake)(void);
60751 - void (*finish)(void);
60752 - void (*end)(void);
60753 - void (*recover)(void);
60754 + int (* const valid)(suspend_state_t state);
60755 + int (* const begin)(suspend_state_t state);
60756 + int (* const prepare)(void);
60757 + int (* const prepare_late)(void);
60758 + int (* const enter)(suspend_state_t state);
60759 + void (* const wake)(void);
60760 + void (* const finish)(void);
60761 + void (* const end)(void);
60762 + void (* const recover)(void);
60763 };
60764
60765 #ifdef CONFIG_SUSPEND
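Review bot: Const-qualifying each member of `struct platform_suspend_ops` turns a later assignment to `ops->enter` and the like into a compile error, but it does not by itself decide where an instance is stored; the instances are outside this hunk. For the table to sit in read-only data the definitions should also be `static const struct platform_suspend_ops`, which the `const` parameter of `suspend_set_ops()` in the next hunk now permits. The same holds for `struct platform_hibernation_ops` further down this file and for `struct sysfs_ops` in include/linux/sysfs.h.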
60766 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
60767 * suspend_set_ops - set platform dependent suspend operations
60768 * @ops: The new suspend operations to set.
60769 */
60770 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
60771 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
60772 extern int suspend_valid_only_mem(suspend_state_t state);
60773
60774 /**
60775 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
60776 #else /* !CONFIG_SUSPEND */
60777 #define suspend_valid_only_mem NULL
60778
60779 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
60780 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
60781 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
60782 #endif /* !CONFIG_SUSPEND */
60783
60784 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
60785 * platforms which require special recovery actions in that situation.
60786 */
60787 struct platform_hibernation_ops {
60788 - int (*begin)(void);
60789 - void (*end)(void);
60790 - int (*pre_snapshot)(void);
60791 - void (*finish)(void);
60792 - int (*prepare)(void);
60793 - int (*enter)(void);
60794 - void (*leave)(void);
60795 - int (*pre_restore)(void);
60796 - void (*restore_cleanup)(void);
60797 - void (*recover)(void);
60798 + int (* const begin)(void);
60799 + void (* const end)(void);
60800 + int (* const pre_snapshot)(void);
60801 + void (* const finish)(void);
60802 + int (* const prepare)(void);
60803 + int (* const enter)(void);
60804 + void (* const leave)(void);
60805 + int (* const pre_restore)(void);
60806 + void (* const restore_cleanup)(void);
60807 + void (* const recover)(void);
60808 };
60809
60810 #ifdef CONFIG_HIBERNATION
60811 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
60812 extern void swsusp_unset_page_free(struct page *);
60813 extern unsigned long get_safe_page(gfp_t gfp_mask);
60814
60815 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
60816 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
60817 extern int hibernate(void);
60818 extern bool system_entering_hibernation(void);
60819 #else /* CONFIG_HIBERNATION */
60820 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
60821 static inline void swsusp_set_page_free(struct page *p) {}
60822 static inline void swsusp_unset_page_free(struct page *p) {}
60823
60824 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
60825 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
60826 static inline int hibernate(void) { return -ENOSYS; }
60827 static inline bool system_entering_hibernation(void) { return false; }
60828 #endif /* CONFIG_HIBERNATION */
60829 diff -urNp linux-2.6.32.43/include/linux/sysctl.h linux-2.6.32.43/include/linux/sysctl.h
60830 --- linux-2.6.32.43/include/linux/sysctl.h 2011-03-27 14:31:47.000000000 -0400
60831 +++ linux-2.6.32.43/include/linux/sysctl.h 2011-04-17 15:56:46.000000000 -0400
60832 @@ -164,7 +164,11 @@ enum
60833 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
60834 };
60835
60836 -
60837 +#ifdef CONFIG_PAX_SOFTMODE
60838 +enum {
60839 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
60840 +};
60841 +#endif
60842
60843 /* CTL_VM names: */
60844 enum
60845 @@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
60846
60847 extern int proc_dostring(struct ctl_table *, int,
60848 void __user *, size_t *, loff_t *);
60849 +extern int proc_dostring_modpriv(struct ctl_table *, int,
60850 + void __user *, size_t *, loff_t *);
60851 extern int proc_dointvec(struct ctl_table *, int,
60852 void __user *, size_t *, loff_t *);
60853 extern int proc_dointvec_minmax(struct ctl_table *, int,
60854 @@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
60855
60856 extern ctl_handler sysctl_data;
60857 extern ctl_handler sysctl_string;
60858 +extern ctl_handler sysctl_string_modpriv;
60859 extern ctl_handler sysctl_intvec;
60860 extern ctl_handler sysctl_jiffies;
60861 extern ctl_handler sysctl_ms_jiffies;
60862 diff -urNp linux-2.6.32.43/include/linux/sysfs.h linux-2.6.32.43/include/linux/sysfs.h
60863 --- linux-2.6.32.43/include/linux/sysfs.h 2011-03-27 14:31:47.000000000 -0400
60864 +++ linux-2.6.32.43/include/linux/sysfs.h 2011-04-17 15:56:46.000000000 -0400
60865 @@ -75,8 +75,8 @@ struct bin_attribute {
60866 };
60867
60868 struct sysfs_ops {
60869 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
60870 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
60871 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
60872 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
60873 };
60874
60875 struct sysfs_dirent;
60876 diff -urNp linux-2.6.32.43/include/linux/thread_info.h linux-2.6.32.43/include/linux/thread_info.h
60877 --- linux-2.6.32.43/include/linux/thread_info.h 2011-03-27 14:31:47.000000000 -0400
60878 +++ linux-2.6.32.43/include/linux/thread_info.h 2011-04-17 15:56:46.000000000 -0400
60879 @@ -23,7 +23,7 @@ struct restart_block {
60880 };
60881 /* For futex_wait and futex_wait_requeue_pi */
60882 struct {
60883 - u32 *uaddr;
60884 + u32 __user *uaddr;
60885 u32 val;
60886 u32 flags;
60887 u32 bitset;
60888 diff -urNp linux-2.6.32.43/include/linux/tty.h linux-2.6.32.43/include/linux/tty.h
60889 --- linux-2.6.32.43/include/linux/tty.h 2011-03-27 14:31:47.000000000 -0400
60890 +++ linux-2.6.32.43/include/linux/tty.h 2011-08-05 20:33:55.000000000 -0400
60891 @@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
60892 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
60893 extern void tty_ldisc_enable(struct tty_struct *tty);
60894
60895 -
60896 /* n_tty.c */
60897 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
60898
60899 diff -urNp linux-2.6.32.43/include/linux/tty_ldisc.h linux-2.6.32.43/include/linux/tty_ldisc.h
60900 --- linux-2.6.32.43/include/linux/tty_ldisc.h 2011-03-27 14:31:47.000000000 -0400
60901 +++ linux-2.6.32.43/include/linux/tty_ldisc.h 2011-04-17 15:56:46.000000000 -0400
60902 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
60903
60904 struct module *owner;
60905
60906 - int refcount;
60907 + atomic_t refcount;
60908 };
60909
60910 struct tty_ldisc {
60911 diff -urNp linux-2.6.32.43/include/linux/types.h linux-2.6.32.43/include/linux/types.h
60912 --- linux-2.6.32.43/include/linux/types.h 2011-03-27 14:31:47.000000000 -0400
60913 +++ linux-2.6.32.43/include/linux/types.h 2011-04-17 15:56:46.000000000 -0400
60914 @@ -191,10 +191,26 @@ typedef struct {
60915 volatile int counter;
60916 } atomic_t;
60917
60918 +#ifdef CONFIG_PAX_REFCOUNT
60919 +typedef struct {
60920 + volatile int counter;
60921 +} atomic_unchecked_t;
60922 +#else
60923 +typedef atomic_t atomic_unchecked_t;
60924 +#endif
60925 +
60926 #ifdef CONFIG_64BIT
60927 typedef struct {
60928 volatile long counter;
60929 } atomic64_t;
60930 +
60931 +#ifdef CONFIG_PAX_REFCOUNT
60932 +typedef struct {
60933 + volatile long counter;
60934 +} atomic64_unchecked_t;
60935 +#else
60936 +typedef atomic64_t atomic64_unchecked_t;
60937 +#endif
60938 #endif
60939
60940 struct ustat {
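Review bot: With `CONFIG_PAX_REFCOUNT` off, `atomic_unchecked_t` is only a typedef of `atomic_t`, so code that passes one where the other is expected compiles cleanly and breaks only once the option is turned on and the two become distinct structs. Nothing at the definition says what "unchecked" means or when the type is appropriate, and choosing it for a real reference count would presumably take that counter out of overflow detection. I would add `/* exempt from PAX_REFCOUNT overflow detection: only for counters that may wrap harmlessly (statistics, sequence numbers) */` above the first typedef, and build conversions with the option both on and off. The same applies to `atomic64_unchecked_t`.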
60941 diff -urNp linux-2.6.32.43/include/linux/uaccess.h linux-2.6.32.43/include/linux/uaccess.h
60942 --- linux-2.6.32.43/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
60943 +++ linux-2.6.32.43/include/linux/uaccess.h 2011-04-17 15:56:46.000000000 -0400
60944 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
60945 long ret; \
60946 mm_segment_t old_fs = get_fs(); \
60947 \
60948 - set_fs(KERNEL_DS); \
60949 pagefault_disable(); \
60950 + set_fs(KERNEL_DS); \
60951 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
60952 - pagefault_enable(); \
60953 set_fs(old_fs); \
60954 + pagefault_enable(); \
60955 ret; \
60956 })
60957
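Review bot: The two swaps in `probe_kernel_address()` make the pairs nest, so `KERNEL_DS` is in effect only while page faults are disabled, but the macro gives no reason for the order and the old sequence looks just as plausible to a reader. A comment on the first pair, for example `/* keep set_fs(KERNEL_DS) inside the pagefault-disabled region */`, would stop the order from being changed back during a later tidy-up. The macro starts above this hunk.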
60958 @@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
60959 * Safely read from address @src to the buffer at @dst. If a kernel fault
60960 * happens, handle that and return -EFAULT.
60961 */
60962 -extern long probe_kernel_read(void *dst, void *src, size_t size);
60963 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
60964
60965 /*
60966 * probe_kernel_write(): safely attempt to write to a location
60967 @@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
60968 * Safely write to address @dst from the buffer at @src. If a kernel fault
60969 * happens, handle that and return -EFAULT.
60970 */
60971 -extern long probe_kernel_write(void *dst, void *src, size_t size);
60972 +extern long probe_kernel_write(void *dst, const void *src, size_t size);
60973
60974 #endif /* __LINUX_UACCESS_H__ */
60975 diff -urNp linux-2.6.32.43/include/linux/unaligned/access_ok.h linux-2.6.32.43/include/linux/unaligned/access_ok.h
60976 --- linux-2.6.32.43/include/linux/unaligned/access_ok.h 2011-03-27 14:31:47.000000000 -0400
60977 +++ linux-2.6.32.43/include/linux/unaligned/access_ok.h 2011-04-17 15:56:46.000000000 -0400
60978 @@ -6,32 +6,32 @@
60979
60980 static inline u16 get_unaligned_le16(const void *p)
60981 {
60982 - return le16_to_cpup((__le16 *)p);
60983 + return le16_to_cpup((const __le16 *)p);
60984 }
60985
60986 static inline u32 get_unaligned_le32(const void *p)
60987 {
60988 - return le32_to_cpup((__le32 *)p);
60989 + return le32_to_cpup((const __le32 *)p);
60990 }
60991
60992 static inline u64 get_unaligned_le64(const void *p)
60993 {
60994 - return le64_to_cpup((__le64 *)p);
60995 + return le64_to_cpup((const __le64 *)p);
60996 }
60997
60998 static inline u16 get_unaligned_be16(const void *p)
60999 {
61000 - return be16_to_cpup((__be16 *)p);
61001 + return be16_to_cpup((const __be16 *)p);
61002 }
61003
61004 static inline u32 get_unaligned_be32(const void *p)
61005 {
61006 - return be32_to_cpup((__be32 *)p);
61007 + return be32_to_cpup((const __be32 *)p);
61008 }
61009
61010 static inline u64 get_unaligned_be64(const void *p)
61011 {
61012 - return be64_to_cpup((__be64 *)p);
61013 + return be64_to_cpup((const __be64 *)p);
61014 }
61015
61016 static inline void put_unaligned_le16(u16 val, void *p)
61017 diff -urNp linux-2.6.32.43/include/linux/vmalloc.h linux-2.6.32.43/include/linux/vmalloc.h
61018 --- linux-2.6.32.43/include/linux/vmalloc.h 2011-03-27 14:31:47.000000000 -0400
61019 +++ linux-2.6.32.43/include/linux/vmalloc.h 2011-04-17 15:56:46.000000000 -0400
61020 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
61021 #define VM_MAP 0x00000004 /* vmap()ed pages */
61022 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
61023 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
61024 +
61025 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
61026 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
61027 +#endif
61028 +
61029 /* bits [20..32] reserved for arch specific ioremap internals */
61030
61031 /*
61032 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
61033
61034 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
61035
61036 +#define vmalloc(x) \
61037 +({ \
61038 + void *___retval; \
61039 + intoverflow_t ___x = (intoverflow_t)x; \
61040 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
61041 + ___retval = NULL; \
61042 + else \
61043 + ___retval = vmalloc((unsigned long)___x); \
61044 + ___retval; \
61045 +})
61046 +
61047 +#define __vmalloc(x, y, z) \
61048 +({ \
61049 + void *___retval; \
61050 + intoverflow_t ___x = (intoverflow_t)x; \
61051 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
61052 + ___retval = NULL; \
61053 + else \
61054 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
61055 + ___retval; \
61056 +})
61057 +
61058 +#define vmalloc_user(x) \
61059 +({ \
61060 + void *___retval; \
61061 + intoverflow_t ___x = (intoverflow_t)x; \
61062 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
61063 + ___retval = NULL; \
61064 + else \
61065 + ___retval = vmalloc_user((unsigned long)___x); \
61066 + ___retval; \
61067 +})
61068 +
61069 +#define vmalloc_exec(x) \
61070 +({ \
61071 + void *___retval; \
61072 + intoverflow_t ___x = (intoverflow_t)x; \
61073 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
61074 + ___retval = NULL; \
61075 + else \
61076 + ___retval = vmalloc_exec((unsigned long)___x); \
61077 + ___retval; \
61078 +})
61079 +
61080 +#define vmalloc_node(x, y) \
61081 +({ \
61082 + void *___retval; \
61083 + intoverflow_t ___x = (intoverflow_t)x; \
61084 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
61085 + ___retval = NULL; \
61086 + else \
61087 + ___retval = vmalloc_node((unsigned long)___x, (y));\
61088 + ___retval; \
61089 +})
61090 +
61091 +#define vmalloc_32(x) \
61092 +({ \
61093 + void *___retval; \
61094 + intoverflow_t ___x = (intoverflow_t)x; \
61095 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
61096 + ___retval = NULL; \
61097 + else \
61098 + ___retval = vmalloc_32((unsigned long)___x); \
61099 + ___retval; \
61100 +})
61101 +
61102 +#define vmalloc_32_user(x) \
61103 +({ \
61104 + void *___retval; \
61105 + intoverflow_t ___x = (intoverflow_t)x; \
61106 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
61107 + ___retval = NULL; \
61108 + else \
61109 + ___retval = vmalloc_32_user((unsigned long)___x);\
61110 + ___retval; \
61111 +})
61112 +
61113 #endif /* _LINUX_VMALLOC_H */
61114 diff -urNp linux-2.6.32.43/include/linux/vmstat.h linux-2.6.32.43/include/linux/vmstat.h
61115 --- linux-2.6.32.43/include/linux/vmstat.h 2011-03-27 14:31:47.000000000 -0400
61116 +++ linux-2.6.32.43/include/linux/vmstat.h 2011-04-17 15:56:46.000000000 -0400
61117 @@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
61118 /*
61119 * Zone based page accounting with per cpu differentials.
61120 */
61121 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
61122 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
61123
61124 static inline void zone_page_state_add(long x, struct zone *zone,
61125 enum zone_stat_item item)
61126 {
61127 - atomic_long_add(x, &zone->vm_stat[item]);
61128 - atomic_long_add(x, &vm_stat[item]);
61129 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
61130 + atomic_long_add_unchecked(x, &vm_stat[item]);
61131 }
61132
61133 static inline unsigned long global_page_state(enum zone_stat_item item)
61134 {
61135 - long x = atomic_long_read(&vm_stat[item]);
61136 + long x = atomic_long_read_unchecked(&vm_stat[item]);
61137 #ifdef CONFIG_SMP
61138 if (x < 0)
61139 x = 0;
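Review bot: Nothing here records why `vm_stat` may skip overflow detection once it becomes `atomic_long_unchecked_t` and is accessed through the `_unchecked` helpers in `zone_page_state_add()` and `global_page_state()`. The `x < 0` clamp kept under the changed read suggests these are statistics that can transiently go negative rather than reference counts, which is presumably the justification, but an auditor has to infer it. I would add a comment above the declaration such as `/* statistics only, never a refcount: wrap-around is harmless, so exempt from overflow checking */`. The same rationale is missing at the other `atomic_unchecked_t` conversions on this page (`flow_cache_genid`, `inet_peer.rid`, `ip_vs_conn.in_pkts`, `ip_vs_dest.conn_flags`, `autobind_name`, `rt_genid`, `sk_drops`, the SCSI I/O counters, `interrupt_sleep_count`). The body of `global_page_state()` continues outside the hunk.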
61140 @@ -158,7 +158,7 @@ static inline unsigned long global_page_
61141 static inline unsigned long zone_page_state(struct zone *zone,
61142 enum zone_stat_item item)
61143 {
61144 - long x = atomic_long_read(&zone->vm_stat[item]);
61145 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61146 #ifdef CONFIG_SMP
61147 if (x < 0)
61148 x = 0;
61149 @@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
61150 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
61151 enum zone_stat_item item)
61152 {
61153 - long x = atomic_long_read(&zone->vm_stat[item]);
61154 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
61155
61156 #ifdef CONFIG_SMP
61157 int cpu;
61158 @@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
61159
61160 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
61161 {
61162 - atomic_long_inc(&zone->vm_stat[item]);
61163 - atomic_long_inc(&vm_stat[item]);
61164 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
61165 + atomic_long_inc_unchecked(&vm_stat[item]);
61166 }
61167
61168 static inline void __inc_zone_page_state(struct page *page,
61169 @@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
61170
61171 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
61172 {
61173 - atomic_long_dec(&zone->vm_stat[item]);
61174 - atomic_long_dec(&vm_stat[item]);
61175 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
61176 + atomic_long_dec_unchecked(&vm_stat[item]);
61177 }
61178
61179 static inline void __dec_zone_page_state(struct page *page,
61180 diff -urNp linux-2.6.32.43/include/media/v4l2-dev.h linux-2.6.32.43/include/media/v4l2-dev.h
61181 --- linux-2.6.32.43/include/media/v4l2-dev.h 2011-03-27 14:31:47.000000000 -0400
61182 +++ linux-2.6.32.43/include/media/v4l2-dev.h 2011-08-05 20:33:55.000000000 -0400
61183 @@ -34,7 +34,7 @@ struct v4l2_device;
61184 #define V4L2_FL_UNREGISTERED (0)
61185
61186 struct v4l2_file_operations {
61187 - struct module *owner;
61188 + struct module * const owner;
61189 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
61190 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
61191 unsigned int (*poll) (struct file *, struct poll_table_struct *);
61192 diff -urNp linux-2.6.32.43/include/media/v4l2-device.h linux-2.6.32.43/include/media/v4l2-device.h
61193 --- linux-2.6.32.43/include/media/v4l2-device.h 2011-03-27 14:31:47.000000000 -0400
61194 +++ linux-2.6.32.43/include/media/v4l2-device.h 2011-05-04 17:56:28.000000000 -0400
61195 @@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
61196 this function returns 0. If the name ends with a digit (e.g. cx18),
61197 then the name will be set to cx18-0 since cx180 looks really odd. */
61198 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
61199 - atomic_t *instance);
61200 + atomic_unchecked_t *instance);
61201
61202 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
61203 Since the parent disappears this ensures that v4l2_dev doesn't have an
61204 diff -urNp linux-2.6.32.43/include/net/flow.h linux-2.6.32.43/include/net/flow.h
61205 --- linux-2.6.32.43/include/net/flow.h 2011-03-27 14:31:47.000000000 -0400
61206 +++ linux-2.6.32.43/include/net/flow.h 2011-05-04 17:56:28.000000000 -0400
61207 @@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
61208 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
61209 u8 dir, flow_resolve_t resolver);
61210 extern void flow_cache_flush(void);
61211 -extern atomic_t flow_cache_genid;
61212 +extern atomic_unchecked_t flow_cache_genid;
61213
61214 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
61215 {
61216 diff -urNp linux-2.6.32.43/include/net/inetpeer.h linux-2.6.32.43/include/net/inetpeer.h
61217 --- linux-2.6.32.43/include/net/inetpeer.h 2011-03-27 14:31:47.000000000 -0400
61218 +++ linux-2.6.32.43/include/net/inetpeer.h 2011-04-17 15:56:46.000000000 -0400
61219 @@ -24,7 +24,7 @@ struct inet_peer
61220 __u32 dtime; /* the time of last use of not
61221 * referenced entries */
61222 atomic_t refcnt;
61223 - atomic_t rid; /* Frag reception counter */
61224 + atomic_unchecked_t rid; /* Frag reception counter */
61225 __u32 tcp_ts;
61226 unsigned long tcp_ts_stamp;
61227 };
61228 diff -urNp linux-2.6.32.43/include/net/ip_vs.h linux-2.6.32.43/include/net/ip_vs.h
61229 --- linux-2.6.32.43/include/net/ip_vs.h 2011-03-27 14:31:47.000000000 -0400
61230 +++ linux-2.6.32.43/include/net/ip_vs.h 2011-05-04 17:56:28.000000000 -0400
61231 @@ -365,7 +365,7 @@ struct ip_vs_conn {
61232 struct ip_vs_conn *control; /* Master control connection */
61233 atomic_t n_control; /* Number of controlled ones */
61234 struct ip_vs_dest *dest; /* real server */
61235 - atomic_t in_pkts; /* incoming packet counter */
61236 + atomic_unchecked_t in_pkts; /* incoming packet counter */
61237
61238 /* packet transmitter for different forwarding methods. If it
61239 mangles the packet, it must return NF_DROP or better NF_STOLEN,
61240 @@ -466,7 +466,7 @@ struct ip_vs_dest {
61241 union nf_inet_addr addr; /* IP address of the server */
61242 __be16 port; /* port number of the server */
61243 volatile unsigned flags; /* dest status flags */
61244 - atomic_t conn_flags; /* flags to copy to conn */
61245 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
61246 atomic_t weight; /* server weight */
61247
61248 atomic_t refcnt; /* reference counter */
61249 diff -urNp linux-2.6.32.43/include/net/irda/ircomm_core.h linux-2.6.32.43/include/net/irda/ircomm_core.h
61250 --- linux-2.6.32.43/include/net/irda/ircomm_core.h 2011-03-27 14:31:47.000000000 -0400
61251 +++ linux-2.6.32.43/include/net/irda/ircomm_core.h 2011-08-05 20:33:55.000000000 -0400
61252 @@ -51,7 +51,7 @@ typedef struct {
61253 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
61254 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
61255 struct ircomm_info *);
61256 -} call_t;
61257 +} __no_const call_t;
61258
61259 struct ircomm_cb {
61260 irda_queue_t queue;
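Review bot: The `__no_const` added to `call_t` has no comment saying which member is written at run time, so the reason this table of function pointers must stay writable cannot be recovered from the header. The annotation presumably exempts the type from automatic constification, which leaves the pointers in writable memory; that is an exception a later audit will want justified. I would add `/* __no_const: members are assigned at run time in <assignment site>, cannot live in read-only memory */` with the real assignment site filled in. The same applies to `iw_cm_verbs`, `snd_ak4xxx_ops`, `snd_hwdep_ops`, `snd_info_entry_text` and `snd_sb_csp_ops` further down.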
61261 diff -urNp linux-2.6.32.43/include/net/irda/ircomm_tty.h linux-2.6.32.43/include/net/irda/ircomm_tty.h
61262 --- linux-2.6.32.43/include/net/irda/ircomm_tty.h 2011-03-27 14:31:47.000000000 -0400
61263 +++ linux-2.6.32.43/include/net/irda/ircomm_tty.h 2011-04-17 15:56:46.000000000 -0400
61264 @@ -35,6 +35,7 @@
61265 #include <linux/termios.h>
61266 #include <linux/timer.h>
61267 #include <linux/tty.h> /* struct tty_struct */
61268 +#include <asm/local.h>
61269
61270 #include <net/irda/irias_object.h>
61271 #include <net/irda/ircomm_core.h>
61272 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
61273 unsigned short close_delay;
61274 unsigned short closing_wait; /* time to wait before closing */
61275
61276 - int open_count;
61277 - int blocked_open; /* # of blocked opens */
61278 + local_t open_count;
61279 + local_t blocked_open; /* # of blocked opens */
61280
61281 /* Protect concurent access to :
61282 * o self->open_count
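Review bot: `open_count` and `blocked_open` become `local_t`, but `local_t` operations are atomic only with respect to the CPU they run on, so they do not replace the lock that the comment just below says protects `self->open_count`. Every user now has to go through the `local_*()` accessors (`local_read()`, `local_inc()`, `local_dec()`) and still hold that lock; a caller that drops the lock because the field looks atomic would introduce a race on the open count. I would extend the field comment to `local_t open_count; /* accessed via local_*() under the lock below; not SMP-atomic on its own */`. The struct continues outside the hunk and the call sites are not visible here.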
61283 diff -urNp linux-2.6.32.43/include/net/iucv/af_iucv.h linux-2.6.32.43/include/net/iucv/af_iucv.h
61284 --- linux-2.6.32.43/include/net/iucv/af_iucv.h 2011-03-27 14:31:47.000000000 -0400
61285 +++ linux-2.6.32.43/include/net/iucv/af_iucv.h 2011-05-04 17:56:28.000000000 -0400
61286 @@ -87,7 +87,7 @@ struct iucv_sock {
61287 struct iucv_sock_list {
61288 struct hlist_head head;
61289 rwlock_t lock;
61290 - atomic_t autobind_name;
61291 + atomic_unchecked_t autobind_name;
61292 };
61293
61294 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
61295 diff -urNp linux-2.6.32.43/include/net/lapb.h linux-2.6.32.43/include/net/lapb.h
61296 --- linux-2.6.32.43/include/net/lapb.h 2011-03-27 14:31:47.000000000 -0400
61297 +++ linux-2.6.32.43/include/net/lapb.h 2011-08-05 20:33:55.000000000 -0400
61298 @@ -95,7 +95,7 @@ struct lapb_cb {
61299 struct sk_buff_head write_queue;
61300 struct sk_buff_head ack_queue;
61301 unsigned char window;
61302 - struct lapb_register_struct callbacks;
61303 + struct lapb_register_struct *callbacks;
61304
61305 /* FRMR control information */
61306 struct lapb_frame frmr_data;
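Review bot: `callbacks` changes from an embedded `struct lapb_register_struct` to a pointer, which puts a lifetime obligation on whoever registers: the pointed-to structure must now outlive the `lapb_cb`, where before the control block held its own copy. The registration and call sites are outside this hunk, so I cannot confirm how they were adapted, but a registrant that passes a stack or otherwise short-lived structure would leave a dangling pointer to a table of function pointers. I would document the contract on the field, e.g. `struct lapb_register_struct *callbacks; /* borrowed; must stay valid until unregister */`, and make the pointee `const` if nothing writes through it. The struct continues outside the hunk.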
61307 diff -urNp linux-2.6.32.43/include/net/neighbour.h linux-2.6.32.43/include/net/neighbour.h
61308 --- linux-2.6.32.43/include/net/neighbour.h 2011-03-27 14:31:47.000000000 -0400
61309 +++ linux-2.6.32.43/include/net/neighbour.h 2011-04-17 15:56:46.000000000 -0400
61310 @@ -125,12 +125,12 @@ struct neighbour
61311 struct neigh_ops
61312 {
61313 int family;
61314 - void (*solicit)(struct neighbour *, struct sk_buff*);
61315 - void (*error_report)(struct neighbour *, struct sk_buff*);
61316 - int (*output)(struct sk_buff*);
61317 - int (*connected_output)(struct sk_buff*);
61318 - int (*hh_output)(struct sk_buff*);
61319 - int (*queue_xmit)(struct sk_buff*);
61320 + void (* const solicit)(struct neighbour *, struct sk_buff*);
61321 + void (* const error_report)(struct neighbour *, struct sk_buff*);
61322 + int (* const output)(struct sk_buff*);
61323 + int (* const connected_output)(struct sk_buff*);
61324 + int (* const hh_output)(struct sk_buff*);
61325 + int (* const queue_xmit)(struct sk_buff*);
61326 };
61327
61328 struct pneigh_entry
61329 diff -urNp linux-2.6.32.43/include/net/netlink.h linux-2.6.32.43/include/net/netlink.h
61330 --- linux-2.6.32.43/include/net/netlink.h 2011-07-13 17:23:04.000000000 -0400
61331 +++ linux-2.6.32.43/include/net/netlink.h 2011-07-13 17:23:19.000000000 -0400
61332 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
61333 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
61334 {
61335 if (mark)
61336 - skb_trim(skb, (unsigned char *) mark - skb->data);
61337 + skb_trim(skb, (const unsigned char *) mark - skb->data);
61338 }
61339
61340 /**
61341 diff -urNp linux-2.6.32.43/include/net/netns/ipv4.h linux-2.6.32.43/include/net/netns/ipv4.h
61342 --- linux-2.6.32.43/include/net/netns/ipv4.h 2011-03-27 14:31:47.000000000 -0400
61343 +++ linux-2.6.32.43/include/net/netns/ipv4.h 2011-05-04 17:56:28.000000000 -0400
61344 @@ -54,7 +54,7 @@ struct netns_ipv4 {
61345 int current_rt_cache_rebuild_count;
61346
61347 struct timer_list rt_secret_timer;
61348 - atomic_t rt_genid;
61349 + atomic_unchecked_t rt_genid;
61350
61351 #ifdef CONFIG_IP_MROUTE
61352 struct sock *mroute_sk;
61353 diff -urNp linux-2.6.32.43/include/net/sctp/sctp.h linux-2.6.32.43/include/net/sctp/sctp.h
61354 --- linux-2.6.32.43/include/net/sctp/sctp.h 2011-03-27 14:31:47.000000000 -0400
61355 +++ linux-2.6.32.43/include/net/sctp/sctp.h 2011-04-17 15:56:46.000000000 -0400
61356 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
61357
61358 #else /* SCTP_DEBUG */
61359
61360 -#define SCTP_DEBUG_PRINTK(whatever...)
61361 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
61362 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
61363 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
61364 #define SCTP_ENABLE_DEBUG
61365 #define SCTP_DISABLE_DEBUG
61366 #define SCTP_ASSERT(expr, str, func)
61367 diff -urNp linux-2.6.32.43/include/net/sock.h linux-2.6.32.43/include/net/sock.h
61368 --- linux-2.6.32.43/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400
61369 +++ linux-2.6.32.43/include/net/sock.h 2011-05-04 17:56:28.000000000 -0400
61370 @@ -272,7 +272,7 @@ struct sock {
61371 rwlock_t sk_callback_lock;
61372 int sk_err,
61373 sk_err_soft;
61374 - atomic_t sk_drops;
61375 + atomic_unchecked_t sk_drops;
61376 unsigned short sk_ack_backlog;
61377 unsigned short sk_max_ack_backlog;
61378 __u32 sk_priority;
61379 diff -urNp linux-2.6.32.43/include/net/tcp.h linux-2.6.32.43/include/net/tcp.h
61380 --- linux-2.6.32.43/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400
61381 +++ linux-2.6.32.43/include/net/tcp.h 2011-04-17 15:56:46.000000000 -0400
61382 @@ -1444,6 +1444,7 @@ enum tcp_seq_states {
61383 struct tcp_seq_afinfo {
61384 char *name;
61385 sa_family_t family;
61386 + /* cannot be const */
61387 struct file_operations seq_fops;
61388 struct seq_operations seq_ops;
61389 };
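Review bot: The added `/* cannot be const */` above `seq_fops` says what but not why, so the next person constifying `file_operations` users has to rediscover the reason. Presumably the members of `seq_fops` are filled in when the afinfo is registered, but that code is not in this hunk. I would spell it out, e.g. `/* cannot be const: filled in at registration time */`, once that has been confirmed against the registration code. The identical comment added to `udp_seq_afinfo` in `include/net/udp.h` needs the same treatment.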
61390 diff -urNp linux-2.6.32.43/include/net/udp.h linux-2.6.32.43/include/net/udp.h
61391 --- linux-2.6.32.43/include/net/udp.h 2011-03-27 14:31:47.000000000 -0400
61392 +++ linux-2.6.32.43/include/net/udp.h 2011-04-17 15:56:46.000000000 -0400
61393 @@ -187,6 +187,7 @@ struct udp_seq_afinfo {
61394 char *name;
61395 sa_family_t family;
61396 struct udp_table *udp_table;
61397 + /* cannot be const */
61398 struct file_operations seq_fops;
61399 struct seq_operations seq_ops;
61400 };
61401 diff -urNp linux-2.6.32.43/include/rdma/iw_cm.h linux-2.6.32.43/include/rdma/iw_cm.h
61402 --- linux-2.6.32.43/include/rdma/iw_cm.h 2011-03-27 14:31:47.000000000 -0400
61403 +++ linux-2.6.32.43/include/rdma/iw_cm.h 2011-08-05 20:33:55.000000000 -0400
61404 @@ -129,7 +129,7 @@ struct iw_cm_verbs {
61405 int backlog);
61406
61407 int (*destroy_listen)(struct iw_cm_id *cm_id);
61408 -};
61409 +} __no_const;
61410
61411 /**
61412 * iw_create_cm_id - Create an IW CM identifier.
61413 diff -urNp linux-2.6.32.43/include/scsi/scsi_device.h linux-2.6.32.43/include/scsi/scsi_device.h
61414 --- linux-2.6.32.43/include/scsi/scsi_device.h 2011-04-17 17:00:52.000000000 -0400
61415 +++ linux-2.6.32.43/include/scsi/scsi_device.h 2011-05-04 17:56:28.000000000 -0400
61416 @@ -156,9 +156,9 @@ struct scsi_device {
61417 unsigned int max_device_blocked; /* what device_blocked counts down from */
61418 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
61419
61420 - atomic_t iorequest_cnt;
61421 - atomic_t iodone_cnt;
61422 - atomic_t ioerr_cnt;
61423 + atomic_unchecked_t iorequest_cnt;
61424 + atomic_unchecked_t iodone_cnt;
61425 + atomic_unchecked_t ioerr_cnt;
61426
61427 struct device sdev_gendev,
61428 sdev_dev;
61429 diff -urNp linux-2.6.32.43/include/scsi/scsi_transport_fc.h linux-2.6.32.43/include/scsi/scsi_transport_fc.h
61430 --- linux-2.6.32.43/include/scsi/scsi_transport_fc.h 2011-03-27 14:31:47.000000000 -0400
61431 +++ linux-2.6.32.43/include/scsi/scsi_transport_fc.h 2011-08-05 20:33:55.000000000 -0400
61432 @@ -663,9 +663,9 @@ struct fc_function_template {
61433 int (*bsg_timeout)(struct fc_bsg_job *);
61434
61435 /* allocation lengths for host-specific data */
61436 - u32 dd_fcrport_size;
61437 - u32 dd_fcvport_size;
61438 - u32 dd_bsg_size;
61439 + const u32 dd_fcrport_size;
61440 + const u32 dd_fcvport_size;
61441 + const u32 dd_bsg_size;
61442
61443 /*
61444 * The driver sets these to tell the transport class it
61445 @@ -675,39 +675,39 @@ struct fc_function_template {
61446 */
61447
61448 /* remote port fixed attributes */
61449 - unsigned long show_rport_maxframe_size:1;
61450 - unsigned long show_rport_supported_classes:1;
61451 - unsigned long show_rport_dev_loss_tmo:1;
61452 + const unsigned long show_rport_maxframe_size:1;
61453 + const unsigned long show_rport_supported_classes:1;
61454 + const unsigned long show_rport_dev_loss_tmo:1;
61455
61456 /*
61457 * target dynamic attributes
61458 * These should all be "1" if the driver uses the remote port
61459 * add/delete functions (so attributes reflect rport values).
61460 */
61461 - unsigned long show_starget_node_name:1;
61462 - unsigned long show_starget_port_name:1;
61463 - unsigned long show_starget_port_id:1;
61464 + const unsigned long show_starget_node_name:1;
61465 + const unsigned long show_starget_port_name:1;
61466 + const unsigned long show_starget_port_id:1;
61467
61468 /* host fixed attributes */
61469 - unsigned long show_host_node_name:1;
61470 - unsigned long show_host_port_name:1;
61471 - unsigned long show_host_permanent_port_name:1;
61472 - unsigned long show_host_supported_classes:1;
61473 - unsigned long show_host_supported_fc4s:1;
61474 - unsigned long show_host_supported_speeds:1;
61475 - unsigned long show_host_maxframe_size:1;
61476 - unsigned long show_host_serial_number:1;
61477 + const unsigned long show_host_node_name:1;
61478 + const unsigned long show_host_port_name:1;
61479 + const unsigned long show_host_permanent_port_name:1;
61480 + const unsigned long show_host_supported_classes:1;
61481 + const unsigned long show_host_supported_fc4s:1;
61482 + const unsigned long show_host_supported_speeds:1;
61483 + const unsigned long show_host_maxframe_size:1;
61484 + const unsigned long show_host_serial_number:1;
61485 /* host dynamic attributes */
61486 - unsigned long show_host_port_id:1;
61487 - unsigned long show_host_port_type:1;
61488 - unsigned long show_host_port_state:1;
61489 - unsigned long show_host_active_fc4s:1;
61490 - unsigned long show_host_speed:1;
61491 - unsigned long show_host_fabric_name:1;
61492 - unsigned long show_host_symbolic_name:1;
61493 - unsigned long show_host_system_hostname:1;
61494 + const unsigned long show_host_port_id:1;
61495 + const unsigned long show_host_port_type:1;
61496 + const unsigned long show_host_port_state:1;
61497 + const unsigned long show_host_active_fc4s:1;
61498 + const unsigned long show_host_speed:1;
61499 + const unsigned long show_host_fabric_name:1;
61500 + const unsigned long show_host_symbolic_name:1;
61501 + const unsigned long show_host_system_hostname:1;
61502
61503 - unsigned long disable_target_scan:1;
61504 + const unsigned long disable_target_scan:1;
61505 };
61506
61507
61508 diff -urNp linux-2.6.32.43/include/sound/ac97_codec.h linux-2.6.32.43/include/sound/ac97_codec.h
61509 --- linux-2.6.32.43/include/sound/ac97_codec.h 2011-03-27 14:31:47.000000000 -0400
61510 +++ linux-2.6.32.43/include/sound/ac97_codec.h 2011-04-17 15:56:46.000000000 -0400
61511 @@ -419,15 +419,15 @@
61512 struct snd_ac97;
61513
61514 struct snd_ac97_build_ops {
61515 - int (*build_3d) (struct snd_ac97 *ac97);
61516 - int (*build_specific) (struct snd_ac97 *ac97);
61517 - int (*build_spdif) (struct snd_ac97 *ac97);
61518 - int (*build_post_spdif) (struct snd_ac97 *ac97);
61519 + int (* const build_3d) (struct snd_ac97 *ac97);
61520 + int (* const build_specific) (struct snd_ac97 *ac97);
61521 + int (* const build_spdif) (struct snd_ac97 *ac97);
61522 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
61523 #ifdef CONFIG_PM
61524 - void (*suspend) (struct snd_ac97 *ac97);
61525 - void (*resume) (struct snd_ac97 *ac97);
61526 + void (* const suspend) (struct snd_ac97 *ac97);
61527 + void (* const resume) (struct snd_ac97 *ac97);
61528 #endif
61529 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
61530 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
61531 };
61532
61533 struct snd_ac97_bus_ops {
61534 @@ -477,7 +477,7 @@ struct snd_ac97_template {
61535
61536 struct snd_ac97 {
61537 /* -- lowlevel (hardware) driver specific -- */
61538 - struct snd_ac97_build_ops * build_ops;
61539 + const struct snd_ac97_build_ops * build_ops;
61540 void *private_data;
61541 void (*private_free) (struct snd_ac97 *ac97);
61542 /* --- */
61543 diff -urNp linux-2.6.32.43/include/sound/ak4xxx-adda.h linux-2.6.32.43/include/sound/ak4xxx-adda.h
61544 --- linux-2.6.32.43/include/sound/ak4xxx-adda.h 2011-03-27 14:31:47.000000000 -0400
61545 +++ linux-2.6.32.43/include/sound/ak4xxx-adda.h 2011-08-05 20:33:55.000000000 -0400
61546 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
61547 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
61548 unsigned char val);
61549 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
61550 -};
61551 +} __no_const;
61552
61553 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
61554
61555 diff -urNp linux-2.6.32.43/include/sound/hwdep.h linux-2.6.32.43/include/sound/hwdep.h
61556 --- linux-2.6.32.43/include/sound/hwdep.h 2011-03-27 14:31:47.000000000 -0400
61557 +++ linux-2.6.32.43/include/sound/hwdep.h 2011-08-05 20:33:55.000000000 -0400
61558 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
61559 struct snd_hwdep_dsp_status *status);
61560 int (*dsp_load)(struct snd_hwdep *hw,
61561 struct snd_hwdep_dsp_image *image);
61562 -};
61563 +} __no_const;
61564
61565 struct snd_hwdep {
61566 struct snd_card *card;
61567 diff -urNp linux-2.6.32.43/include/sound/info.h linux-2.6.32.43/include/sound/info.h
61568 --- linux-2.6.32.43/include/sound/info.h 2011-03-27 14:31:47.000000000 -0400
61569 +++ linux-2.6.32.43/include/sound/info.h 2011-08-05 20:33:55.000000000 -0400
61570 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
61571 struct snd_info_buffer *buffer);
61572 void (*write)(struct snd_info_entry *entry,
61573 struct snd_info_buffer *buffer);
61574 -};
61575 +} __no_const;
61576
61577 struct snd_info_entry_ops {
61578 int (*open)(struct snd_info_entry *entry,
61579 diff -urNp linux-2.6.32.43/include/sound/sb16_csp.h linux-2.6.32.43/include/sound/sb16_csp.h
61580 --- linux-2.6.32.43/include/sound/sb16_csp.h 2011-03-27 14:31:47.000000000 -0400
61581 +++ linux-2.6.32.43/include/sound/sb16_csp.h 2011-08-05 20:33:55.000000000 -0400
61582 @@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
61583 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
61584 int (*csp_stop) (struct snd_sb_csp * p);
61585 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
61586 -};
61587 +} __no_const;
61588
61589 /*
61590 * CSP private data
61591 diff -urNp linux-2.6.32.43/include/sound/ymfpci.h linux-2.6.32.43/include/sound/ymfpci.h
61592 --- linux-2.6.32.43/include/sound/ymfpci.h 2011-03-27 14:31:47.000000000 -0400
61593 +++ linux-2.6.32.43/include/sound/ymfpci.h 2011-05-04 17:56:28.000000000 -0400
61594 @@ -358,7 +358,7 @@ struct snd_ymfpci {
61595 spinlock_t reg_lock;
61596 spinlock_t voice_lock;
61597 wait_queue_head_t interrupt_sleep;
61598 - atomic_t interrupt_sleep_count;
61599 + atomic_unchecked_t interrupt_sleep_count;
61600 struct snd_info_entry *proc_entry;
61601 const struct firmware *dsp_microcode;
61602 const struct firmware *controller_microcode;
61603 diff -urNp linux-2.6.32.43/include/trace/events/irq.h linux-2.6.32.43/include/trace/events/irq.h
61604 --- linux-2.6.32.43/include/trace/events/irq.h 2011-03-27 14:31:47.000000000 -0400
61605 +++ linux-2.6.32.43/include/trace/events/irq.h 2011-04-17 15:56:46.000000000 -0400
61606 @@ -34,7 +34,7 @@
61607 */
61608 TRACE_EVENT(irq_handler_entry,
61609
61610 - TP_PROTO(int irq, struct irqaction *action),
61611 + TP_PROTO(int irq, const struct irqaction *action),
61612
61613 TP_ARGS(irq, action),
61614
61615 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
61616 */
61617 TRACE_EVENT(irq_handler_exit,
61618
61619 - TP_PROTO(int irq, struct irqaction *action, int ret),
61620 + TP_PROTO(int irq, const struct irqaction *action, int ret),
61621
61622 TP_ARGS(irq, action, ret),
61623
61624 @@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
61625 */
61626 TRACE_EVENT(softirq_entry,
61627
61628 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
61629 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
61630
61631 TP_ARGS(h, vec),
61632
61633 @@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
61634 */
61635 TRACE_EVENT(softirq_exit,
61636
61637 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
61638 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
61639
61640 TP_ARGS(h, vec),
61641
61642 diff -urNp linux-2.6.32.43/include/video/uvesafb.h linux-2.6.32.43/include/video/uvesafb.h
61643 --- linux-2.6.32.43/include/video/uvesafb.h 2011-03-27 14:31:47.000000000 -0400
61644 +++ linux-2.6.32.43/include/video/uvesafb.h 2011-04-17 15:56:46.000000000 -0400
61645 @@ -177,6 +177,7 @@ struct uvesafb_par {
61646 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
61647 u8 pmi_setpal; /* PMI for palette changes */
61648 u16 *pmi_base; /* protected mode interface location */
61649 + u8 *pmi_code; /* protected mode code location */
61650 void *pmi_start;
61651 void *pmi_pal;
61652 u8 *vbe_state_orig; /*
61653 diff -urNp linux-2.6.32.43/init/do_mounts.c linux-2.6.32.43/init/do_mounts.c
61654 --- linux-2.6.32.43/init/do_mounts.c 2011-03-27 14:31:47.000000000 -0400
61655 +++ linux-2.6.32.43/init/do_mounts.c 2011-04-17 15:56:46.000000000 -0400
61656 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
61657
61658 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
61659 {
61660 - int err = sys_mount(name, "/root", fs, flags, data);
61661 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
61662 if (err)
61663 return err;
61664
61665 - sys_chdir("/root");
61666 + sys_chdir((__force const char __user *)"/root");
61667 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
61668 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
61669 current->fs->pwd.mnt->mnt_sb->s_type->name,
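Review bot: The casts added in `do_mount_root()` pass kernel-resident strings and `data` through the `__user` parameters of `sys_mount()` and `sys_chdir()` with no comment saying this is intentional. `__force` and `__user` are checker annotations only, so the casts silence sparse without changing what the syscalls do with the pointer; whether that is safe depends on the address limit in effect during init, which this hunk does not show. I would add a comment before the call, `/* kernel pointers passed to syscalls from init context; __force only silences sparse */`, so that no cast is mistaken for a validated user pointer. The later hunks in `do_mounts.h`, `do_mounts_initrd.c` and `do_mounts_md.c` repeat the pattern, and the body of `do_mount_root()` continues outside the hunk.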
61670 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
61671 va_start(args, fmt);
61672 vsprintf(buf, fmt, args);
61673 va_end(args);
61674 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
61675 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
61676 if (fd >= 0) {
61677 sys_ioctl(fd, FDEJECT, 0);
61678 sys_close(fd);
61679 }
61680 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
61681 - fd = sys_open("/dev/console", O_RDWR, 0);
61682 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
61683 if (fd >= 0) {
61684 sys_ioctl(fd, TCGETS, (long)&termios);
61685 termios.c_lflag &= ~ICANON;
61686 sys_ioctl(fd, TCSETSF, (long)&termios);
61687 - sys_read(fd, &c, 1);
61688 + sys_read(fd, (char __user *)&c, 1);
61689 termios.c_lflag |= ICANON;
61690 sys_ioctl(fd, TCSETSF, (long)&termios);
61691 sys_close(fd);
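Review bot: The three casts added in `change_floppy()`, on `"/dev/root"`, `"/dev/console"` and `&c`, omit `__force`, unlike every other kernel-to-user cast this patch adds under `init/`. Without `__force`, sparse is expected to still report the address-space change, so these lines do not get the effect the rest of the series relies on. For consistency they should read `(__force char __user *)"/dev/root"`, `(__force char __user *)"/dev/console"` and `(__force char __user *)&c`. The function starts and ends outside the hunk.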
61692 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
61693 mount_root();
61694 out:
61695 devtmpfs_mount("dev");
61696 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
61697 - sys_chroot(".");
61698 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
61699 + sys_chroot((__force char __user *)".");
61700 }
61701 diff -urNp linux-2.6.32.43/init/do_mounts.h linux-2.6.32.43/init/do_mounts.h
61702 --- linux-2.6.32.43/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
61703 +++ linux-2.6.32.43/init/do_mounts.h 2011-04-17 15:56:46.000000000 -0400
61704 @@ -15,15 +15,15 @@ extern int root_mountflags;
61705
61706 static inline int create_dev(char *name, dev_t dev)
61707 {
61708 - sys_unlink(name);
61709 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
61710 + sys_unlink((__force char __user *)name);
61711 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
61712 }
61713
61714 #if BITS_PER_LONG == 32
61715 static inline u32 bstat(char *name)
61716 {
61717 struct stat64 stat;
61718 - if (sys_stat64(name, &stat) != 0)
61719 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
61720 return 0;
61721 if (!S_ISBLK(stat.st_mode))
61722 return 0;
61723 diff -urNp linux-2.6.32.43/init/do_mounts_initrd.c linux-2.6.32.43/init/do_mounts_initrd.c
61724 --- linux-2.6.32.43/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
61725 +++ linux-2.6.32.43/init/do_mounts_initrd.c 2011-04-17 15:56:46.000000000 -0400
61726 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
61727 sys_close(old_fd);sys_close(root_fd);
61728 sys_close(0);sys_close(1);sys_close(2);
61729 sys_setsid();
61730 - (void) sys_open("/dev/console",O_RDWR,0);
61731 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
61732 (void) sys_dup(0);
61733 (void) sys_dup(0);
61734 return kernel_execve(shell, argv, envp_init);
61735 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
61736 create_dev("/dev/root.old", Root_RAM0);
61737 /* mount initrd on rootfs' /root */
61738 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
61739 - sys_mkdir("/old", 0700);
61740 - root_fd = sys_open("/", 0, 0);
61741 - old_fd = sys_open("/old", 0, 0);
61742 + sys_mkdir((__force const char __user *)"/old", 0700);
61743 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
61744 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
61745 /* move initrd over / and chdir/chroot in initrd root */
61746 - sys_chdir("/root");
61747 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
61748 - sys_chroot(".");
61749 + sys_chdir((__force const char __user *)"/root");
61750 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
61751 + sys_chroot((__force const char __user *)".");
61752
61753 /*
61754 * In case that a resume from disk is carried out by linuxrc or one of
61755 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
61756
61757 /* move initrd to rootfs' /old */
61758 sys_fchdir(old_fd);
61759 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
61760 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
61761 /* switch root and cwd back to / of rootfs */
61762 sys_fchdir(root_fd);
61763 - sys_chroot(".");
61764 + sys_chroot((__force const char __user *)".");
61765 sys_close(old_fd);
61766 sys_close(root_fd);
61767
61768 if (new_decode_dev(real_root_dev) == Root_RAM0) {
61769 - sys_chdir("/old");
61770 + sys_chdir((__force const char __user *)"/old");
61771 return;
61772 }
61773
61774 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
61775 mount_root();
61776
61777 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
61778 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
61779 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
61780 if (!error)
61781 printk("okay\n");
61782 else {
61783 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
61784 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
61785 if (error == -ENOENT)
61786 printk("/initrd does not exist. Ignored.\n");
61787 else
61788 printk("failed\n");
61789 printk(KERN_NOTICE "Unmounting old root\n");
61790 - sys_umount("/old", MNT_DETACH);
61791 + sys_umount((__force char __user *)"/old", MNT_DETACH);
61792 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
61793 if (fd < 0) {
61794 error = fd;
61795 @@ -119,11 +119,11 @@ int __init initrd_load(void)
61796 * mounted in the normal path.
61797 */
61798 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
61799 - sys_unlink("/initrd.image");
61800 + sys_unlink((__force const char __user *)"/initrd.image");
61801 handle_initrd();
61802 return 1;
61803 }
61804 }
61805 - sys_unlink("/initrd.image");
61806 + sys_unlink((__force const char __user *)"/initrd.image");
61807 return 0;
61808 }
61809 diff -urNp linux-2.6.32.43/init/do_mounts_md.c linux-2.6.32.43/init/do_mounts_md.c
61810 --- linux-2.6.32.43/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
61811 +++ linux-2.6.32.43/init/do_mounts_md.c 2011-04-17 15:56:46.000000000 -0400
61812 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
61813 partitioned ? "_d" : "", minor,
61814 md_setup_args[ent].device_names);
61815
61816 - fd = sys_open(name, 0, 0);
61817 + fd = sys_open((__force char __user *)name, 0, 0);
61818 if (fd < 0) {
61819 printk(KERN_ERR "md: open failed - cannot start "
61820 "array %s\n", name);
61821 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
61822 * array without it
61823 */
61824 sys_close(fd);
61825 - fd = sys_open(name, 0, 0);
61826 + fd = sys_open((__force char __user *)name, 0, 0);
61827 sys_ioctl(fd, BLKRRPART, 0);
61828 }
61829 sys_close(fd);
61830 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
61831
61832 wait_for_device_probe();
61833
61834 - fd = sys_open("/dev/md0", 0, 0);
61835 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
61836 if (fd >= 0) {
61837 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
61838 sys_close(fd);
61839 diff -urNp linux-2.6.32.43/init/initramfs.c linux-2.6.32.43/init/initramfs.c
61840 --- linux-2.6.32.43/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
61841 +++ linux-2.6.32.43/init/initramfs.c 2011-04-17 15:56:46.000000000 -0400
61842 @@ -74,7 +74,7 @@ static void __init free_hash(void)
61843 }
61844 }
61845
61846 -static long __init do_utime(char __user *filename, time_t mtime)
61847 +static long __init do_utime(__force char __user *filename, time_t mtime)
61848 {
61849 struct timespec t[2];
61850
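Review bot: `__force` is placed on the parameter declaration of do_utime(), whereas everywhere else in this patch it appears only inside a cast. Every call site the patch touches already casts its argument with `(__force char __user *)`, so the qualifier in the signature looks redundant and reads as if the function accepted any pointer. Keeping the declaration as `char __user *filename` would leave the annotation at the call sites, where the address-space change actually happens. do_utime's body continues outside the hunk.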
61851 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
61852 struct dir_entry *de, *tmp;
61853 list_for_each_entry_safe(de, tmp, &dir_list, list) {
61854 list_del(&de->list);
61855 - do_utime(de->name, de->mtime);
61856 + do_utime((__force char __user *)de->name, de->mtime);
61857 kfree(de->name);
61858 kfree(de);
61859 }
61860 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
61861 if (nlink >= 2) {
61862 char *old = find_link(major, minor, ino, mode, collected);
61863 if (old)
61864 - return (sys_link(old, collected) < 0) ? -1 : 1;
61865 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
61866 }
61867 return 0;
61868 }
61869 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
61870 {
61871 struct stat st;
61872
61873 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
61874 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
61875 if (S_ISDIR(st.st_mode))
61876 - sys_rmdir(path);
61877 + sys_rmdir((__force char __user *)path);
61878 else
61879 - sys_unlink(path);
61880 + sys_unlink((__force char __user *)path);
61881 }
61882 }
61883
61884 @@ -305,7 +305,7 @@ static int __init do_name(void)
61885 int openflags = O_WRONLY|O_CREAT;
61886 if (ml != 1)
61887 openflags |= O_TRUNC;
61888 - wfd = sys_open(collected, openflags, mode);
61889 + wfd = sys_open((__force char __user *)collected, openflags, mode);
61890
61891 if (wfd >= 0) {
61892 sys_fchown(wfd, uid, gid);
61893 @@ -317,17 +317,17 @@ static int __init do_name(void)
61894 }
61895 }
61896 } else if (S_ISDIR(mode)) {
61897 - sys_mkdir(collected, mode);
61898 - sys_chown(collected, uid, gid);
61899 - sys_chmod(collected, mode);
61900 + sys_mkdir((__force char __user *)collected, mode);
61901 + sys_chown((__force char __user *)collected, uid, gid);
61902 + sys_chmod((__force char __user *)collected, mode);
61903 dir_add(collected, mtime);
61904 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
61905 S_ISFIFO(mode) || S_ISSOCK(mode)) {
61906 if (maybe_link() == 0) {
61907 - sys_mknod(collected, mode, rdev);
61908 - sys_chown(collected, uid, gid);
61909 - sys_chmod(collected, mode);
61910 - do_utime(collected, mtime);
61911 + sys_mknod((__force char __user *)collected, mode, rdev);
61912 + sys_chown((__force char __user *)collected, uid, gid);
61913 + sys_chmod((__force char __user *)collected, mode);
61914 + do_utime((__force char __user *)collected, mtime);
61915 }
61916 }
61917 return 0;
61918 @@ -336,15 +336,15 @@ static int __init do_name(void)
61919 static int __init do_copy(void)
61920 {
61921 if (count >= body_len) {
61922 - sys_write(wfd, victim, body_len);
61923 + sys_write(wfd, (__force char __user *)victim, body_len);
61924 sys_close(wfd);
61925 - do_utime(vcollected, mtime);
61926 + do_utime((__force char __user *)vcollected, mtime);
61927 kfree(vcollected);
61928 eat(body_len);
61929 state = SkipIt;
61930 return 0;
61931 } else {
61932 - sys_write(wfd, victim, count);
61933 + sys_write(wfd, (__force char __user *)victim, count);
61934 body_len -= count;
61935 eat(count);
61936 return 1;
61937 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
61938 {
61939 collected[N_ALIGN(name_len) + body_len] = '\0';
61940 clean_path(collected, 0);
61941 - sys_symlink(collected + N_ALIGN(name_len), collected);
61942 - sys_lchown(collected, uid, gid);
61943 - do_utime(collected, mtime);
61944 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
61945 + sys_lchown((__force char __user *)collected, uid, gid);
61946 + do_utime((__force char __user *)collected, mtime);
61947 state = SkipIt;
61948 next_state = Reset;
61949 return 0;
61950 diff -urNp linux-2.6.32.43/init/Kconfig linux-2.6.32.43/init/Kconfig
61951 --- linux-2.6.32.43/init/Kconfig 2011-05-10 22:12:01.000000000 -0400
61952 +++ linux-2.6.32.43/init/Kconfig 2011-05-10 22:12:34.000000000 -0400
61953 @@ -1004,7 +1004,7 @@ config SLUB_DEBUG
61954
61955 config COMPAT_BRK
61956 bool "Disable heap randomization"
61957 - default y
61958 + default n
61959 help
61960 Randomizing heap placement makes heap exploits harder, but it
61961 also breaks ancient binaries (including anything libc5 based).
61962 diff -urNp linux-2.6.32.43/init/main.c linux-2.6.32.43/init/main.c
61963 --- linux-2.6.32.43/init/main.c 2011-05-10 22:12:01.000000000 -0400
61964 +++ linux-2.6.32.43/init/main.c 2011-08-05 20:33:55.000000000 -0400
61965 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
61966 #ifdef CONFIG_TC
61967 extern void tc_init(void);
61968 #endif
61969 +extern void grsecurity_init(void);
61970
61971 enum system_states system_state __read_mostly;
61972 EXPORT_SYMBOL(system_state);
61973 @@ -183,6 +184,49 @@ static int __init set_reset_devices(char
61974
61975 __setup("reset_devices", set_reset_devices);
61976
61977 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
61978 +extern char pax_enter_kernel_user[];
61979 +extern char pax_exit_kernel_user[];
61980 +extern pgdval_t clone_pgd_mask;
61981 +#endif
61982 +
61983 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
61984 +static int __init setup_pax_nouderef(char *str)
61985 +{
61986 +#ifdef CONFIG_X86_32
61987 + unsigned int cpu;
61988 + struct desc_struct *gdt;
61989 +
61990 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
61991 + gdt = get_cpu_gdt_table(cpu);
61992 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
61993 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
61994 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
61995 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
61996 + }
61997 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
61998 +#else
61999 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
62000 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
62001 + clone_pgd_mask = ~(pgdval_t)0UL;
62002 +#endif
62003 +
62004 + return 0;
62005 +}
62006 +early_param("pax_nouderef", setup_pax_nouderef);
62007 +#endif
62008 +
62009 +#ifdef CONFIG_PAX_SOFTMODE
62010 +int pax_softmode;
62011 +
62012 +static int __init setup_pax_softmode(char *str)
62013 +{
62014 + get_option(&str, &pax_softmode);
62015 + return 1;
62016 +}
62017 +__setup("pax_softmode=", setup_pax_softmode);
62018 +#endif
62019 +
62020 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
62021 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
62022 static const char *panic_later, *panic_param;
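Review bot: setup_pax_nouderef() turns UDEREF off without writing anything to the kernel log, so a boot with `pax_nouderef` on the command line looks the same in dmesg as a protected one. A line such as `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` would make the downgrade visible to whoever audits the boot log. The `0xc3` byte and the `type = 3` / `limit = 0xf` descriptor values would also benefit from a short comment saying what each stands for. In setup_pax_softmode() the result of `get_option()` is ignored, so a malformed `pax_softmode=` value is accepted silently.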
62023 @@ -705,52 +749,53 @@ int initcall_debug;
62024 core_param(initcall_debug, initcall_debug, bool, 0644);
62025
62026 static char msgbuf[64];
62027 -static struct boot_trace_call call;
62028 -static struct boot_trace_ret ret;
62029 +static struct boot_trace_call trace_call;
62030 +static struct boot_trace_ret trace_ret;
62031
62032 int do_one_initcall(initcall_t fn)
62033 {
62034 int count = preempt_count();
62035 ktime_t calltime, delta, rettime;
62036 + const char *msg1 = "", *msg2 = "";
62037
62038 if (initcall_debug) {
62039 - call.caller = task_pid_nr(current);
62040 - printk("calling %pF @ %i\n", fn, call.caller);
62041 + trace_call.caller = task_pid_nr(current);
62042 + printk("calling %pF @ %i\n", fn, trace_call.caller);
62043 calltime = ktime_get();
62044 - trace_boot_call(&call, fn);
62045 + trace_boot_call(&trace_call, fn);
62046 enable_boot_trace();
62047 }
62048
62049 - ret.result = fn();
62050 + trace_ret.result = fn();
62051
62052 if (initcall_debug) {
62053 disable_boot_trace();
62054 rettime = ktime_get();
62055 delta = ktime_sub(rettime, calltime);
62056 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
62057 - trace_boot_ret(&ret, fn);
62058 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
62059 + trace_boot_ret(&trace_ret, fn);
62060 printk("initcall %pF returned %d after %Ld usecs\n", fn,
62061 - ret.result, ret.duration);
62062 + trace_ret.result, trace_ret.duration);
62063 }
62064
62065 msgbuf[0] = 0;
62066
62067 - if (ret.result && ret.result != -ENODEV && initcall_debug)
62068 - sprintf(msgbuf, "error code %d ", ret.result);
62069 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
62070 + sprintf(msgbuf, "error code %d ", trace_ret.result);
62071
62072 if (preempt_count() != count) {
62073 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
62074 + msg1 = " preemption imbalance";
62075 preempt_count() = count;
62076 }
62077 if (irqs_disabled()) {
62078 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
62079 + msg2 = " disabled interrupts";
62080 local_irq_enable();
62081 }
62082 - if (msgbuf[0]) {
62083 - printk("initcall %pF returned with %s\n", fn, msgbuf);
62084 + if (msgbuf[0] || *msg1 || *msg2) {
62085 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
62086 }
62087
62088 - return ret.result;
62089 + return trace_ret.result;
62090 }
62091
62092
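Review bot: The new `msg1`/`msg2` strings start with a space, while the format string already ends `with ` in a space and `msgbuf` still ends in one (`"error code %d "`), so the first flag printed is always preceded by a double space. Keeping the original trailing-space form, `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`, restores the previous output. The remaining `sprintf(msgbuf, ...)` could become `snprintf(msgbuf, sizeof(msgbuf), "error code %d ", trace_ret.result);` so the bound on the 64-byte buffer is explicit.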
62093 @@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
62094 if (!ramdisk_execute_command)
62095 ramdisk_execute_command = "/init";
62096
62097 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
62098 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
62099 ramdisk_execute_command = NULL;
62100 prepare_namespace();
62101 }
62102
62103 + grsecurity_init();
62104 +
62105 /*
62106 * Ok, we have completed the initial bootup, and
62107 * we're essentially up and running. Get rid of the
62108 diff -urNp linux-2.6.32.43/init/noinitramfs.c linux-2.6.32.43/init/noinitramfs.c
62109 --- linux-2.6.32.43/init/noinitramfs.c 2011-03-27 14:31:47.000000000 -0400
62110 +++ linux-2.6.32.43/init/noinitramfs.c 2011-04-17 15:56:46.000000000 -0400
62111 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
62112 {
62113 int err;
62114
62115 - err = sys_mkdir("/dev", 0755);
62116 + err = sys_mkdir((const char __user *)"/dev", 0755);
62117 if (err < 0)
62118 goto out;
62119
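Review bot: The casts added here, `(const char __user *)"/dev"` and in the next hunk `(const char __user *)"/root"`, omit `__force`, unlike the other kernel-string-to-`__user` casts in this patch (for example `(__force const char __user *)"/old"` in init/do_mounts_initrd.c). Whether sparse flags the bare cast depends on its warning options, but the two styles should not be mixed. Suggested: `err = sys_mkdir((__force const char __user *)"/dev", 0755);` and likewise for `"/root"`. default_rootfs continues outside both hunks.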
62120 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
62121 if (err < 0)
62122 goto out;
62123
62124 - err = sys_mkdir("/root", 0700);
62125 + err = sys_mkdir((const char __user *)"/root", 0700);
62126 if (err < 0)
62127 goto out;
62128
62129 diff -urNp linux-2.6.32.43/ipc/mqueue.c linux-2.6.32.43/ipc/mqueue.c
62130 --- linux-2.6.32.43/ipc/mqueue.c 2011-03-27 14:31:47.000000000 -0400
62131 +++ linux-2.6.32.43/ipc/mqueue.c 2011-04-17 15:56:46.000000000 -0400
62132 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
62133 mq_bytes = (mq_msg_tblsz +
62134 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
62135
62136 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
62137 spin_lock(&mq_lock);
62138 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
62139 u->mq_bytes + mq_bytes >
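Review bot: `gr_learn_resource()` is passed `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap check on the following lines, so the learned value can be stale or can already have overflowed. If the helper is safe to call in atomic context (not visible here), moving the call below `spin_lock(&mq_lock);` and after the overflow test would record the same number the limit check uses. Otherwise a comment such as `/* unlocked read: value is advisory for learning only */` would tell the next reader the race is intentional. mqueue_get_inode starts and ends outside the hunk.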
62140 diff -urNp linux-2.6.32.43/ipc/msg.c linux-2.6.32.43/ipc/msg.c
62141 --- linux-2.6.32.43/ipc/msg.c 2011-03-27 14:31:47.000000000 -0400
62142 +++ linux-2.6.32.43/ipc/msg.c 2011-08-05 20:33:55.000000000 -0400
62143 @@ -310,18 +310,19 @@ static inline int msg_security(struct ke
62144 return security_msg_queue_associate(msq, msgflg);
62145 }
62146
62147 +static struct ipc_ops msg_ops = {
62148 + .getnew = newque,
62149 + .associate = msg_security,
62150 + .more_checks = NULL
62151 +};
62152 +
62153 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
62154 {
62155 struct ipc_namespace *ns;
62156 - struct ipc_ops msg_ops;
62157 struct ipc_params msg_params;
62158
62159 ns = current->nsproxy->ipc_ns;
62160
62161 - msg_ops.getnew = newque;
62162 - msg_ops.associate = msg_security;
62163 - msg_ops.more_checks = NULL;
62164 -
62165 msg_params.key = key;
62166 msg_params.flg = msgflg;
62167
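Review bot: `msg_ops` moves from the stack into writable static data, so its three function pointers now sit for the whole uptime in memory that can be modified. Declaring it `static const struct ipc_ops msg_ops` would place the table in read-only data. That requires the consumer of `&msg_ops` (outside this hunk) to accept a `const struct ipc_ops *`, which cannot be confirmed from here. The same applies to `sem_ops` in ipc/sem.c and `shm_ops` in ipc/shm.c.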
62168 diff -urNp linux-2.6.32.43/ipc/sem.c linux-2.6.32.43/ipc/sem.c
62169 --- linux-2.6.32.43/ipc/sem.c 2011-03-27 14:31:47.000000000 -0400
62170 +++ linux-2.6.32.43/ipc/sem.c 2011-08-05 20:33:55.000000000 -0400
62171 @@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
62172 return 0;
62173 }
62174
62175 +static struct ipc_ops sem_ops = {
62176 + .getnew = newary,
62177 + .associate = sem_security,
62178 + .more_checks = sem_more_checks
62179 +};
62180 +
62181 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
62182 {
62183 struct ipc_namespace *ns;
62184 - struct ipc_ops sem_ops;
62185 struct ipc_params sem_params;
62186
62187 ns = current->nsproxy->ipc_ns;
62188 @@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
62189 if (nsems < 0 || nsems > ns->sc_semmsl)
62190 return -EINVAL;
62191
62192 - sem_ops.getnew = newary;
62193 - sem_ops.associate = sem_security;
62194 - sem_ops.more_checks = sem_more_checks;
62195 -
62196 sem_params.key = key;
62197 sem_params.flg = semflg;
62198 sem_params.u.nsems = nsems;
62199 @@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
62200 ushort* sem_io = fast_sem_io;
62201 int nsems;
62202
62203 + pax_track_stack();
62204 +
62205 sma = sem_lock_check(ns, semid);
62206 if (IS_ERR(sma))
62207 return PTR_ERR(sma);
62208 @@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
62209 unsigned long jiffies_left = 0;
62210 struct ipc_namespace *ns;
62211
62212 + pax_track_stack();
62213 +
62214 ns = current->nsproxy->ipc_ns;
62215
62216 if (nsops < 1 || semid < 0)
62217 diff -urNp linux-2.6.32.43/ipc/shm.c linux-2.6.32.43/ipc/shm.c
62218 --- linux-2.6.32.43/ipc/shm.c 2011-03-27 14:31:47.000000000 -0400
62219 +++ linux-2.6.32.43/ipc/shm.c 2011-08-05 20:33:55.000000000 -0400
62220 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
62221 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
62222 #endif
62223
62224 +#ifdef CONFIG_GRKERNSEC
62225 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62226 + const time_t shm_createtime, const uid_t cuid,
62227 + const int shmid);
62228 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
62229 + const time_t shm_createtime);
62230 +#endif
62231 +
62232 void shm_init_ns(struct ipc_namespace *ns)
62233 {
62234 ns->shm_ctlmax = SHMMAX;
62235 @@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
62236 shp->shm_lprid = 0;
62237 shp->shm_atim = shp->shm_dtim = 0;
62238 shp->shm_ctim = get_seconds();
62239 +#ifdef CONFIG_GRKERNSEC
62240 + {
62241 + struct timespec timeval;
62242 + do_posix_clock_monotonic_gettime(&timeval);
62243 +
62244 + shp->shm_createtime = timeval.tv_sec;
62245 + }
62246 +#endif
62247 shp->shm_segsz = size;
62248 shp->shm_nattch = 0;
62249 shp->shm_file = file;
62250 @@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
62251 return 0;
62252 }
62253
62254 +static struct ipc_ops shm_ops = {
62255 + .getnew = newseg,
62256 + .associate = shm_security,
62257 + .more_checks = shm_more_checks
62258 +};
62259 +
62260 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
62261 {
62262 struct ipc_namespace *ns;
62263 - struct ipc_ops shm_ops;
62264 struct ipc_params shm_params;
62265
62266 ns = current->nsproxy->ipc_ns;
62267
62268 - shm_ops.getnew = newseg;
62269 - shm_ops.associate = shm_security;
62270 - shm_ops.more_checks = shm_more_checks;
62271 -
62272 shm_params.key = key;
62273 shm_params.flg = shmflg;
62274 shm_params.u.size = size;
62275 @@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
62276 if (err)
62277 goto out_unlock;
62278
62279 +#ifdef CONFIG_GRKERNSEC
62280 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
62281 + shp->shm_perm.cuid, shmid) ||
62282 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
62283 + err = -EACCES;
62284 + goto out_unlock;
62285 + }
62286 +#endif
62287 +
62288 path.dentry = dget(shp->shm_file->f_path.dentry);
62289 path.mnt = shp->shm_file->f_path.mnt;
62290 shp->shm_nattch++;
62291 +#ifdef CONFIG_GRKERNSEC
62292 + shp->shm_lapid = current->pid;
62293 +#endif
62294 size = i_size_read(path.dentry->d_inode);
62295 shm_unlock(shp);
62296
62297 diff -urNp linux-2.6.32.43/kernel/acct.c linux-2.6.32.43/kernel/acct.c
62298 --- linux-2.6.32.43/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
62299 +++ linux-2.6.32.43/kernel/acct.c 2011-04-17 15:56:46.000000000 -0400
62300 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
62301 */
62302 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
62303 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
62304 - file->f_op->write(file, (char *)&ac,
62305 + file->f_op->write(file, (__force char __user *)&ac,
62306 sizeof(acct_t), &file->f_pos);
62307 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
62308 set_fs(fs);
62309 diff -urNp linux-2.6.32.43/kernel/audit.c linux-2.6.32.43/kernel/audit.c
62310 --- linux-2.6.32.43/kernel/audit.c 2011-03-27 14:31:47.000000000 -0400
62311 +++ linux-2.6.32.43/kernel/audit.c 2011-05-04 17:56:28.000000000 -0400
62312 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
62313 3) suppressed due to audit_rate_limit
62314 4) suppressed due to audit_backlog_limit
62315 */
62316 -static atomic_t audit_lost = ATOMIC_INIT(0);
62317 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
62318
62319 /* The netlink socket. */
62320 static struct sock *audit_sock;
62321 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
62322 unsigned long now;
62323 int print;
62324
62325 - atomic_inc(&audit_lost);
62326 + atomic_inc_unchecked(&audit_lost);
62327
62328 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
62329
62330 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
62331 printk(KERN_WARNING
62332 "audit: audit_lost=%d audit_rate_limit=%d "
62333 "audit_backlog_limit=%d\n",
62334 - atomic_read(&audit_lost),
62335 + atomic_read_unchecked(&audit_lost),
62336 audit_rate_limit,
62337 audit_backlog_limit);
62338 audit_panic(message);
62339 @@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
62340 status_set.pid = audit_pid;
62341 status_set.rate_limit = audit_rate_limit;
62342 status_set.backlog_limit = audit_backlog_limit;
62343 - status_set.lost = atomic_read(&audit_lost);
62344 + status_set.lost = atomic_read_unchecked(&audit_lost);
62345 status_set.backlog = skb_queue_len(&audit_skb_queue);
62346 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
62347 &status_set, sizeof(status_set));
62348 @@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
62349 spin_unlock_irq(&tsk->sighand->siglock);
62350 }
62351 read_unlock(&tasklist_lock);
62352 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
62353 - &s, sizeof(s));
62354 +
62355 + if (!err)
62356 + audit_send_reply(NETLINK_CB(skb).pid, seq,
62357 + AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
62358 break;
62359 }
62360 case AUDIT_TTY_SET: {
62361 diff -urNp linux-2.6.32.43/kernel/auditsc.c linux-2.6.32.43/kernel/auditsc.c
62362 --- linux-2.6.32.43/kernel/auditsc.c 2011-03-27 14:31:47.000000000 -0400
62363 +++ linux-2.6.32.43/kernel/auditsc.c 2011-05-04 17:56:28.000000000 -0400
62364 @@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
62365 }
62366
62367 /* global counter which is incremented every time something logs in */
62368 -static atomic_t session_id = ATOMIC_INIT(0);
62369 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
62370
62371 /**
62372 * audit_set_loginuid - set a task's audit_context loginuid
62373 @@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
62374 */
62375 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
62376 {
62377 - unsigned int sessionid = atomic_inc_return(&session_id);
62378 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
62379 struct audit_context *context = task->audit_context;
62380
62381 if (context && context->in_syscall) {
62382 diff -urNp linux-2.6.32.43/kernel/capability.c linux-2.6.32.43/kernel/capability.c
62383 --- linux-2.6.32.43/kernel/capability.c 2011-03-27 14:31:47.000000000 -0400
62384 +++ linux-2.6.32.43/kernel/capability.c 2011-04-17 15:56:46.000000000 -0400
62385 @@ -305,10 +305,26 @@ int capable(int cap)
62386 BUG();
62387 }
62388
62389 - if (security_capable(cap) == 0) {
62390 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
62391 current->flags |= PF_SUPERPRIV;
62392 return 1;
62393 }
62394 return 0;
62395 }
62396 +
62397 +int capable_nolog(int cap)
62398 +{
62399 + if (unlikely(!cap_valid(cap))) {
62400 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
62401 + BUG();
62402 + }
62403 +
62404 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
62405 + current->flags |= PF_SUPERPRIV;
62406 + return 1;
62407 + }
62408 + return 0;
62409 +}
62410 +
62411 EXPORT_SYMBOL(capable);
62412 +EXPORT_SYMBOL(capable_nolog);
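Review bot: The diagnostic in capable_nolog() still says `capable() called with invalid cap`, so a BUG raised from the new function points the reader at the wrong caller; it should read `printk(KERN_CRIT "capable_nolog() called with invalid cap=%u\n", cap);`. The two functions are otherwise line-for-line copies that differ only in the `gr_is_capable()` / `gr_is_capable_nolog()` call, so a shared static helper taking that choice as an argument would keep the validity check and the `PF_SUPERPRIV` update in one place. A short comment above capable_nolog() saying when callers should prefer it over capable() is also missing.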
62413 diff -urNp linux-2.6.32.43/kernel/cgroup.c linux-2.6.32.43/kernel/cgroup.c
62414 --- linux-2.6.32.43/kernel/cgroup.c 2011-03-27 14:31:47.000000000 -0400
62415 +++ linux-2.6.32.43/kernel/cgroup.c 2011-05-16 21:46:57.000000000 -0400
62416 @@ -536,6 +536,8 @@ static struct css_set *find_css_set(
62417 struct hlist_head *hhead;
62418 struct cg_cgroup_link *link;
62419
62420 + pax_track_stack();
62421 +
62422 /* First see if we already have a cgroup group that matches
62423 * the desired set */
62424 read_lock(&css_set_lock);
62425 diff -urNp linux-2.6.32.43/kernel/configs.c linux-2.6.32.43/kernel/configs.c
62426 --- linux-2.6.32.43/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
62427 +++ linux-2.6.32.43/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
62428 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
62429 struct proc_dir_entry *entry;
62430
62431 /* create the current config file */
62432 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
62433 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
62434 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
62435 + &ikconfig_file_ops);
62436 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62437 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
62438 + &ikconfig_file_ops);
62439 +#endif
62440 +#else
62441 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
62442 &ikconfig_file_ops);
62443 +#endif
62444 +
62445 if (!entry)
62446 return -ENOMEM;
62447
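Review bot: `entry` is never assigned when CONFIG_GRKERNSEC_PROC_ADD is set but none of CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_HIDESYM or CONFIG_GRKERNSEC_PROC_USERGROUP is, because the inner `#if`/`#elif` has no `#else`; `if (!entry)` then tests an uninitialised pointer. Kconfig dependencies (not visible in this hunk) may rule that combination out, but the code should not depend on it. Adding an inner `#else` that falls back to the owner-only `S_IFREG | S_IRUSR` call keeps the most restrictive mode as the default. ikconfig_init continues outside the hunk.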
62448 diff -urNp linux-2.6.32.43/kernel/cpu.c linux-2.6.32.43/kernel/cpu.c
62449 --- linux-2.6.32.43/kernel/cpu.c 2011-03-27 14:31:47.000000000 -0400
62450 +++ linux-2.6.32.43/kernel/cpu.c 2011-04-17 15:56:46.000000000 -0400
62451 @@ -19,7 +19,7 @@
62452 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
62453 static DEFINE_MUTEX(cpu_add_remove_lock);
62454
62455 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
62456 +static RAW_NOTIFIER_HEAD(cpu_chain);
62457
62458 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
62459 * Should always be manipulated under cpu_add_remove_lock
62460 diff -urNp linux-2.6.32.43/kernel/cred.c linux-2.6.32.43/kernel/cred.c
62461 --- linux-2.6.32.43/kernel/cred.c 2011-03-27 14:31:47.000000000 -0400
62462 +++ linux-2.6.32.43/kernel/cred.c 2011-05-17 19:26:34.000000000 -0400
62463 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
62464 */
62465 void __put_cred(struct cred *cred)
62466 {
62467 + pax_track_stack();
62468 +
62469 kdebug("__put_cred(%p{%d,%d})", cred,
62470 atomic_read(&cred->usage),
62471 read_cred_subscribers(cred));
62472 @@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
62473 {
62474 struct cred *cred;
62475
62476 + pax_track_stack();
62477 +
62478 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
62479 atomic_read(&tsk->cred->usage),
62480 read_cred_subscribers(tsk->cred));
62481 @@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
62482 {
62483 const struct cred *cred;
62484
62485 + pax_track_stack();
62486 +
62487 rcu_read_lock();
62488
62489 do {
62490 @@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
62491 {
62492 struct cred *new;
62493
62494 + pax_track_stack();
62495 +
62496 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
62497 if (!new)
62498 return NULL;
62499 @@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
62500 const struct cred *old;
62501 struct cred *new;
62502
62503 + pax_track_stack();
62504 +
62505 validate_process_creds();
62506
62507 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62508 @@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
62509 struct thread_group_cred *tgcred = NULL;
62510 struct cred *new;
62511
62512 + pax_track_stack();
62513 +
62514 #ifdef CONFIG_KEYS
62515 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
62516 if (!tgcred)
62517 @@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
62518 struct cred *new;
62519 int ret;
62520
62521 + pax_track_stack();
62522 +
62523 mutex_init(&p->cred_guard_mutex);
62524
62525 if (
62526 @@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
62527 struct task_struct *task = current;
62528 const struct cred *old = task->real_cred;
62529
62530 + pax_track_stack();
62531 +
62532 kdebug("commit_creds(%p{%d,%d})", new,
62533 atomic_read(&new->usage),
62534 read_cred_subscribers(new));
62535 @@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
62536
62537 get_cred(new); /* we will require a ref for the subj creds too */
62538
62539 + gr_set_role_label(task, new->uid, new->gid);
62540 +
62541 /* dumpability changes */
62542 if (old->euid != new->euid ||
62543 old->egid != new->egid ||
62544 @@ -606,6 +624,8 @@ EXPORT_SYMBOL(commit_creds);
62545 */
62546 void abort_creds(struct cred *new)
62547 {
62548 + pax_track_stack();
62549 +
62550 kdebug("abort_creds(%p{%d,%d})", new,
62551 atomic_read(&new->usage),
62552 read_cred_subscribers(new));
62553 @@ -629,6 +649,8 @@ const struct cred *override_creds(const
62554 {
62555 const struct cred *old = current->cred;
62556
62557 + pax_track_stack();
62558 +
62559 kdebug("override_creds(%p{%d,%d})", new,
62560 atomic_read(&new->usage),
62561 read_cred_subscribers(new));
62562 @@ -658,6 +680,8 @@ void revert_creds(const struct cred *old
62563 {
62564 const struct cred *override = current->cred;
62565
62566 + pax_track_stack();
62567 +
62568 kdebug("revert_creds(%p{%d,%d})", old,
62569 atomic_read(&old->usage),
62570 read_cred_subscribers(old));
62571 @@ -704,6 +728,8 @@ struct cred *prepare_kernel_cred(struct
62572 const struct cred *old;
62573 struct cred *new;
62574
62575 + pax_track_stack();
62576 +
62577 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
62578 if (!new)
62579 return NULL;
62580 @@ -758,6 +784,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
62581 */
62582 int set_security_override(struct cred *new, u32 secid)
62583 {
62584 + pax_track_stack();
62585 +
62586 return security_kernel_act_as(new, secid);
62587 }
62588 EXPORT_SYMBOL(set_security_override);
62589 @@ -777,6 +805,8 @@ int set_security_override_from_ctx(struc
62590 u32 secid;
62591 int ret;
62592
62593 + pax_track_stack();
62594 +
62595 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
62596 if (ret < 0)
62597 return ret;
62598 diff -urNp linux-2.6.32.43/kernel/exit.c linux-2.6.32.43/kernel/exit.c
62599 --- linux-2.6.32.43/kernel/exit.c 2011-03-27 14:31:47.000000000 -0400
62600 +++ linux-2.6.32.43/kernel/exit.c 2011-04-17 15:56:46.000000000 -0400
62601 @@ -55,6 +55,10 @@
62602 #include <asm/pgtable.h>
62603 #include <asm/mmu_context.h>
62604
62605 +#ifdef CONFIG_GRKERNSEC
62606 +extern rwlock_t grsec_exec_file_lock;
62607 +#endif
62608 +
62609 static void exit_mm(struct task_struct * tsk);
62610
62611 static void __unhash_process(struct task_struct *p)
62612 @@ -174,6 +178,8 @@ void release_task(struct task_struct * p
62613 struct task_struct *leader;
62614 int zap_leader;
62615 repeat:
62616 + gr_del_task_from_ip_table(p);
62617 +
62618 tracehook_prepare_release_task(p);
62619 /* don't need to get the RCU readlock here - the process is dead and
62620 * can't be modifying its own credentials */
62621 @@ -341,11 +347,22 @@ static void reparent_to_kthreadd(void)
62622 {
62623 write_lock_irq(&tasklist_lock);
62624
62625 +#ifdef CONFIG_GRKERNSEC
62626 + write_lock(&grsec_exec_file_lock);
62627 + if (current->exec_file) {
62628 + fput(current->exec_file);
62629 + current->exec_file = NULL;
62630 + }
62631 + write_unlock(&grsec_exec_file_lock);
62632 +#endif
62633 +
62634 ptrace_unlink(current);
62635 /* Reparent to init */
62636 current->real_parent = current->parent = kthreadd_task;
62637 list_move_tail(&current->sibling, &current->real_parent->children);
62638
62639 + gr_set_kernel_label(current);
62640 +
62641 /* Set the exit signal to SIGCHLD so we signal init on exit */
62642 current->exit_signal = SIGCHLD;
62643
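Review bot: `fput(current->exec_file)` is called while `tasklist_lock` is write-held with interrupts off and `grsec_exec_file_lock` is also held; if this drops the last reference, the final release path may sleep, which is not allowed in that context. Detaching the pointer under `grsec_exec_file_lock` and calling `fput()` after all locks are released avoids this. Whether `grsec_exec_file_lock` has to nest inside `tasklist_lock` is not visible from this hunk, so the ordering below needs confirming. The same block is added to daemonize() in a later hunk of this file, where `fput()` likewise runs under the rwlock.

```c
static void reparent_to_kthreadd(void)
{
#ifdef CONFIG_GRKERNSEC
	struct file *exec_file;

	/* detach under the lock, drop the reference outside it */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
#endif

	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label, exit_signal … */
```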
62644 @@ -397,7 +414,7 @@ int allow_signal(int sig)
62645 * know it'll be handled, so that they don't get converted to
62646 * SIGKILL or just silently dropped.
62647 */
62648 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
62649 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
62650 recalc_sigpending();
62651 spin_unlock_irq(&current->sighand->siglock);
62652 return 0;
62653 @@ -433,6 +450,17 @@ void daemonize(const char *name, ...)
62654 vsnprintf(current->comm, sizeof(current->comm), name, args);
62655 va_end(args);
62656
62657 +#ifdef CONFIG_GRKERNSEC
62658 + write_lock(&grsec_exec_file_lock);
62659 + if (current->exec_file) {
62660 + fput(current->exec_file);
62661 + current->exec_file = NULL;
62662 + }
62663 + write_unlock(&grsec_exec_file_lock);
62664 +#endif
62665 +
62666 + gr_set_kernel_label(current);
62667 +
62668 /*
62669 * If we were started as result of loading a module, close all of the
62670 * user space pages. We don't need them, and if we didn't close them
62671 @@ -897,17 +925,17 @@ NORET_TYPE void do_exit(long code)
62672 struct task_struct *tsk = current;
62673 int group_dead;
62674
62675 - profile_task_exit(tsk);
62676 -
62677 - WARN_ON(atomic_read(&tsk->fs_excl));
62678 -
62679 + /*
62680 + * Check this first since set_fs() below depends on
62681 + * current_thread_info(), which we better not access when we're in
62682 + * interrupt context. Other than that, we want to do the set_fs()
62683 + * as early as possible.
62684 + */
62685 if (unlikely(in_interrupt()))
62686 panic("Aiee, killing interrupt handler!");
62687 - if (unlikely(!tsk->pid))
62688 - panic("Attempted to kill the idle task!");
62689
62690 /*
62691 - * If do_exit is called because this processes oopsed, it's possible
62692 + * If do_exit is called because this processes Oops'ed, it's possible
62693 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
62694 * continuing. Amongst other possible reasons, this is to prevent
62695 * mm_release()->clear_child_tid() from writing to a user-controlled
62696 @@ -915,6 +943,13 @@ NORET_TYPE void do_exit(long code)
62697 */
62698 set_fs(USER_DS);
62699
62700 + profile_task_exit(tsk);
62701 +
62702 + WARN_ON(atomic_read(&tsk->fs_excl));
62703 +
62704 + if (unlikely(!tsk->pid))
62705 + panic("Attempted to kill the idle task!");
62706 +
62707 tracehook_report_exit(&code);
62708
62709 validate_creds_for_do_exit(tsk);
62710 @@ -973,6 +1008,9 @@ NORET_TYPE void do_exit(long code)
62711 tsk->exit_code = code;
62712 taskstats_exit(tsk, group_dead);
62713
62714 + gr_acl_handle_psacct(tsk, code);
62715 + gr_acl_handle_exit();
62716 +
62717 exit_mm(tsk);
62718
62719 if (group_dead)
62720 @@ -1188,7 +1226,7 @@ static int wait_task_zombie(struct wait_
62721
62722 if (unlikely(wo->wo_flags & WNOWAIT)) {
62723 int exit_code = p->exit_code;
62724 - int why, status;
62725 + int why;
62726
62727 get_task_struct(p);
62728 read_unlock(&tasklist_lock);
62729 diff -urNp linux-2.6.32.43/kernel/fork.c linux-2.6.32.43/kernel/fork.c
62730 --- linux-2.6.32.43/kernel/fork.c 2011-03-27 14:31:47.000000000 -0400
62731 +++ linux-2.6.32.43/kernel/fork.c 2011-04-17 15:56:46.000000000 -0400
62732 @@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
62733 *stackend = STACK_END_MAGIC; /* for overflow detection */
62734
62735 #ifdef CONFIG_CC_STACKPROTECTOR
62736 - tsk->stack_canary = get_random_int();
62737 + tsk->stack_canary = pax_get_random_long();
62738 #endif
62739
62740 /* One for us, one for whoever does the "release_task()" (usually parent) */
62741 @@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
62742 mm->locked_vm = 0;
62743 mm->mmap = NULL;
62744 mm->mmap_cache = NULL;
62745 - mm->free_area_cache = oldmm->mmap_base;
62746 - mm->cached_hole_size = ~0UL;
62747 + mm->free_area_cache = oldmm->free_area_cache;
62748 + mm->cached_hole_size = oldmm->cached_hole_size;
62749 mm->map_count = 0;
62750 cpumask_clear(mm_cpumask(mm));
62751 mm->mm_rb = RB_ROOT;
62752 @@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
62753 tmp->vm_flags &= ~VM_LOCKED;
62754 tmp->vm_mm = mm;
62755 tmp->vm_next = tmp->vm_prev = NULL;
62756 + tmp->vm_mirror = NULL;
62757 anon_vma_link(tmp);
62758 file = tmp->vm_file;
62759 if (file) {
62760 @@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
62761 if (retval)
62762 goto out;
62763 }
62764 +
62765 +#ifdef CONFIG_PAX_SEGMEXEC
62766 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
62767 + struct vm_area_struct *mpnt_m;
62768 +
62769 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
62770 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
62771 +
62772 + if (!mpnt->vm_mirror)
62773 + continue;
62774 +
62775 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
62776 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
62777 + mpnt->vm_mirror = mpnt_m;
62778 + } else {
62779 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
62780 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
62781 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
62782 + mpnt->vm_mirror->vm_mirror = mpnt;
62783 + }
62784 + }
62785 + BUG_ON(mpnt_m);
62786 + }
62787 +#endif
62788 +
62789 /* a new mm has just been created */
62790 arch_dup_mmap(oldmm, mm);
62791 retval = 0;
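Review bot: The SEGMEXEC fix-up loop advances `mpnt` and `mpnt_m` in lock-step and relies on `BUG_ON` to catch a mismatch, so it is only safe if the copy loop earlier in dup_mmap (outside this hunk) produced exactly one child VMA per parent VMA. If that loop can skip a parent VMA (for example one flagged `VM_DONTCOPY`), the two lists drift apart and a mapping layout chosen by userspace would end in a kernel BUG. This is worth confirming and, if so, the same VMAs should be skipped here before the `BUG_ON`. The loop also temporarily points the parent's lower-half `vm_mirror` at the child VMA and restores it in the `else` branch, which deserves a comment such as `/* borrow the parent's mirror link to reach the child's lower VMA; restored when the upper half is visited */`.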
62792 @@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
62793 write_unlock(&fs->lock);
62794 return -EAGAIN;
62795 }
62796 - fs->users++;
62797 + atomic_inc(&fs->users);
62798 write_unlock(&fs->lock);
62799 return 0;
62800 }
62801 tsk->fs = copy_fs_struct(fs);
62802 if (!tsk->fs)
62803 return -ENOMEM;
62804 + gr_set_chroot_entries(tsk, &tsk->fs->root);
62805 return 0;
62806 }
62807
62808 @@ -1033,10 +1060,13 @@ static struct task_struct *copy_process(
62809 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
62810 #endif
62811 retval = -EAGAIN;
62812 +
62813 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
62814 +
62815 if (atomic_read(&p->real_cred->user->processes) >=
62816 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
62817 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
62818 - p->real_cred->user != INIT_USER)
62819 + if (p->real_cred->user != INIT_USER &&
62820 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
62821 goto bad_fork_free;
62822 }
62823
62824 @@ -1183,6 +1213,8 @@ static struct task_struct *copy_process(
62825 goto bad_fork_free_pid;
62826 }
62827
62828 + gr_copy_label(p);
62829 +
62830 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
62831 /*
62832 * Clear TID on mm_release()?
62833 @@ -1333,6 +1365,8 @@ bad_fork_cleanup_count:
62834 bad_fork_free:
62835 free_task(p);
62836 fork_out:
62837 + gr_log_forkfail(retval);
62838 +
62839 return ERR_PTR(retval);
62840 }
62841
62842 @@ -1426,6 +1460,8 @@ long do_fork(unsigned long clone_flags,
62843 if (clone_flags & CLONE_PARENT_SETTID)
62844 put_user(nr, parent_tidptr);
62845
62846 + gr_handle_brute_check();
62847 +
62848 if (clone_flags & CLONE_VFORK) {
62849 p->vfork_done = &vfork;
62850 init_completion(&vfork);
62851 @@ -1558,7 +1594,7 @@ static int unshare_fs(unsigned long unsh
62852 return 0;
62853
62854 /* don't need lock here; in the worst case we'll do useless copy */
62855 - if (fs->users == 1)
62856 + if (atomic_read(&fs->users) == 1)
62857 return 0;
62858
62859 *new_fsp = copy_fs_struct(fs);
62860 @@ -1681,7 +1717,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
62861 fs = current->fs;
62862 write_lock(&fs->lock);
62863 current->fs = new_fs;
62864 - if (--fs->users)
62865 + gr_set_chroot_entries(current, &current->fs->root);
62866 + if (atomic_dec_return(&fs->users))
62867 new_fs = NULL;
62868 else
62869 new_fs = fs;
62870 diff -urNp linux-2.6.32.43/kernel/futex.c linux-2.6.32.43/kernel/futex.c
62871 --- linux-2.6.32.43/kernel/futex.c 2011-03-27 14:31:47.000000000 -0400
62872 +++ linux-2.6.32.43/kernel/futex.c 2011-05-16 21:46:57.000000000 -0400
62873 @@ -54,6 +54,7 @@
62874 #include <linux/mount.h>
62875 #include <linux/pagemap.h>
62876 #include <linux/syscalls.h>
62877 +#include <linux/ptrace.h>
62878 #include <linux/signal.h>
62879 #include <linux/module.h>
62880 #include <linux/magic.h>
62881 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
62882 struct page *page;
62883 int err;
62884
62885 +#ifdef CONFIG_PAX_SEGMEXEC
62886 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
62887 + return -EFAULT;
62888 +#endif
62889 +
62890 /*
62891 * The futex address must be "naturally" aligned.
62892 */
62893 @@ -1789,6 +1795,8 @@ static int futex_wait(u32 __user *uaddr,
62894 struct futex_q q;
62895 int ret;
62896
62897 + pax_track_stack();
62898 +
62899 if (!bitset)
62900 return -EINVAL;
62901
62902 @@ -1841,7 +1849,7 @@ retry:
62903
62904 restart = &current_thread_info()->restart_block;
62905 restart->fn = futex_wait_restart;
62906 - restart->futex.uaddr = (u32 *)uaddr;
62907 + restart->futex.uaddr = uaddr;
62908 restart->futex.val = val;
62909 restart->futex.time = abs_time->tv64;
62910 restart->futex.bitset = bitset;
62911 @@ -2203,6 +2211,8 @@ static int futex_wait_requeue_pi(u32 __u
62912 struct futex_q q;
62913 int res, ret;
62914
62915 + pax_track_stack();
62916 +
62917 if (!bitset)
62918 return -EINVAL;
62919
62920 @@ -2377,7 +2387,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
62921 {
62922 struct robust_list_head __user *head;
62923 unsigned long ret;
62924 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
62925 const struct cred *cred = current_cred(), *pcred;
62926 +#endif
62927
62928 if (!futex_cmpxchg_enabled)
62929 return -ENOSYS;
62930 @@ -2393,11 +2405,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
62931 if (!p)
62932 goto err_unlock;
62933 ret = -EPERM;
62934 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
62935 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
62936 + goto err_unlock;
62937 +#else
62938 pcred = __task_cred(p);
62939 if (cred->euid != pcred->euid &&
62940 cred->euid != pcred->uid &&
62941 !capable(CAP_SYS_PTRACE))
62942 goto err_unlock;
62943 +#endif
62944 head = p->robust_list;
62945 rcu_read_unlock();
62946 }
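Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` branch has no comment explaining why it replaces the euid comparison, and tying it to `CONFIG_GRKERNSEC_PROC_MEMMAP` is not self-explanatory at this call site. A one-line comment above the `#ifdef` would help, e.g. `/* robust_list is an address inside p; require ptrace read access before disclosing it */`. The same pattern is added to compat_sys_get_robust_list in kernel/futex_compat.c and needs the same comment. The `#else` branch still admits any caller whose euid matches the target's uid or euid, so the stricter check applies only when that option is set. The function body continues outside the hunk.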
62947 @@ -2459,7 +2476,7 @@ retry:
62948 */
62949 static inline int fetch_robust_entry(struct robust_list __user **entry,
62950 struct robust_list __user * __user *head,
62951 - int *pi)
62952 + unsigned int *pi)
62953 {
62954 unsigned long uentry;
62955
62956 @@ -2640,6 +2657,7 @@ static int __init futex_init(void)
62957 {
62958 u32 curval;
62959 int i;
62960 + mm_segment_t oldfs;
62961
62962 /*
62963 * This will fail and we want it. Some arch implementations do
62964 @@ -2651,7 +2669,10 @@ static int __init futex_init(void)
62965 * implementation, the non functional ones will return
62966 * -ENOSYS.
62967 */
62968 + oldfs = get_fs();
62969 + set_fs(USER_DS);
62970 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
62971 + set_fs(oldfs);
62972 if (curval == -EFAULT)
62973 futex_cmpxchg_enabled = 1;
62974
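Review bot: The added `set_fs(USER_DS)` / `set_fs(oldfs)` pair around the probe has no comment, and the existing comment above it only says the call is expected to fail. Presumably the switch is there so the NULL access is checked as a user pointer and returns -EFAULT whatever address limit is in force during init. If so, say it: `/* probe with USER_DS so the NULL access is treated as a user access */`. futex_init starts in the previous hunk and continues past this one.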
62975 diff -urNp linux-2.6.32.43/kernel/futex_compat.c linux-2.6.32.43/kernel/futex_compat.c
62976 --- linux-2.6.32.43/kernel/futex_compat.c 2011-03-27 14:31:47.000000000 -0400
62977 +++ linux-2.6.32.43/kernel/futex_compat.c 2011-04-17 15:56:46.000000000 -0400
62978 @@ -10,6 +10,7 @@
62979 #include <linux/compat.h>
62980 #include <linux/nsproxy.h>
62981 #include <linux/futex.h>
62982 +#include <linux/ptrace.h>
62983
62984 #include <asm/uaccess.h>
62985
62986 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
62987 {
62988 struct compat_robust_list_head __user *head;
62989 unsigned long ret;
62990 - const struct cred *cred = current_cred(), *pcred;
62991 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
62992 + const struct cred *cred = current_cred();
62993 + const struct cred *pcred;
62994 +#endif
62995
62996 if (!futex_cmpxchg_enabled)
62997 return -ENOSYS;
62998 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
62999 if (!p)
63000 goto err_unlock;
63001 ret = -EPERM;
63002 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
63003 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
63004 + goto err_unlock;
63005 +#else
63006 pcred = __task_cred(p);
63007 if (cred->euid != pcred->euid &&
63008 cred->euid != pcred->uid &&
63009 !capable(CAP_SYS_PTRACE))
63010 goto err_unlock;
63011 +#endif
63012 head = p->compat_robust_list;
63013 read_unlock(&tasklist_lock);
63014 }
63015 diff -urNp linux-2.6.32.43/kernel/gcov/base.c linux-2.6.32.43/kernel/gcov/base.c
63016 --- linux-2.6.32.43/kernel/gcov/base.c 2011-03-27 14:31:47.000000000 -0400
63017 +++ linux-2.6.32.43/kernel/gcov/base.c 2011-04-17 15:56:46.000000000 -0400
63018 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
63019 }
63020
63021 #ifdef CONFIG_MODULES
63022 -static inline int within(void *addr, void *start, unsigned long size)
63023 -{
63024 - return ((addr >= start) && (addr < start + size));
63025 -}
63026 -
63027 /* Update list and generate events when modules are unloaded. */
63028 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
63029 void *data)
63030 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
63031 prev = NULL;
63032 /* Remove entries located in module from linked list. */
63033 for (info = gcov_info_head; info; info = info->next) {
63034 - if (within(info, mod->module_core, mod->core_size)) {
63035 + if (within_module_core_rw((unsigned long)info, mod)) {
63036 if (prev)
63037 prev->next = info->next;
63038 else
63039 diff -urNp linux-2.6.32.43/kernel/hrtimer.c linux-2.6.32.43/kernel/hrtimer.c
63040 --- linux-2.6.32.43/kernel/hrtimer.c 2011-03-27 14:31:47.000000000 -0400
63041 +++ linux-2.6.32.43/kernel/hrtimer.c 2011-04-17 15:56:46.000000000 -0400
63042 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
63043 local_irq_restore(flags);
63044 }
63045
63046 -static void run_hrtimer_softirq(struct softirq_action *h)
63047 +static void run_hrtimer_softirq(void)
63048 {
63049 hrtimer_peek_ahead_timers();
63050 }
63051 diff -urNp linux-2.6.32.43/kernel/kallsyms.c linux-2.6.32.43/kernel/kallsyms.c
63052 --- linux-2.6.32.43/kernel/kallsyms.c 2011-03-27 14:31:47.000000000 -0400
63053 +++ linux-2.6.32.43/kernel/kallsyms.c 2011-04-17 15:56:46.000000000 -0400
63054 @@ -11,6 +11,9 @@
63055 * Changed the compression method from stem compression to "table lookup"
63056 * compression (see scripts/kallsyms.c for a more complete description)
63057 */
63058 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63059 +#define __INCLUDED_BY_HIDESYM 1
63060 +#endif
63061 #include <linux/kallsyms.h>
63062 #include <linux/module.h>
63063 #include <linux/init.h>
63064 @@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
63065
63066 static inline int is_kernel_inittext(unsigned long addr)
63067 {
63068 + if (system_state != SYSTEM_BOOTING)
63069 + return 0;
63070 +
63071 if (addr >= (unsigned long)_sinittext
63072 && addr <= (unsigned long)_einittext)
63073 return 1;
63074 return 0;
63075 }
63076
63077 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63078 +#ifdef CONFIG_MODULES
63079 +static inline int is_module_text(unsigned long addr)
63080 +{
63081 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
63082 + return 1;
63083 +
63084 + addr = ktla_ktva(addr);
63085 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
63086 +}
63087 +#else
63088 +static inline int is_module_text(unsigned long addr)
63089 +{
63090 + return 0;
63091 +}
63092 +#endif
63093 +#endif
63094 +
63095 static inline int is_kernel_text(unsigned long addr)
63096 {
63097 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
63098 @@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
63099
63100 static inline int is_kernel(unsigned long addr)
63101 {
63102 +
63103 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63104 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
63105 + return 1;
63106 +
63107 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
63108 +#else
63109 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
63110 +#endif
63111 +
63112 return 1;
63113 return in_gate_area_no_task(addr);
63114 }
63115
63116 static int is_ksym_addr(unsigned long addr)
63117 {
63118 +
63119 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
63120 + if (is_module_text(addr))
63121 + return 0;
63122 +#endif
63123 +
63124 if (all_var)
63125 return is_kernel(addr);
63126
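Review bot: In is_kernel() the `if` condition is selected by `#if`/`#else` while its body (`return 1;`) sits after the `#endif`, separated by a blank line, which is easy to misread and easy to break when either branch is edited. The two conditions also differ in their upper bound (`addr < (unsigned long)_end` under KERNEXEC, `addr <= (unsigned long)_end` otherwise) with no comment saying whether that is intended. Keeping each preprocessor branch a complete statement with its own `return 1;` would make this unambiguous. The blank lines added directly after the opening brace of is_kernel() and is_ksym_addr() can go as well.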
63127 @@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
63128
63129 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
63130 {
63131 - iter->name[0] = '\0';
63132 iter->nameoff = get_symbol_offset(new_pos);
63133 iter->pos = new_pos;
63134 }
63135 @@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
63136 {
63137 struct kallsym_iter *iter = m->private;
63138
63139 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63140 + if (current_uid())
63141 + return 0;
63142 +#endif
63143 +
63144 /* Some debugging symbols have no name. Ignore them. */
63145 if (!iter->name[0])
63146 return 0;
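Review bot: The HIDESYM check in s_show() tests `current_uid()` at read time, so it judges whichever task calls read() rather than the task that opened the file. A descriptor opened by one user and later read by another is therefore evaluated against the reader's uid. Deciding once in kallsyms_open() from the opener's credentials and recording the result in the iterator would tie the outcome to the open. Returning 0 here also gives non-root readers an empty file rather than an error, which is worth stating in a comment such as `/* non-root readers see an empty file */`. s_show's body continues outside the hunk.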
63147 @@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
63148 struct kallsym_iter *iter;
63149 int ret;
63150
63151 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
63152 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
63153 if (!iter)
63154 return -ENOMEM;
63155 reset_iter(iter, 0);
63156 diff -urNp linux-2.6.32.43/kernel/kgdb.c linux-2.6.32.43/kernel/kgdb.c
63157 --- linux-2.6.32.43/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
63158 +++ linux-2.6.32.43/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
63159 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
63160 /* Guard for recursive entry */
63161 static int exception_level;
63162
63163 -static struct kgdb_io *kgdb_io_ops;
63164 +static const struct kgdb_io *kgdb_io_ops;
63165 static DEFINE_SPINLOCK(kgdb_registration_lock);
63166
63167 /* kgdb console driver is loaded */
63168 @@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
63169 */
63170 static atomic_t passive_cpu_wait[NR_CPUS];
63171 static atomic_t cpu_in_kgdb[NR_CPUS];
63172 -atomic_t kgdb_setting_breakpoint;
63173 +atomic_unchecked_t kgdb_setting_breakpoint;
63174
63175 struct task_struct *kgdb_usethread;
63176 struct task_struct *kgdb_contthread;
63177 @@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
63178 sizeof(unsigned long)];
63179
63180 /* to keep track of the CPU which is doing the single stepping*/
63181 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
63182 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
63183
63184 /*
63185 * If you are debugging a problem where roundup (the collection of
63186 @@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
63187 return 0;
63188 if (kgdb_connected)
63189 return 1;
63190 - if (atomic_read(&kgdb_setting_breakpoint))
63191 + if (atomic_read_unchecked(&kgdb_setting_breakpoint))
63192 return 1;
63193 if (print_wait)
63194 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
63195 @@ -1426,8 +1426,8 @@ acquirelock:
63196 * instance of the exception handler wanted to come into the
63197 * debugger on a different CPU via a single step
63198 */
63199 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
63200 - atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
63201 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
63202 + atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
63203
63204 atomic_set(&kgdb_active, -1);
63205 touch_softlockup_watchdog();
63206 @@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
63207 *
63208 * Register it with the KGDB core.
63209 */
63210 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
63211 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
63212 {
63213 int err;
63214
63215 @@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
63216 *
63217 * Unregister it with the KGDB core.
63218 */
63219 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
63220 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
63221 {
63222 BUG_ON(kgdb_connected);
63223
63224 @@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
63225 */
63226 void kgdb_breakpoint(void)
63227 {
63228 - atomic_set(&kgdb_setting_breakpoint, 1);
63229 + atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
63230 wmb(); /* Sync point before breakpoint */
63231 arch_kgdb_breakpoint();
63232 wmb(); /* Sync point after breakpoint */
63233 - atomic_set(&kgdb_setting_breakpoint, 0);
63234 + atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
63235 }
63236 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
63237
63238 diff -urNp linux-2.6.32.43/kernel/kmod.c linux-2.6.32.43/kernel/kmod.c
63239 --- linux-2.6.32.43/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
63240 +++ linux-2.6.32.43/kernel/kmod.c 2011-04-17 15:56:46.000000000 -0400
63241 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
63242 * If module auto-loading support is disabled then this function
63243 * becomes a no-operation.
63244 */
63245 -int __request_module(bool wait, const char *fmt, ...)
63246 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
63247 {
63248 - va_list args;
63249 char module_name[MODULE_NAME_LEN];
63250 unsigned int max_modprobes;
63251 int ret;
63252 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
63253 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
63254 static char *envp[] = { "HOME=/",
63255 "TERM=linux",
63256 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
63257 @@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
63258 if (ret)
63259 return ret;
63260
63261 - va_start(args, fmt);
63262 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
63263 - va_end(args);
63264 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
63265 if (ret >= MODULE_NAME_LEN)
63266 return -ENAMETOOLONG;
63267
63268 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63269 + if (!current_uid()) {
63270 + /* hack to workaround consolekit/udisks stupidity */
63271 + read_lock(&tasklist_lock);
63272 + if (!strcmp(current->comm, "mount") &&
63273 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
63274 + read_unlock(&tasklist_lock);
63275 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
63276 + return -EPERM;
63277 + }
63278 + read_unlock(&tasklist_lock);
63279 + }
63280 +#endif
63281 +
63282 /* If modprobe needs a service that is in a module, we get a recursive
63283 * loop. Limit the number of running kmod threads to max_threads/2 or
63284 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
63285 @@ -121,6 +132,48 @@ int __request_module(bool wait, const ch
63286 atomic_dec(&kmod_concurrent);
63287 return ret;
63288 }
63289 +
63290 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
63291 +{
63292 + va_list args;
63293 + int ret;
63294 +
63295 + va_start(args, fmt);
63296 + ret = ____request_module(wait, module_param, fmt, args);
63297 + va_end(args);
63298 +
63299 + return ret;
63300 +}
63301 +
63302 +int __request_module(bool wait, const char *fmt, ...)
63303 +{
63304 + va_list args;
63305 + int ret;
63306 +
63307 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63308 + if (current_uid()) {
63309 + char module_param[MODULE_NAME_LEN];
63310 +
63311 + memset(module_param, 0, sizeof(module_param));
63312 +
63313 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
63314 +
63315 + va_start(args, fmt);
63316 + ret = ____request_module(wait, module_param, fmt, args);
63317 + va_end(args);
63318 +
63319 + return ret;
63320 + }
63321 +#endif
63322 +
63323 + va_start(args, fmt);
63324 + ret = ____request_module(wait, NULL, fmt, args);
63325 + va_end(args);
63326 +
63327 + return ret;
63328 +}
63329 +
63330 +
63331 EXPORT_SYMBOL(__request_module);
63332 #endif /* CONFIG_MODULES */
63333
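Review bot: The kernel-doc comment that used to describe `__request_module()` now sits directly above the static helper `____request_module()` (first kmod.c hunk), while the re-added `__request_module()` and the new `___request_module()` in this hunk have no documentation. The contract of `module_param` should be written down: it may be NULL, in which case argv ends one slot earlier, and otherwise it is passed to modprobe as an extra argument. Suggest moving the kernel-doc block down to `__request_module()` and adding a short comment on the helper, e.g. `/* module_param: optional extra modprobe argument, NULL for none */`. Three functions whose names differ only in underscore count are also easy to mix up at call sites.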
63334 diff -urNp linux-2.6.32.43/kernel/kprobes.c linux-2.6.32.43/kernel/kprobes.c
63335 --- linux-2.6.32.43/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
63336 +++ linux-2.6.32.43/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
63337 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
63338 * kernel image and loaded module images reside. This is required
63339 * so x86_64 can correctly handle the %rip-relative fixups.
63340 */
63341 - kip->insns = module_alloc(PAGE_SIZE);
63342 + kip->insns = module_alloc_exec(PAGE_SIZE);
63343 if (!kip->insns) {
63344 kfree(kip);
63345 return NULL;
63346 @@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
63347 */
63348 if (!list_is_singular(&kprobe_insn_pages)) {
63349 list_del(&kip->list);
63350 - module_free(NULL, kip->insns);
63351 + module_free_exec(NULL, kip->insns);
63352 kfree(kip);
63353 }
63354 return 1;
63355 @@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
63356 {
63357 int i, err = 0;
63358 unsigned long offset = 0, size = 0;
63359 - char *modname, namebuf[128];
63360 + char *modname, namebuf[KSYM_NAME_LEN];
63361 const char *symbol_name;
63362 void *addr;
63363 struct kprobe_blackpoint *kb;
63364 @@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
63365 const char *sym = NULL;
63366 unsigned int i = *(loff_t *) v;
63367 unsigned long offset = 0;
63368 - char *modname, namebuf[128];
63369 + char *modname, namebuf[KSYM_NAME_LEN];
63370
63371 head = &kprobe_table[i];
63372 preempt_disable();
63373 diff -urNp linux-2.6.32.43/kernel/lockdep.c linux-2.6.32.43/kernel/lockdep.c
63374 --- linux-2.6.32.43/kernel/lockdep.c 2011-06-25 12:55:35.000000000 -0400
63375 +++ linux-2.6.32.43/kernel/lockdep.c 2011-06-25 12:56:37.000000000 -0400
63376 @@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
63377 /*
63378 * Various lockdep statistics:
63379 */
63380 -atomic_t chain_lookup_hits;
63381 -atomic_t chain_lookup_misses;
63382 -atomic_t hardirqs_on_events;
63383 -atomic_t hardirqs_off_events;
63384 -atomic_t redundant_hardirqs_on;
63385 -atomic_t redundant_hardirqs_off;
63386 -atomic_t softirqs_on_events;
63387 -atomic_t softirqs_off_events;
63388 -atomic_t redundant_softirqs_on;
63389 -atomic_t redundant_softirqs_off;
63390 -atomic_t nr_unused_locks;
63391 -atomic_t nr_cyclic_checks;
63392 -atomic_t nr_find_usage_forwards_checks;
63393 -atomic_t nr_find_usage_backwards_checks;
63394 +atomic_unchecked_t chain_lookup_hits;
63395 +atomic_unchecked_t chain_lookup_misses;
63396 +atomic_unchecked_t hardirqs_on_events;
63397 +atomic_unchecked_t hardirqs_off_events;
63398 +atomic_unchecked_t redundant_hardirqs_on;
63399 +atomic_unchecked_t redundant_hardirqs_off;
63400 +atomic_unchecked_t softirqs_on_events;
63401 +atomic_unchecked_t softirqs_off_events;
63402 +atomic_unchecked_t redundant_softirqs_on;
63403 +atomic_unchecked_t redundant_softirqs_off;
63404 +atomic_unchecked_t nr_unused_locks;
63405 +atomic_unchecked_t nr_cyclic_checks;
63406 +atomic_unchecked_t nr_find_usage_forwards_checks;
63407 +atomic_unchecked_t nr_find_usage_backwards_checks;
63408 #endif
63409
63410 /*
63411 @@ -577,6 +577,10 @@ static int static_obj(void *obj)
63412 int i;
63413 #endif
63414
63415 +#ifdef CONFIG_PAX_KERNEXEC
63416 + start = ktla_ktva(start);
63417 +#endif
63418 +
63419 /*
63420 * static variable?
63421 */
63422 @@ -592,8 +596,7 @@ static int static_obj(void *obj)
63423 */
63424 for_each_possible_cpu(i) {
63425 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
63426 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
63427 - + per_cpu_offset(i);
63428 + end = start + PERCPU_ENOUGH_ROOM;
63429
63430 if ((addr >= start) && (addr < end))
63431 return 1;
63432 @@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
63433 if (!static_obj(lock->key)) {
63434 debug_locks_off();
63435 printk("INFO: trying to register non-static key.\n");
63436 + printk("lock:%pS key:%pS.\n", lock, lock->key);
63437 printk("the code is fine but needs lockdep annotation.\n");
63438 printk("turning off the locking correctness validator.\n");
63439 dump_stack();
63440 @@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
63441 if (!class)
63442 return 0;
63443 }
63444 - debug_atomic_inc((atomic_t *)&class->ops);
63445 + debug_atomic_inc((atomic_unchecked_t *)&class->ops);
63446 if (very_verbose(class)) {
63447 printk("\nacquire class [%p] %s", class->key, class->name);
63448 if (class->name_version > 1)
63449 diff -urNp linux-2.6.32.43/kernel/lockdep_internals.h linux-2.6.32.43/kernel/lockdep_internals.h
63450 --- linux-2.6.32.43/kernel/lockdep_internals.h 2011-03-27 14:31:47.000000000 -0400
63451 +++ linux-2.6.32.43/kernel/lockdep_internals.h 2011-04-17 15:56:46.000000000 -0400
63452 @@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
63453 /*
63454 * Various lockdep statistics:
63455 */
63456 -extern atomic_t chain_lookup_hits;
63457 -extern atomic_t chain_lookup_misses;
63458 -extern atomic_t hardirqs_on_events;
63459 -extern atomic_t hardirqs_off_events;
63460 -extern atomic_t redundant_hardirqs_on;
63461 -extern atomic_t redundant_hardirqs_off;
63462 -extern atomic_t softirqs_on_events;
63463 -extern atomic_t softirqs_off_events;
63464 -extern atomic_t redundant_softirqs_on;
63465 -extern atomic_t redundant_softirqs_off;
63466 -extern atomic_t nr_unused_locks;
63467 -extern atomic_t nr_cyclic_checks;
63468 -extern atomic_t nr_cyclic_check_recursions;
63469 -extern atomic_t nr_find_usage_forwards_checks;
63470 -extern atomic_t nr_find_usage_forwards_recursions;
63471 -extern atomic_t nr_find_usage_backwards_checks;
63472 -extern atomic_t nr_find_usage_backwards_recursions;
63473 -# define debug_atomic_inc(ptr) atomic_inc(ptr)
63474 -# define debug_atomic_dec(ptr) atomic_dec(ptr)
63475 -# define debug_atomic_read(ptr) atomic_read(ptr)
63476 +extern atomic_unchecked_t chain_lookup_hits;
63477 +extern atomic_unchecked_t chain_lookup_misses;
63478 +extern atomic_unchecked_t hardirqs_on_events;
63479 +extern atomic_unchecked_t hardirqs_off_events;
63480 +extern atomic_unchecked_t redundant_hardirqs_on;
63481 +extern atomic_unchecked_t redundant_hardirqs_off;
63482 +extern atomic_unchecked_t softirqs_on_events;
63483 +extern atomic_unchecked_t softirqs_off_events;
63484 +extern atomic_unchecked_t redundant_softirqs_on;
63485 +extern atomic_unchecked_t redundant_softirqs_off;
63486 +extern atomic_unchecked_t nr_unused_locks;
63487 +extern atomic_unchecked_t nr_cyclic_checks;
63488 +extern atomic_unchecked_t nr_cyclic_check_recursions;
63489 +extern atomic_unchecked_t nr_find_usage_forwards_checks;
63490 +extern atomic_unchecked_t nr_find_usage_forwards_recursions;
63491 +extern atomic_unchecked_t nr_find_usage_backwards_checks;
63492 +extern atomic_unchecked_t nr_find_usage_backwards_recursions;
63493 +# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
63494 +# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
63495 +# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
63496 #else
63497 # define debug_atomic_inc(ptr) do { } while (0)
63498 # define debug_atomic_dec(ptr) do { } while (0)
63499 diff -urNp linux-2.6.32.43/kernel/lockdep_proc.c linux-2.6.32.43/kernel/lockdep_proc.c
63500 --- linux-2.6.32.43/kernel/lockdep_proc.c 2011-03-27 14:31:47.000000000 -0400
63501 +++ linux-2.6.32.43/kernel/lockdep_proc.c 2011-04-17 15:56:46.000000000 -0400
63502 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
63503
63504 static void print_name(struct seq_file *m, struct lock_class *class)
63505 {
63506 - char str[128];
63507 + char str[KSYM_NAME_LEN];
63508 const char *name = class->name;
63509
63510 if (!name) {
63511 diff -urNp linux-2.6.32.43/kernel/module.c linux-2.6.32.43/kernel/module.c
63512 --- linux-2.6.32.43/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
63513 +++ linux-2.6.32.43/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
63514 @@ -55,6 +55,7 @@
63515 #include <linux/async.h>
63516 #include <linux/percpu.h>
63517 #include <linux/kmemleak.h>
63518 +#include <linux/grsecurity.h>
63519
63520 #define CREATE_TRACE_POINTS
63521 #include <trace/events/module.h>
63522 @@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
63523 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
63524
63525 /* Bounds of module allocation, for speeding __module_address */
63526 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
63527 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
63528 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
63529
63530 int register_module_notifier(struct notifier_block * nb)
63531 {
63532 @@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
63533 return true;
63534
63535 list_for_each_entry_rcu(mod, &modules, list) {
63536 - struct symsearch arr[] = {
63537 + struct symsearch modarr[] = {
63538 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
63539 NOT_GPL_ONLY, false },
63540 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
63541 @@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
63542 #endif
63543 };
63544
63545 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
63546 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
63547 return true;
63548 }
63549 return false;
63550 @@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
63551 void *ptr;
63552 int cpu;
63553
63554 - if (align > PAGE_SIZE) {
63555 + if (align-1 >= PAGE_SIZE) {
63556 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
63557 name, align, PAGE_SIZE);
63558 align = PAGE_SIZE;
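Review bot: `align-1 >= PAGE_SIZE` relies on unsigned wrap-around to catch `align == 0` as well as `align > PAGE_SIZE`, and nothing in the code says so. This assumes `align` is `unsigned long`, since the signature is truncated in the hunk header. The warning text still prints `alignment %li > %li`, which reads oddly for the zero case. Spelling the condition out is clearer: `if (align == 0 || align > PAGE_SIZE) {`, or keep the expression and add `/* also rejects align == 0 */`.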
63559 @@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
63560 * /sys/module/foo/sections stuff
63561 * J. Corbet <corbet@lwn.net>
63562 */
63563 -#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
63564 +#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
63565
63566 static inline bool sect_empty(const Elf_Shdr *sect)
63567 {
63568 @@ -1545,7 +1547,8 @@ static void free_module(struct module *m
63569 destroy_params(mod->kp, mod->num_kp);
63570
63571 /* This may be NULL, but that's OK */
63572 - module_free(mod, mod->module_init);
63573 + module_free(mod, mod->module_init_rw);
63574 + module_free_exec(mod, mod->module_init_rx);
63575 kfree(mod->args);
63576 if (mod->percpu)
63577 percpu_modfree(mod->percpu);
63578 @@ -1554,10 +1557,12 @@ static void free_module(struct module *m
63579 percpu_modfree(mod->refptr);
63580 #endif
63581 /* Free lock-classes: */
63582 - lockdep_free_key_range(mod->module_core, mod->core_size);
63583 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
63584 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
63585
63586 /* Finally, free the core (containing the module structure) */
63587 - module_free(mod, mod->module_core);
63588 + module_free_exec(mod, mod->module_core_rx);
63589 + module_free(mod, mod->module_core_rw);
63590
63591 #ifdef CONFIG_MPU
63592 update_protections(current->mm);
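Review bot: The comment `Finally, free the core (containing the module structure)` now covers two frees whose order matters, because `mod->module_core_rx` must be read from `mod` before the region holding `mod` is released. The kmemleak hunk further down computes `mod - mod->module_core_rw`, which suggests the structure lives in the rw core. Say so at the call site, e.g. `/* *mod lives in module_core_rw: free it last */`, so the two lines are not reordered later.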
63593 @@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
63594 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
63595 int ret = 0;
63596 const struct kernel_symbol *ksym;
63597 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63598 + int is_fs_load = 0;
63599 + int register_filesystem_found = 0;
63600 + char *p;
63601 +
63602 + p = strstr(mod->args, "grsec_modharden_fs");
63603 +
63604 + if (p) {
63605 + char *endptr = p + strlen("grsec_modharden_fs");
63606 + /* copy \0 as well */
63607 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
63608 + is_fs_load = 1;
63609 + }
63610 +#endif
63611 +
63612
63613 for (i = 1; i < n; i++) {
63614 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63615 + const char *name = strtab + sym[i].st_name;
63616 +
63617 + /* it's a real shame this will never get ripped and copied
63618 + upstream! ;(
63619 + */
63620 + if (is_fs_load && !strcmp(name, "register_filesystem"))
63621 + register_filesystem_found = 1;
63622 +#endif
63623 switch (sym[i].st_shndx) {
63624 case SHN_COMMON:
63625 /* We compiled with -fno-common. These are not
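Review bot: The `register_filesystem` name test runs for every symbol-table entry before the `switch` on `st_shndx`, so any symbol of that name satisfies it, not only an undefined reference that the loader resolves against the kernel export. Restricting it tightens the check: `if (is_fs_load && sym[i].st_shndx == SHN_UNDEF && !strcmp(name, "register_filesystem"))`. The length passed to `memmove()` reduces to `strlen(endptr) + 1`, which avoids the pointer-difference cast. simplify_symbols continues past the end of the hunk.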
63626 @@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
63627 strtab + sym[i].st_name, mod);
63628 /* Ok if resolved. */
63629 if (ksym) {
63630 + pax_open_kernel();
63631 sym[i].st_value = ksym->value;
63632 + pax_close_kernel();
63633 break;
63634 }
63635
63636 @@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
63637 secbase = (unsigned long)mod->percpu;
63638 else
63639 secbase = sechdrs[sym[i].st_shndx].sh_addr;
63640 + pax_open_kernel();
63641 sym[i].st_value += secbase;
63642 + pax_close_kernel();
63643 break;
63644 }
63645 }
63646
63647 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63648 + if (is_fs_load && !register_filesystem_found) {
63649 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
63650 + ret = -EPERM;
63651 + }
63652 +#endif
63653 +
63654 return ret;
63655 }
63656
63657 @@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
63658 || s->sh_entsize != ~0UL
63659 || strstarts(secstrings + s->sh_name, ".init"))
63660 continue;
63661 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
63662 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63663 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
63664 + else
63665 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
63666 DEBUGP("\t%s\n", secstrings + s->sh_name);
63667 }
63668 - if (m == 0)
63669 - mod->core_text_size = mod->core_size;
63670 }
63671
63672 DEBUGP("Init section allocation order:\n");
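Review bot: The region test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop of the next hunk, and twice more in load_module's copy loop. All four must agree, or a section is laid out in one region and copied into the other. A single helper keeps them in step: `static inline bool sect_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. layout_sections begins before the hunk.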
63673 @@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
63674 || s->sh_entsize != ~0UL
63675 || !strstarts(secstrings + s->sh_name, ".init"))
63676 continue;
63677 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
63678 - | INIT_OFFSET_MASK);
63679 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
63680 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
63681 + else
63682 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
63683 + s->sh_entsize |= INIT_OFFSET_MASK;
63684 DEBUGP("\t%s\n", secstrings + s->sh_name);
63685 }
63686 - if (m == 0)
63687 - mod->init_text_size = mod->init_size;
63688 }
63689 }
63690
63691 @@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
63692
63693 /* As per nm */
63694 static char elf_type(const Elf_Sym *sym,
63695 - Elf_Shdr *sechdrs,
63696 - const char *secstrings,
63697 - struct module *mod)
63698 + const Elf_Shdr *sechdrs,
63699 + const char *secstrings)
63700 {
63701 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
63702 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
63703 @@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
63704
63705 /* Put symbol section at end of init part of module. */
63706 symsect->sh_flags |= SHF_ALLOC;
63707 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
63708 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
63709 symindex) | INIT_OFFSET_MASK;
63710 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
63711
63712 @@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
63713 }
63714
63715 /* Append room for core symbols at end of core part. */
63716 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
63717 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
63718 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
63719 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
63720
63721 /* Put string table section at end of init part of module. */
63722 strsect->sh_flags |= SHF_ALLOC;
63723 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
63724 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
63725 strindex) | INIT_OFFSET_MASK;
63726 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
63727
63728 /* Append room for core symbols' strings at end of core part. */
63729 - *pstroffs = mod->core_size;
63730 + *pstroffs = mod->core_size_rx;
63731 __set_bit(0, strmap);
63732 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
63733 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
63734
63735 return symoffs;
63736 }
63737 @@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
63738 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
63739 mod->strtab = (void *)sechdrs[strindex].sh_addr;
63740
63741 + pax_open_kernel();
63742 +
63743 /* Set types up while we still have access to sections. */
63744 for (i = 0; i < mod->num_symtab; i++)
63745 mod->symtab[i].st_info
63746 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
63747 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
63748
63749 - mod->core_symtab = dst = mod->module_core + symoffs;
63750 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
63751 src = mod->symtab;
63752 *dst = *src;
63753 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
63754 @@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
63755 }
63756 mod->core_num_syms = ndst;
63757
63758 - mod->core_strtab = s = mod->module_core + stroffs;
63759 + mod->core_strtab = s = mod->module_core_rx + stroffs;
63760 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
63761 if (test_bit(i, strmap))
63762 *++s = mod->strtab[i];
63763 +
63764 + pax_close_kernel();
63765 }
63766 #else
63767 static inline unsigned long layout_symtab(struct module *mod,
63768 @@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
63769 #endif
63770 }
63771
63772 -static void *module_alloc_update_bounds(unsigned long size)
63773 +static void *module_alloc_update_bounds_rw(unsigned long size)
63774 {
63775 void *ret = module_alloc(size);
63776
63777 if (ret) {
63778 /* Update module bounds. */
63779 - if ((unsigned long)ret < module_addr_min)
63780 - module_addr_min = (unsigned long)ret;
63781 - if ((unsigned long)ret + size > module_addr_max)
63782 - module_addr_max = (unsigned long)ret + size;
63783 + if ((unsigned long)ret < module_addr_min_rw)
63784 + module_addr_min_rw = (unsigned long)ret;
63785 + if ((unsigned long)ret + size > module_addr_max_rw)
63786 + module_addr_max_rw = (unsigned long)ret + size;
63787 + }
63788 + return ret;
63789 +}
63790 +
63791 +static void *module_alloc_update_bounds_rx(unsigned long size)
63792 +{
63793 + void *ret = module_alloc_exec(size);
63794 +
63795 + if (ret) {
63796 + /* Update module bounds. */
63797 + if ((unsigned long)ret < module_addr_min_rx)
63798 + module_addr_min_rx = (unsigned long)ret;
63799 + if ((unsigned long)ret + size > module_addr_max_rx)
63800 + module_addr_max_rx = (unsigned long)ret + size;
63801 }
63802 return ret;
63803 }
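Review bot: `module_alloc_update_bounds_rw()` and `module_alloc_update_bounds_rx()` are copies that differ only in the allocator and the pair of bounds they touch, so a later fix to the bounds arithmetic has to be made twice. Factoring the update into one helper that takes pointers to the min and max leaves each wrapper with just its allocator call. The sketch below shows the helper and the rw wrapper; the rx wrapper follows the same shape with `module_alloc_exec()` and the `_rx` bounds.

```c
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	if (!ret)
		return;
	if ((unsigned long)ret < *min)
		*min = (unsigned long)ret;
	if ((unsigned long)ret + size > *max)
		*max = (unsigned long)ret + size;
}

static void *module_alloc_update_bounds_rw(unsigned long size)
{
	void *ret = module_alloc(size);

	module_update_bounds(ret, size, &module_addr_min_rw, &module_addr_max_rw);
	return ret;
}
/* … module_alloc_update_bounds_rx: same shape with module_alloc_exec() and the _rx bounds … */
```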
63804 @@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
63805 unsigned int i;
63806
63807 /* only scan the sections containing data */
63808 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
63809 - (unsigned long)mod->module_core,
63810 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
63811 + (unsigned long)mod->module_core_rw,
63812 sizeof(struct module), GFP_KERNEL);
63813
63814 for (i = 1; i < hdr->e_shnum; i++) {
63815 @@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
63816 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
63817 continue;
63818
63819 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
63820 - (unsigned long)mod->module_core,
63821 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
63822 + (unsigned long)mod->module_core_rw,
63823 sechdrs[i].sh_size, GFP_KERNEL);
63824 }
63825 }
63826 @@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
63827 secstrings, &stroffs, strmap);
63828
63829 /* Do the allocs. */
63830 - ptr = module_alloc_update_bounds(mod->core_size);
63831 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
63832 /*
63833 * The pointer to this block is stored in the module structure
63834 * which is inside the block. Just mark it as not being a
63835 @@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
63836 err = -ENOMEM;
63837 goto free_percpu;
63838 }
63839 - memset(ptr, 0, mod->core_size);
63840 - mod->module_core = ptr;
63841 + memset(ptr, 0, mod->core_size_rw);
63842 + mod->module_core_rw = ptr;
63843
63844 - ptr = module_alloc_update_bounds(mod->init_size);
63845 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
63846 /*
63847 * The pointer to this block is stored in the module structure
63848 * which is inside the block. This block doesn't need to be
63849 * scanned as it contains data and code that will be freed
63850 * after the module is initialized.
63851 */
63852 - kmemleak_ignore(ptr);
63853 - if (!ptr && mod->init_size) {
63854 + kmemleak_not_leak(ptr);
63855 + if (!ptr && mod->init_size_rw) {
63856 + err = -ENOMEM;
63857 + goto free_core_rw;
63858 + }
63859 + memset(ptr, 0, mod->init_size_rw);
63860 + mod->module_init_rw = ptr;
63861 +
63862 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
63863 + kmemleak_not_leak(ptr);
63864 + if (!ptr) {
63865 err = -ENOMEM;
63866 - goto free_core;
63867 + goto free_init_rw;
63868 }
63869 - memset(ptr, 0, mod->init_size);
63870 - mod->module_init = ptr;
63871 +
63872 + pax_open_kernel();
63873 + memset(ptr, 0, mod->core_size_rx);
63874 + pax_close_kernel();
63875 + mod->module_core_rx = ptr;
63876 +
63877 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
63878 + kmemleak_not_leak(ptr);
63879 + if (!ptr && mod->init_size_rx) {
63880 + err = -ENOMEM;
63881 + goto free_core_rx;
63882 + }
63883 +
63884 + pax_open_kernel();
63885 + memset(ptr, 0, mod->init_size_rx);
63886 + pax_close_kernel();
63887 + mod->module_init_rx = ptr;
63888
63889 /* Transfer each section which specifies SHF_ALLOC */
63890 DEBUGP("final section addresses:\n");
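Review bot: The retained comment says the init block "doesn't need to be scanned", but the call below it changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which only suppresses the leak report and leaves the block scanned. Either keep `kmemleak_ignore()` for the init regions or reword the comment to say why scanning is now wanted. The two `_rx` allocations that follow have no comment at all; `/* rx regions are write-protected, so clear them inside pax_open_kernel() */` would explain the bracketing, assuming that is the reason. load_module starts and ends outside the hunk.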
63891 @@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
63892 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
63893 continue;
63894
63895 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
63896 - dest = mod->module_init
63897 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
63898 - else
63899 - dest = mod->module_core + sechdrs[i].sh_entsize;
63900 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
63901 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
63902 + dest = mod->module_init_rw
63903 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
63904 + else
63905 + dest = mod->module_init_rx
63906 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
63907 + } else {
63908 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
63909 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
63910 + else
63911 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
63912 + }
63913 +
63914 + if (sechdrs[i].sh_type != SHT_NOBITS) {
63915
63916 - if (sechdrs[i].sh_type != SHT_NOBITS)
63917 - memcpy(dest, (void *)sechdrs[i].sh_addr,
63918 - sechdrs[i].sh_size);
63919 +#ifdef CONFIG_PAX_KERNEXEC
63920 +#ifdef CONFIG_X86_64
63921 + if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
63922 + set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
63923 +#endif
63924 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
63925 + pax_open_kernel();
63926 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
63927 + pax_close_kernel();
63928 + } else
63929 +#endif
63930 +
63931 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
63932 + }
63933 /* Update sh_addr to point to copy in image. */
63934 - sechdrs[i].sh_addr = (unsigned long)dest;
63935 +
63936 +#ifdef CONFIG_PAX_KERNEXEC
63937 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
63938 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
63939 + else
63940 +#endif
63941 +
63942 + sechdrs[i].sh_addr = (unsigned long)dest;
63943 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
63944 }
63945 /* Module has been moved. */
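Review bot: A section flagged both SHF_WRITE and SHF_EXECINSTR is placed in the rw region and then made executable by `set_memory_x()` on x86_64, leaving those pages writable and executable, outside the rw/rx split this change sets up. The page count `(sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT` is rounded up from the size alone, so if `dest` is not page aligned the range can also cover neighbouring writable data; the alignment of `dest` is not visible in this hunk. Consider logging such sections so they can be audited, e.g. `printk(KERN_WARNING "%s: section %s is writable and executable\n", mod->name, secstrings + sechdrs[i].sh_name);`. Separately, the `!(sechdrs[i].sh_flags & SHF_ALLOC)` terms are always false here, because non-ALLOC sections hit the `continue` at the top of the loop.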
63946 @@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
63947 mod->name);
63948 if (!mod->refptr) {
63949 err = -ENOMEM;
63950 - goto free_init;
63951 + goto free_init_rx;
63952 }
63953 #endif
63954 /* Now we've moved module, initialize linked lists, etc. */
63955 @@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
63956 /* Set up MODINFO_ATTR fields */
63957 setup_modinfo(mod, sechdrs, infoindex);
63958
63959 + mod->args = args;
63960 +
63961 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
63962 + {
63963 + char *p, *p2;
63964 +
63965 + if (strstr(mod->args, "grsec_modharden_netdev")) {
63966 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
63967 + err = -EPERM;
63968 + goto cleanup;
63969 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
63970 + p += strlen("grsec_modharden_normal");
63971 + p2 = strstr(p, "_");
63972 + if (p2) {
63973 + *p2 = '\0';
63974 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
63975 + *p2 = '_';
63976 + }
63977 + err = -EPERM;
63978 + goto cleanup;
63979 + }
63980 + }
63981 +#endif
63982 +
63983 +
63984 /* Fix up syms, so that st_value is a pointer to location. */
63985 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
63986 mod);
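Review bot: The netdev denial message has no trailing `\n`, unlike the other two grsec messages added to this file, so the next log line can run into it; end the format with `instead.\n`. In the `grsec_modharden_normal` branch the load is denied with `-EPERM` even when no `_` follows the marker, but nothing is logged in that case, so a denial can happen without an audit record; an `else` with a generic denial printk would close that gap. `strstr(p, "_")` can be `strchr(p, '_')`. The `cleanup` label and the code that appends these markers to the arguments are outside this hunk.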
63987 @@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
63988
63989 /* Now do relocations. */
63990 for (i = 1; i < hdr->e_shnum; i++) {
63991 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
63992 unsigned int info = sechdrs[i].sh_info;
63993 + strtab = (char *)sechdrs[strindex].sh_addr;
63994
63995 /* Not a valid relocation section? */
63996 if (info >= hdr->e_shnum)
63997 @@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
63998 * Do it before processing of module parameters, so the module
63999 * can provide parameter accessor functions of its own.
64000 */
64001 - if (mod->module_init)
64002 - flush_icache_range((unsigned long)mod->module_init,
64003 - (unsigned long)mod->module_init
64004 - + mod->init_size);
64005 - flush_icache_range((unsigned long)mod->module_core,
64006 - (unsigned long)mod->module_core + mod->core_size);
64007 + if (mod->module_init_rx)
64008 + flush_icache_range((unsigned long)mod->module_init_rx,
64009 + (unsigned long)mod->module_init_rx
64010 + + mod->init_size_rx);
64011 + flush_icache_range((unsigned long)mod->module_core_rx,
64012 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
64013
64014 set_fs(old_fs);
64015
64016 - mod->args = args;
64017 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
64018 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
64019 mod->name);
64020 @@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
64021 free_unload:
64022 module_unload_free(mod);
64023 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
64024 + free_init_rx:
64025 percpu_modfree(mod->refptr);
64026 - free_init:
64027 #endif
64028 - module_free(mod, mod->module_init);
64029 - free_core:
64030 - module_free(mod, mod->module_core);
64031 + module_free_exec(mod, mod->module_init_rx);
64032 + free_core_rx:
64033 + module_free_exec(mod, mod->module_core_rx);
64034 + free_init_rw:
64035 + module_free(mod, mod->module_init_rw);
64036 + free_core_rw:
64037 + module_free(mod, mod->module_core_rw);
64038 /* mod will be freed with core. Don't access it beyond this line! */
64039 free_percpu:
64040 if (percpu)
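Review bot: `free_init_rx:` now precedes `percpu_modfree(mod->refptr)`, and the only jump to it visible in this patch is the `if (!mod->refptr)` failure path, so that path calls `percpu_modfree()` with a NULL pointer. Whether `percpu_modfree()` accepts NULL is not shown here; the pre-patch layout placed `free_init:` after the call and avoided the question. Keeping that order, with `percpu_modfree(mod->refptr);` followed by ` free_init_rx:` inside the `#if`, preserves the old behaviour. The remaining labels unwind in reverse allocation order with `module_core_rw` last, which matches the comment that `mod` is freed with the core.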
64041 @@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
64042 mod->symtab = mod->core_symtab;
64043 mod->strtab = mod->core_strtab;
64044 #endif
64045 - module_free(mod, mod->module_init);
64046 - mod->module_init = NULL;
64047 - mod->init_size = 0;
64048 - mod->init_text_size = 0;
64049 + module_free(mod, mod->module_init_rw);
64050 + module_free_exec(mod, mod->module_init_rx);
64051 + mod->module_init_rw = NULL;
64052 + mod->module_init_rx = NULL;
64053 + mod->init_size_rw = 0;
64054 + mod->init_size_rx = 0;
64055 mutex_unlock(&module_mutex);
64056
64057 return 0;
64058 @@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
64059 unsigned long nextval;
64060
64061 /* At worse, next value is at end of module */
64062 - if (within_module_init(addr, mod))
64063 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
64064 + if (within_module_init_rx(addr, mod))
64065 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
64066 + else if (within_module_init_rw(addr, mod))
64067 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
64068 + else if (within_module_core_rx(addr, mod))
64069 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
64070 + else if (within_module_core_rw(addr, mod))
64071 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
64072 else
64073 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
64074 + return NULL;
64075
64076 /* Scan for closest preceeding symbol, and next symbol. (ELF
64077 starts real symbols at 1). */
64078 @@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
64079 char buf[8];
64080
64081 seq_printf(m, "%s %u",
64082 - mod->name, mod->init_size + mod->core_size);
64083 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
64084 print_unload_info(m, mod);
64085
64086 /* Informative for users. */
64087 @@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
64088 mod->state == MODULE_STATE_COMING ? "Loading":
64089 "Live");
64090 /* Used by oprofile and other similar tools. */
64091 - seq_printf(m, " 0x%p", mod->module_core);
64092 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
64093
64094 /* Taints info */
64095 if (mod->taints)
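Review bot: Printing two addresses with `" 0x%p 0x%p"` changes the column layout of /proc/modules, and the comment directly above says the field is consumed by oprofile and similar tools. A parser that expects a single address before the optional taint field would misread the second pointer. If the rw base is not needed by those tools, leaving it out keeps the established format; otherwise the comment should document the new column, e.g. `/* core_rx base, then core_rw base */`. m_show begins and ends outside the hunk.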
64096 @@ -2981,7 +3128,17 @@ static const struct file_operations proc
64097
64098 static int __init proc_modules_init(void)
64099 {
64100 +#ifndef CONFIG_GRKERNSEC_HIDESYM
64101 +#ifdef CONFIG_GRKERNSEC_PROC_USER
64102 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64103 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64104 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
64105 +#else
64106 proc_create("modules", 0, NULL, &proc_modules_operations);
64107 +#endif
64108 +#else
64109 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
64110 +#endif
64111 return 0;
64112 }
64113 module_init(proc_modules_init);
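Review bot: The HIDESYM branch and the PROC_USER branch create the entry with the same `S_IRUSR` mode, so the nested `#ifndef`/`#else` can be flattened into one chain starting with `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)`. That leaves one call per mode and makes it harder for the two owner-only cases to drift apart. A comment on the last branch noting that mode `0` falls back to the proc default, which is world-readable, would make the unhardened case explicit.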
64114 @@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
64115 {
64116 struct module *mod;
64117
64118 - if (addr < module_addr_min || addr > module_addr_max)
64119 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
64120 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
64121 return NULL;
64122
64123 list_for_each_entry_rcu(mod, &modules, list)
64124 - if (within_module_core(addr, mod)
64125 - || within_module_init(addr, mod))
64126 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
64127 return mod;
64128 return NULL;
64129 }
64130 @@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
64131 */
64132 struct module *__module_text_address(unsigned long addr)
64133 {
64134 - struct module *mod = __module_address(addr);
64135 + struct module *mod;
64136 +
64137 +#ifdef CONFIG_X86_32
64138 + addr = ktla_ktva(addr);
64139 +#endif
64140 +
64141 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
64142 + return NULL;
64143 +
64144 + mod = __module_address(addr);
64145 +
64146 if (mod) {
64147 /* Make sure it's within the text section. */
64148 - if (!within(addr, mod->module_init, mod->init_text_size)
64149 - && !within(addr, mod->module_core, mod->core_text_size))
64150 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
64151 mod = NULL;
64152 }
64153 return mod;
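Review bot: `ktla_ktva()` is applied here under `CONFIG_X86_32`, while the inverse `ktva_ktla()` in load_module is guarded by `CONFIG_PAX_KERNEXEC`; the two guards should match, or a comment should say why they differ. Neither helper is defined in this part of the patch, so it may be a no-op without KERNEXEC, but a reader cannot tell that from here. A one-line comment such as `/* translate the caller's text address before comparing with the rx bounds */` would document the intent, if that is the intent.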
64154 diff -urNp linux-2.6.32.43/kernel/mutex.c linux-2.6.32.43/kernel/mutex.c
64155 --- linux-2.6.32.43/kernel/mutex.c 2011-03-27 14:31:47.000000000 -0400
64156 +++ linux-2.6.32.43/kernel/mutex.c 2011-04-17 15:56:46.000000000 -0400
64157 @@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
64158 */
64159
64160 for (;;) {
64161 - struct thread_info *owner;
64162 + struct task_struct *owner;
64163
64164 /*
64165 * If we own the BKL, then don't spin. The owner of
64166 @@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
64167 spin_lock_mutex(&lock->wait_lock, flags);
64168
64169 debug_mutex_lock_common(lock, &waiter);
64170 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
64171 + debug_mutex_add_waiter(lock, &waiter, task);
64172
64173 /* add waiting tasks to the end of the waitqueue (FIFO): */
64174 list_add_tail(&waiter.list, &lock->wait_list);
64175 @@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
64176 * TASK_UNINTERRUPTIBLE case.)
64177 */
64178 if (unlikely(signal_pending_state(state, task))) {
64179 - mutex_remove_waiter(lock, &waiter,
64180 - task_thread_info(task));
64181 + mutex_remove_waiter(lock, &waiter, task);
64182 mutex_release(&lock->dep_map, 1, ip);
64183 spin_unlock_mutex(&lock->wait_lock, flags);
64184
64185 @@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
64186 done:
64187 lock_acquired(&lock->dep_map, ip);
64188 /* got the lock - rejoice! */
64189 - mutex_remove_waiter(lock, &waiter, current_thread_info());
64190 + mutex_remove_waiter(lock, &waiter, task);
64191 mutex_set_owner(lock);
64192
64193 /* set it to 0 if there are no waiters left: */
64194 diff -urNp linux-2.6.32.43/kernel/mutex-debug.c linux-2.6.32.43/kernel/mutex-debug.c
64195 --- linux-2.6.32.43/kernel/mutex-debug.c 2011-03-27 14:31:47.000000000 -0400
64196 +++ linux-2.6.32.43/kernel/mutex-debug.c 2011-04-17 15:56:46.000000000 -0400
64197 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
64198 }
64199
64200 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64201 - struct thread_info *ti)
64202 + struct task_struct *task)
64203 {
64204 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
64205
64206 /* Mark the current thread as blocked on the lock: */
64207 - ti->task->blocked_on = waiter;
64208 + task->blocked_on = waiter;
64209 }
64210
64211 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64212 - struct thread_info *ti)
64213 + struct task_struct *task)
64214 {
64215 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
64216 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
64217 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
64218 - ti->task->blocked_on = NULL;
64219 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
64220 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
64221 + task->blocked_on = NULL;
64222
64223 list_del_init(&waiter->list);
64224 waiter->task = NULL;
64225 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
64226 return;
64227
64228 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
64229 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
64230 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
64231 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
64232 mutex_clear_owner(lock);
64233 }
64234 diff -urNp linux-2.6.32.43/kernel/mutex-debug.h linux-2.6.32.43/kernel/mutex-debug.h
64235 --- linux-2.6.32.43/kernel/mutex-debug.h 2011-03-27 14:31:47.000000000 -0400
64236 +++ linux-2.6.32.43/kernel/mutex-debug.h 2011-04-17 15:56:46.000000000 -0400
64237 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
64238 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
64239 extern void debug_mutex_add_waiter(struct mutex *lock,
64240 struct mutex_waiter *waiter,
64241 - struct thread_info *ti);
64242 + struct task_struct *task);
64243 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
64244 - struct thread_info *ti);
64245 + struct task_struct *task);
64246 extern void debug_mutex_unlock(struct mutex *lock);
64247 extern void debug_mutex_init(struct mutex *lock, const char *name,
64248 struct lock_class_key *key);
64249
64250 static inline void mutex_set_owner(struct mutex *lock)
64251 {
64252 - lock->owner = current_thread_info();
64253 + lock->owner = current;
64254 }
64255
64256 static inline void mutex_clear_owner(struct mutex *lock)
64257 diff -urNp linux-2.6.32.43/kernel/mutex.h linux-2.6.32.43/kernel/mutex.h
64258 --- linux-2.6.32.43/kernel/mutex.h 2011-03-27 14:31:47.000000000 -0400
64259 +++ linux-2.6.32.43/kernel/mutex.h 2011-04-17 15:56:46.000000000 -0400
64260 @@ -19,7 +19,7 @@
64261 #ifdef CONFIG_SMP
64262 static inline void mutex_set_owner(struct mutex *lock)
64263 {
64264 - lock->owner = current_thread_info();
64265 + lock->owner = current;
64266 }
64267
64268 static inline void mutex_clear_owner(struct mutex *lock)
64269 diff -urNp linux-2.6.32.43/kernel/panic.c linux-2.6.32.43/kernel/panic.c
64270 --- linux-2.6.32.43/kernel/panic.c 2011-03-27 14:31:47.000000000 -0400
64271 +++ linux-2.6.32.43/kernel/panic.c 2011-04-17 15:56:46.000000000 -0400
64272 @@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
64273 const char *board;
64274
64275 printk(KERN_WARNING "------------[ cut here ]------------\n");
64276 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
64277 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
64278 board = dmi_get_system_info(DMI_PRODUCT_NAME);
64279 if (board)
64280 printk(KERN_WARNING "Hardware name: %s\n", board);
64281 @@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
64282 */
64283 void __stack_chk_fail(void)
64284 {
64285 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
64286 + dump_stack();
64287 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
64288 __builtin_return_address(0));
64289 }
64290 EXPORT_SYMBOL(__stack_chk_fail);
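Review bot: `dump_stack()` is called on a stack whose canary has just been found overwritten, so the trace it prints may be truncated or misleading. A comment should say the output is best effort, e.g. `/* stack is known corrupt here; the trace is best effort */`. The `%pA` conversion in the panic string does not appear to be a stock printk specifier for this kernel version, and its handler is not in this part of the patch, so the message depends on that other change being applied.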
64291 diff -urNp linux-2.6.32.43/kernel/params.c linux-2.6.32.43/kernel/params.c
64292 --- linux-2.6.32.43/kernel/params.c 2011-03-27 14:31:47.000000000 -0400
64293 +++ linux-2.6.32.43/kernel/params.c 2011-04-17 15:56:46.000000000 -0400
64294 @@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
64295 return ret;
64296 }
64297
64298 -static struct sysfs_ops module_sysfs_ops = {
64299 +static const struct sysfs_ops module_sysfs_ops = {
64300 .show = module_attr_show,
64301 .store = module_attr_store,
64302 };
64303 @@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
64304 return 0;
64305 }
64306
64307 -static struct kset_uevent_ops module_uevent_ops = {
64308 +static const struct kset_uevent_ops module_uevent_ops = {
64309 .filter = uevent_filter,
64310 };
64311
64312 diff -urNp linux-2.6.32.43/kernel/perf_event.c linux-2.6.32.43/kernel/perf_event.c
64313 --- linux-2.6.32.43/kernel/perf_event.c 2011-04-17 17:00:52.000000000 -0400
64314 +++ linux-2.6.32.43/kernel/perf_event.c 2011-05-04 17:56:28.000000000 -0400
64315 @@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
64316 */
64317 int sysctl_perf_event_sample_rate __read_mostly = 100000;
64318
64319 -static atomic64_t perf_event_id;
64320 +static atomic64_unchecked_t perf_event_id;
64321
64322 /*
64323 * Lock for (sysadmin-configurable) event reservations:
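Review bot: Nothing records why `perf_event_id` and the event counters are switched to the `_unchecked` atomic variants, and the same conversion repeats in every later hunk of this file without a comment. Presumably these are id or statistics counters that may wrap and are therefore exempted from the overflow checking applied to the regular atomic types, which is defined outside this part of the patch. A comment at the declaration, e.g. `/* id generator, not a reference count: wrapping is harmless */`, would let a reviewer confirm that no lifetime-tracking counter was converted by mistake.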
64324 @@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
64325 * In order to keep per-task stats reliable we need to flip the event
64326 * values when we flip the contexts.
64327 */
64328 - value = atomic64_read(&next_event->count);
64329 - value = atomic64_xchg(&event->count, value);
64330 - atomic64_set(&next_event->count, value);
64331 + value = atomic64_read_unchecked(&next_event->count);
64332 + value = atomic64_xchg_unchecked(&event->count, value);
64333 + atomic64_set_unchecked(&next_event->count, value);
64334
64335 swap(event->total_time_enabled, next_event->total_time_enabled);
64336 swap(event->total_time_running, next_event->total_time_running);
64337 @@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
64338 update_event_times(event);
64339 }
64340
64341 - return atomic64_read(&event->count);
64342 + return atomic64_read_unchecked(&event->count);
64343 }
64344
64345 /*
64346 @@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
64347 values[n++] = 1 + leader->nr_siblings;
64348 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
64349 values[n++] = leader->total_time_enabled +
64350 - atomic64_read(&leader->child_total_time_enabled);
64351 + atomic64_read_unchecked(&leader->child_total_time_enabled);
64352 }
64353 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
64354 values[n++] = leader->total_time_running +
64355 - atomic64_read(&leader->child_total_time_running);
64356 + atomic64_read_unchecked(&leader->child_total_time_running);
64357 }
64358
64359 size = n * sizeof(u64);
64360 @@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
64361 values[n++] = perf_event_read_value(event);
64362 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
64363 values[n++] = event->total_time_enabled +
64364 - atomic64_read(&event->child_total_time_enabled);
64365 + atomic64_read_unchecked(&event->child_total_time_enabled);
64366 }
64367 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
64368 values[n++] = event->total_time_running +
64369 - atomic64_read(&event->child_total_time_running);
64370 + atomic64_read_unchecked(&event->child_total_time_running);
64371 }
64372 if (read_format & PERF_FORMAT_ID)
64373 values[n++] = primary_event_id(event);
64374 @@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
64375 static void perf_event_reset(struct perf_event *event)
64376 {
64377 (void)perf_event_read(event);
64378 - atomic64_set(&event->count, 0);
64379 + atomic64_set_unchecked(&event->count, 0);
64380 perf_event_update_userpage(event);
64381 }
64382
64383 @@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
64384 ++userpg->lock;
64385 barrier();
64386 userpg->index = perf_event_index(event);
64387 - userpg->offset = atomic64_read(&event->count);
64388 + userpg->offset = atomic64_read_unchecked(&event->count);
64389 if (event->state == PERF_EVENT_STATE_ACTIVE)
64390 - userpg->offset -= atomic64_read(&event->hw.prev_count);
64391 + userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
64392
64393 userpg->time_enabled = event->total_time_enabled +
64394 - atomic64_read(&event->child_total_time_enabled);
64395 + atomic64_read_unchecked(&event->child_total_time_enabled);
64396
64397 userpg->time_running = event->total_time_running +
64398 - atomic64_read(&event->child_total_time_running);
64399 + atomic64_read_unchecked(&event->child_total_time_running);
64400
64401 barrier();
64402 ++userpg->lock;
64403 @@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
64404 u64 values[4];
64405 int n = 0;
64406
64407 - values[n++] = atomic64_read(&event->count);
64408 + values[n++] = atomic64_read_unchecked(&event->count);
64409 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
64410 values[n++] = event->total_time_enabled +
64411 - atomic64_read(&event->child_total_time_enabled);
64412 + atomic64_read_unchecked(&event->child_total_time_enabled);
64413 }
64414 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
64415 values[n++] = event->total_time_running +
64416 - atomic64_read(&event->child_total_time_running);
64417 + atomic64_read_unchecked(&event->child_total_time_running);
64418 }
64419 if (read_format & PERF_FORMAT_ID)
64420 values[n++] = primary_event_id(event);
64421 @@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
64422 if (leader != event)
64423 leader->pmu->read(leader);
64424
64425 - values[n++] = atomic64_read(&leader->count);
64426 + values[n++] = atomic64_read_unchecked(&leader->count);
64427 if (read_format & PERF_FORMAT_ID)
64428 values[n++] = primary_event_id(leader);
64429
64430 @@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
64431 if (sub != event)
64432 sub->pmu->read(sub);
64433
64434 - values[n++] = atomic64_read(&sub->count);
64435 + values[n++] = atomic64_read_unchecked(&sub->count);
64436 if (read_format & PERF_FORMAT_ID)
64437 values[n++] = primary_event_id(sub);
64438
64439 @@ -3787,7 +3787,7 @@ static void perf_swevent_add(struct perf
64440 {
64441 struct hw_perf_event *hwc = &event->hw;
64442
64443 - atomic64_add(nr, &event->count);
64444 + atomic64_add_unchecked(nr, &event->count);
64445
64446 if (!hwc->sample_period)
64447 return;
64448 @@ -4044,9 +4044,9 @@ static void cpu_clock_perf_event_update(
64449 u64 now;
64450
64451 now = cpu_clock(cpu);
64452 - prev = atomic64_read(&event->hw.prev_count);
64453 - atomic64_set(&event->hw.prev_count, now);
64454 - atomic64_add(now - prev, &event->count);
64455 + prev = atomic64_read_unchecked(&event->hw.prev_count);
64456 + atomic64_set_unchecked(&event->hw.prev_count, now);
64457 + atomic64_add_unchecked(now - prev, &event->count);
64458 }
64459
64460 static int cpu_clock_perf_event_enable(struct perf_event *event)
64461 @@ -4054,7 +4054,7 @@ static int cpu_clock_perf_event_enable(s
64462 struct hw_perf_event *hwc = &event->hw;
64463 int cpu = raw_smp_processor_id();
64464
64465 - atomic64_set(&hwc->prev_count, cpu_clock(cpu));
64466 + atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
64467 perf_swevent_start_hrtimer(event);
64468
64469 return 0;
64470 @@ -4086,9 +4086,9 @@ static void task_clock_perf_event_update
64471 u64 prev;
64472 s64 delta;
64473
64474 - prev = atomic64_xchg(&event->hw.prev_count, now);
64475 + prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
64476 delta = now - prev;
64477 - atomic64_add(delta, &event->count);
64478 + atomic64_add_unchecked(delta, &event->count);
64479 }
64480
64481 static int task_clock_perf_event_enable(struct perf_event *event)
64482 @@ -4098,7 +4098,7 @@ static int task_clock_perf_event_enable(
64483
64484 now = event->ctx->time;
64485
64486 - atomic64_set(&hwc->prev_count, now);
64487 + atomic64_set_unchecked(&hwc->prev_count, now);
64488
64489 perf_swevent_start_hrtimer(event);
64490
64491 @@ -4293,7 +4293,7 @@ perf_event_alloc(struct perf_event_attr
64492 event->parent = parent_event;
64493
64494 event->ns = get_pid_ns(current->nsproxy->pid_ns);
64495 - event->id = atomic64_inc_return(&perf_event_id);
64496 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
64497
64498 event->state = PERF_EVENT_STATE_INACTIVE;
64499
64500 @@ -4724,15 +4724,15 @@ static void sync_child_event(struct perf
64501 if (child_event->attr.inherit_stat)
64502 perf_event_read_event(child_event, child);
64503
64504 - child_val = atomic64_read(&child_event->count);
64505 + child_val = atomic64_read_unchecked(&child_event->count);
64506
64507 /*
64508 * Add back the child's count to the parent's count:
64509 */
64510 - atomic64_add(child_val, &parent_event->count);
64511 - atomic64_add(child_event->total_time_enabled,
64512 + atomic64_add_unchecked(child_val, &parent_event->count);
64513 + atomic64_add_unchecked(child_event->total_time_enabled,
64514 &parent_event->child_total_time_enabled);
64515 - atomic64_add(child_event->total_time_running,
64516 + atomic64_add_unchecked(child_event->total_time_running,
64517 &parent_event->child_total_time_running);
64518
64519 /*
64520 diff -urNp linux-2.6.32.43/kernel/pid.c linux-2.6.32.43/kernel/pid.c
64521 --- linux-2.6.32.43/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400
64522 +++ linux-2.6.32.43/kernel/pid.c 2011-07-14 19:15:33.000000000 -0400
64523 @@ -33,6 +33,7 @@
64524 #include <linux/rculist.h>
64525 #include <linux/bootmem.h>
64526 #include <linux/hash.h>
64527 +#include <linux/security.h>
64528 #include <linux/pid_namespace.h>
64529 #include <linux/init_task.h>
64530 #include <linux/syscalls.h>
64531 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
64532
64533 int pid_max = PID_MAX_DEFAULT;
64534
64535 -#define RESERVED_PIDS 300
64536 +#define RESERVED_PIDS 500
64537
64538 int pid_max_min = RESERVED_PIDS + 1;
64539 int pid_max_max = PID_MAX_LIMIT;
64540 @@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
64541 */
64542 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
64543 {
64544 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64545 + struct task_struct *task;
64546 +
64547 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
64548 +
64549 + if (gr_pid_is_chrooted(task))
64550 + return NULL;
64551 +
64552 + return task;
64553 }
64554
64555 struct task_struct *find_task_by_vpid(pid_t vnr)
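Review bot: `gr_pid_is_chrooted(task)` receives the result of `pid_task()` without a NULL test, and that result is NULL whenever no task matches `nr`. The helper is defined outside this hunk, so confirm it tolerates a NULL task; if it does not, guard the call as `if (task && gr_pid_is_chrooted(task)) return NULL;`. Every caller of `find_task_by_pid_ns()` now inherits this filter, so the function comment above (which starts outside the hunk) should say that a task can be hidden from the lookup even though the pid exists.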
64556 @@ -391,6 +399,13 @@ struct task_struct *find_task_by_vpid(pi
64557 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
64558 }
64559
64560 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
64561 +{
64562 + struct task_struct *task;
64563 +
64564 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
64565 +}
64566 +
64567 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
64568 {
64569 struct pid *pid;
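Review bot: The local `struct task_struct *task;` in `find_task_by_vpid_unrestricted()` is declared but never used and should be dropped, leaving only the `return pid_task(...)` line. The function also has no comment, although it deliberately skips the `gr_pid_is_chrooted()` filter that the previous hunk adds to `find_task_by_pid_ns()`. A short header such as `/* Like find_task_by_vpid() but without the chroot visibility check; callers must justify bypassing it. */` would keep later users from reaching for it by accident.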
64570 diff -urNp linux-2.6.32.43/kernel/posix-cpu-timers.c linux-2.6.32.43/kernel/posix-cpu-timers.c
64571 --- linux-2.6.32.43/kernel/posix-cpu-timers.c 2011-03-27 14:31:47.000000000 -0400
64572 +++ linux-2.6.32.43/kernel/posix-cpu-timers.c 2011-04-17 15:56:46.000000000 -0400
64573 @@ -6,6 +6,7 @@
64574 #include <linux/posix-timers.h>
64575 #include <linux/errno.h>
64576 #include <linux/math64.h>
64577 +#include <linux/security.h>
64578 #include <asm/uaccess.h>
64579 #include <linux/kernel_stat.h>
64580 #include <trace/events/timer.h>
64581 diff -urNp linux-2.6.32.43/kernel/posix-timers.c linux-2.6.32.43/kernel/posix-timers.c
64582 --- linux-2.6.32.43/kernel/posix-timers.c 2011-03-27 14:31:47.000000000 -0400
64583 +++ linux-2.6.32.43/kernel/posix-timers.c 2011-08-05 20:33:55.000000000 -0400
64584 @@ -42,6 +42,7 @@
64585 #include <linux/compiler.h>
64586 #include <linux/idr.h>
64587 #include <linux/posix-timers.h>
64588 +#include <linux/grsecurity.h>
64589 #include <linux/syscalls.h>
64590 #include <linux/wait.h>
64591 #include <linux/workqueue.h>
64592 @@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
64593 * which we beg off on and pass to do_sys_settimeofday().
64594 */
64595
64596 -static struct k_clock posix_clocks[MAX_CLOCKS];
64597 +static struct k_clock *posix_clocks[MAX_CLOCKS];
64598
64599 /*
64600 * These ones are defined below.
64601 @@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
64602 */
64603 #define CLOCK_DISPATCH(clock, call, arglist) \
64604 ((clock) < 0 ? posix_cpu_##call arglist : \
64605 - (posix_clocks[clock].call != NULL \
64606 - ? (*posix_clocks[clock].call) arglist : common_##call arglist))
64607 + (posix_clocks[clock]->call != NULL \
64608 + ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
64609
64610 /*
64611 * Default clock hook functions when the struct k_clock passed
64612 @@ -172,7 +173,7 @@ static inline int common_clock_getres(co
64613 struct timespec *tp)
64614 {
64615 tp->tv_sec = 0;
64616 - tp->tv_nsec = posix_clocks[which_clock].res;
64617 + tp->tv_nsec = posix_clocks[which_clock]->res;
64618 return 0;
64619 }
64620
64621 @@ -217,9 +218,9 @@ static inline int invalid_clockid(const
64622 return 0;
64623 if ((unsigned) which_clock >= MAX_CLOCKS)
64624 return 1;
64625 - if (posix_clocks[which_clock].clock_getres != NULL)
64626 + if (posix_clocks[which_clock]->clock_getres != NULL)
64627 return 0;
64628 - if (posix_clocks[which_clock].res != 0)
64629 + if (posix_clocks[which_clock]->res != 0)
64630 return 0;
64631 return 1;
64632 }
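Review bot: `posix_clocks[which_clock]->clock_getres` dereferences the table slot without checking it, and `posix_clocks` is now an array of pointers, so an id below `MAX_CLOCKS` with no registered clock holds NULL. Before this change the same path read members of a zeroed struct and fell through to `return 1`. Add `if (!posix_clocks[which_clock]) return 1;` directly after the `MAX_CLOCKS` bound check, before either member test. The `CLOCK_DISPATCH` macro and `common_clock_getres()` hunks above use the same `->` access and presumably depend on this function having rejected empty slots first. The start of `invalid_clockid()` is outside the hunk.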
64633 @@ -296,6 +297,8 @@ static __init int init_posix_timers(void
64634 .nsleep = no_nsleep,
64635 };
64636
64637 + pax_track_stack();
64638 +
64639 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
64640 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
64641 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
64642 @@ -484,7 +487,7 @@ void register_posix_clock(const clockid_
64643 return;
64644 }
64645
64646 - posix_clocks[clock_id] = *new_clock;
64647 + posix_clocks[clock_id] = new_clock;
64648 }
64649 EXPORT_SYMBOL_GPL(register_posix_clock);
64650
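Review bot: Storing `new_clock` itself rather than a copy makes the table depend on the lifetime of every caller's `struct k_clock`, and nothing here documents or enforces that. The `clock_realtime`, `clock_monotonic` and `clock_monotonic_raw` objects registered from `init_posix_timers()` are declared outside the visible hunks; if they are automatic variables of that `__init` function, the stored pointers dangle as soon as it returns. Confirm that every registrant passes an object with static storage duration that is not discarded after init. The function comment should state it, e.g. `/* only the pointer is stored: *new_clock must remain valid for the lifetime of the kernel */`. The body of `register_posix_clock()` begins outside this hunk.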
64651 @@ -948,6 +951,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
64652 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
64653 return -EFAULT;
64654
64655 + /* only the CLOCK_REALTIME clock can be set, all other clocks
64656 + have their clock_set fptr set to a nosettime dummy function
64657 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
64658 + call common_clock_set, which calls do_sys_settimeofday, which
64659 + we hook
64660 + */
64661 +
64662 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
64663 }
64664
64665 diff -urNp linux-2.6.32.43/kernel/power/hibernate.c linux-2.6.32.43/kernel/power/hibernate.c
64666 --- linux-2.6.32.43/kernel/power/hibernate.c 2011-03-27 14:31:47.000000000 -0400
64667 +++ linux-2.6.32.43/kernel/power/hibernate.c 2011-04-17 15:56:46.000000000 -0400
64668 @@ -48,14 +48,14 @@ enum {
64669
64670 static int hibernation_mode = HIBERNATION_SHUTDOWN;
64671
64672 -static struct platform_hibernation_ops *hibernation_ops;
64673 +static const struct platform_hibernation_ops *hibernation_ops;
64674
64675 /**
64676 * hibernation_set_ops - set the global hibernate operations
64677 * @ops: the hibernation operations to use in subsequent hibernation transitions
64678 */
64679
64680 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
64681 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
64682 {
64683 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
64684 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
64685 diff -urNp linux-2.6.32.43/kernel/power/poweroff.c linux-2.6.32.43/kernel/power/poweroff.c
64686 --- linux-2.6.32.43/kernel/power/poweroff.c 2011-03-27 14:31:47.000000000 -0400
64687 +++ linux-2.6.32.43/kernel/power/poweroff.c 2011-04-17 15:56:46.000000000 -0400
64688 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
64689 .enable_mask = SYSRQ_ENABLE_BOOT,
64690 };
64691
64692 -static int pm_sysrq_init(void)
64693 +static int __init pm_sysrq_init(void)
64694 {
64695 register_sysrq_key('o', &sysrq_poweroff_op);
64696 return 0;
64697 diff -urNp linux-2.6.32.43/kernel/power/process.c linux-2.6.32.43/kernel/power/process.c
64698 --- linux-2.6.32.43/kernel/power/process.c 2011-03-27 14:31:47.000000000 -0400
64699 +++ linux-2.6.32.43/kernel/power/process.c 2011-04-17 15:56:46.000000000 -0400
64700 @@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
64701 struct timeval start, end;
64702 u64 elapsed_csecs64;
64703 unsigned int elapsed_csecs;
64704 + bool timedout = false;
64705
64706 do_gettimeofday(&start);
64707
64708 end_time = jiffies + TIMEOUT;
64709 do {
64710 todo = 0;
64711 + if (time_after(jiffies, end_time))
64712 + timedout = true;
64713 read_lock(&tasklist_lock);
64714 do_each_thread(g, p) {
64715 if (frozen(p) || !freezeable(p))
64716 @@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
64717 * It is "frozen enough". If the task does wake
64718 * up, it will immediately call try_to_freeze.
64719 */
64720 - if (!task_is_stopped_or_traced(p) &&
64721 - !freezer_should_skip(p))
64722 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
64723 todo++;
64724 + if (timedout) {
64725 + printk(KERN_ERR "Task refusing to freeze:\n");
64726 + sched_show_task(p);
64727 + }
64728 + }
64729 } while_each_thread(g, p);
64730 read_unlock(&tasklist_lock);
64731 yield(); /* Yield is okay here */
64732 - if (time_after(jiffies, end_time))
64733 - break;
64734 - } while (todo);
64735 + } while (todo && !timedout);
64736
64737 do_gettimeofday(&end);
64738 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
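Review bot: Once `timedout` is set, `printk(KERN_ERR "Task refusing to freeze:\n")` and `sched_show_task(p)` run for every unfrozen task inside the `do_each_thread` walk, while `tasklist_lock` is read-held (taken in the previous hunk). With many stuck tasks and a slow console that lengthens the lock hold time. The failure path of `try_to_freeze_tasks()` lies outside this hunk and may already report the same tasks. The loop also makes one extra full pass after the deadline purely to produce this output, which deserves a comment at the `timedout = true` assignment, e.g. `/* deadline passed: one last pass to log the tasks that did not freeze */`.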
64739 diff -urNp linux-2.6.32.43/kernel/power/suspend.c linux-2.6.32.43/kernel/power/suspend.c
64740 --- linux-2.6.32.43/kernel/power/suspend.c 2011-03-27 14:31:47.000000000 -0400
64741 +++ linux-2.6.32.43/kernel/power/suspend.c 2011-04-17 15:56:46.000000000 -0400
64742 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
64743 [PM_SUSPEND_MEM] = "mem",
64744 };
64745
64746 -static struct platform_suspend_ops *suspend_ops;
64747 +static const struct platform_suspend_ops *suspend_ops;
64748
64749 /**
64750 * suspend_set_ops - Set the global suspend method table.
64751 * @ops: Pointer to ops structure.
64752 */
64753 -void suspend_set_ops(struct platform_suspend_ops *ops)
64754 +void suspend_set_ops(const struct platform_suspend_ops *ops)
64755 {
64756 mutex_lock(&pm_mutex);
64757 suspend_ops = ops;
64758 diff -urNp linux-2.6.32.43/kernel/printk.c linux-2.6.32.43/kernel/printk.c
64759 --- linux-2.6.32.43/kernel/printk.c 2011-03-27 14:31:47.000000000 -0400
64760 +++ linux-2.6.32.43/kernel/printk.c 2011-04-17 15:56:46.000000000 -0400
64761 @@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
64762 char c;
64763 int error = 0;
64764
64765 +#ifdef CONFIG_GRKERNSEC_DMESG
64766 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
64767 + return -EPERM;
64768 +#endif
64769 +
64770 error = security_syslog(type);
64771 if (error)
64772 return error;
64773 diff -urNp linux-2.6.32.43/kernel/profile.c linux-2.6.32.43/kernel/profile.c
64774 --- linux-2.6.32.43/kernel/profile.c 2011-03-27 14:31:47.000000000 -0400
64775 +++ linux-2.6.32.43/kernel/profile.c 2011-05-04 17:56:28.000000000 -0400
64776 @@ -39,7 +39,7 @@ struct profile_hit {
64777 /* Oprofile timer tick hook */
64778 static int (*timer_hook)(struct pt_regs *) __read_mostly;
64779
64780 -static atomic_t *prof_buffer;
64781 +static atomic_unchecked_t *prof_buffer;
64782 static unsigned long prof_len, prof_shift;
64783
64784 int prof_on __read_mostly;
64785 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
64786 hits[i].pc = 0;
64787 continue;
64788 }
64789 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64790 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64791 hits[i].hits = hits[i].pc = 0;
64792 }
64793 }
64794 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
64795 * Add the current hit(s) and flush the write-queue out
64796 * to the global buffer:
64797 */
64798 - atomic_add(nr_hits, &prof_buffer[pc]);
64799 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
64800 for (i = 0; i < NR_PROFILE_HIT; ++i) {
64801 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
64802 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
64803 hits[i].pc = hits[i].hits = 0;
64804 }
64805 out:
64806 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
64807 if (prof_on != type || !prof_buffer)
64808 return;
64809 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
64810 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64811 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
64812 }
64813 #endif /* !CONFIG_SMP */
64814 EXPORT_SYMBOL_GPL(profile_hits);
64815 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
64816 return -EFAULT;
64817 buf++; p++; count--; read++;
64818 }
64819 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
64820 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
64821 if (copy_to_user(buf, (void *)pnt, count))
64822 return -EFAULT;
64823 read += count;
64824 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
64825 }
64826 #endif
64827 profile_discard_flip_buffers();
64828 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
64829 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
64830 return count;
64831 }
64832
64833 diff -urNp linux-2.6.32.43/kernel/ptrace.c linux-2.6.32.43/kernel/ptrace.c
64834 --- linux-2.6.32.43/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
64835 +++ linux-2.6.32.43/kernel/ptrace.c 2011-05-22 23:02:06.000000000 -0400
64836 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
64837 return ret;
64838 }
64839
64840 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
64841 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
64842 + unsigned int log)
64843 {
64844 const struct cred *cred = current_cred(), *tcred;
64845
64846 @@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
64847 cred->gid != tcred->egid ||
64848 cred->gid != tcred->sgid ||
64849 cred->gid != tcred->gid) &&
64850 - !capable(CAP_SYS_PTRACE)) {
64851 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
64852 + (log && !capable(CAP_SYS_PTRACE)))
64853 + ) {
64854 rcu_read_unlock();
64855 return -EPERM;
64856 }
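Review bot: The capability test `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice, here and in the `!dumpable` check of the next hunk, so the two copies can drift apart. A small static helper (the name `ptrace_has_cap` is only a suggestion) whose body is `return log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE);` would let both sites read `!ptrace_has_cap(log)`. Since `log` is used purely as a flag, `bool` would state the intent better than `unsigned int`. A one-line comment on the parameter should also say that it selects the audited or the silent capability check. `__ptrace_may_access()` starts and ends outside this hunk.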
64857 @@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
64858 smp_rmb();
64859 if (task->mm)
64860 dumpable = get_dumpable(task->mm);
64861 - if (!dumpable && !capable(CAP_SYS_PTRACE))
64862 + if (!dumpable &&
64863 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
64864 + (log && !capable(CAP_SYS_PTRACE))))
64865 return -EPERM;
64866
64867 return security_ptrace_access_check(task, mode);
64868 @@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
64869 {
64870 int err;
64871 task_lock(task);
64872 - err = __ptrace_may_access(task, mode);
64873 + err = __ptrace_may_access(task, mode, 0);
64874 + task_unlock(task);
64875 + return !err;
64876 +}
64877 +
64878 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
64879 +{
64880 + int err;
64881 + task_lock(task);
64882 + err = __ptrace_may_access(task, mode, 1);
64883 task_unlock(task);
64884 return !err;
64885 }
64886 @@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
64887 goto out;
64888
64889 task_lock(task);
64890 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
64891 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
64892 task_unlock(task);
64893 if (retval)
64894 goto unlock_creds;
64895 @@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
64896 goto unlock_tasklist;
64897
64898 task->ptrace = PT_PTRACED;
64899 - if (capable(CAP_SYS_PTRACE))
64900 + if (capable_nolog(CAP_SYS_PTRACE))
64901 task->ptrace |= PT_PTRACE_CAP;
64902
64903 __ptrace_link(task, current);
64904 @@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
64905 {
64906 int copied = 0;
64907
64908 + pax_track_stack();
64909 +
64910 while (len > 0) {
64911 char buf[128];
64912 int this_len, retval;
64913 @@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
64914 {
64915 int copied = 0;
64916
64917 + pax_track_stack();
64918 +
64919 while (len > 0) {
64920 char buf[128];
64921 int this_len, retval;
64922 @@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
64923 int ret = -EIO;
64924 siginfo_t siginfo;
64925
64926 + pax_track_stack();
64927 +
64928 switch (request) {
64929 case PTRACE_PEEKTEXT:
64930 case PTRACE_PEEKDATA:
64931 @@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
64932 ret = ptrace_setoptions(child, data);
64933 break;
64934 case PTRACE_GETEVENTMSG:
64935 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
64936 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
64937 break;
64938
64939 case PTRACE_GETSIGINFO:
64940 ret = ptrace_getsiginfo(child, &siginfo);
64941 if (!ret)
64942 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
64943 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
64944 &siginfo);
64945 break;
64946
64947 case PTRACE_SETSIGINFO:
64948 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
64949 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
64950 sizeof siginfo))
64951 ret = -EFAULT;
64952 else
64953 @@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
64954 goto out;
64955 }
64956
64957 + if (gr_handle_ptrace(child, request)) {
64958 + ret = -EPERM;
64959 + goto out_put_task_struct;
64960 + }
64961 +
64962 if (request == PTRACE_ATTACH) {
64963 ret = ptrace_attach(child);
64964 /*
64965 * Some architectures need to do book-keeping after
64966 * a ptrace attach.
64967 */
64968 - if (!ret)
64969 + if (!ret) {
64970 arch_ptrace_attach(child);
64971 + gr_audit_ptrace(child);
64972 + }
64973 goto out_put_task_struct;
64974 }
64975
64976 @@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
64977 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
64978 if (copied != sizeof(tmp))
64979 return -EIO;
64980 - return put_user(tmp, (unsigned long __user *)data);
64981 + return put_user(tmp, (__force unsigned long __user *)data);
64982 }
64983
64984 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
64985 @@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
64986 siginfo_t siginfo;
64987 int ret;
64988
64989 + pax_track_stack();
64990 +
64991 switch (request) {
64992 case PTRACE_PEEKTEXT:
64993 case PTRACE_PEEKDATA:
64994 @@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
64995 goto out;
64996 }
64997
64998 + if (gr_handle_ptrace(child, request)) {
64999 + ret = -EPERM;
65000 + goto out_put_task_struct;
65001 + }
65002 +
65003 if (request == PTRACE_ATTACH) {
65004 ret = ptrace_attach(child);
65005 /*
65006 * Some architectures need to do book-keeping after
65007 * a ptrace attach.
65008 */
65009 - if (!ret)
65010 + if (!ret) {
65011 arch_ptrace_attach(child);
65012 + gr_audit_ptrace(child);
65013 + }
65014 goto out_put_task_struct;
65015 }
65016
65017 diff -urNp linux-2.6.32.43/kernel/rcutorture.c linux-2.6.32.43/kernel/rcutorture.c
65018 --- linux-2.6.32.43/kernel/rcutorture.c 2011-03-27 14:31:47.000000000 -0400
65019 +++ linux-2.6.32.43/kernel/rcutorture.c 2011-05-04 17:56:28.000000000 -0400
65020 @@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
65021 { 0 };
65022 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
65023 { 0 };
65024 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65025 -static atomic_t n_rcu_torture_alloc;
65026 -static atomic_t n_rcu_torture_alloc_fail;
65027 -static atomic_t n_rcu_torture_free;
65028 -static atomic_t n_rcu_torture_mberror;
65029 -static atomic_t n_rcu_torture_error;
65030 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
65031 +static atomic_unchecked_t n_rcu_torture_alloc;
65032 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
65033 +static atomic_unchecked_t n_rcu_torture_free;
65034 +static atomic_unchecked_t n_rcu_torture_mberror;
65035 +static atomic_unchecked_t n_rcu_torture_error;
65036 static long n_rcu_torture_timers;
65037 static struct list_head rcu_torture_removed;
65038 static cpumask_var_t shuffle_tmp_mask;
65039 @@ -187,11 +187,11 @@ rcu_torture_alloc(void)
65040
65041 spin_lock_bh(&rcu_torture_lock);
65042 if (list_empty(&rcu_torture_freelist)) {
65043 - atomic_inc(&n_rcu_torture_alloc_fail);
65044 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
65045 spin_unlock_bh(&rcu_torture_lock);
65046 return NULL;
65047 }
65048 - atomic_inc(&n_rcu_torture_alloc);
65049 + atomic_inc_unchecked(&n_rcu_torture_alloc);
65050 p = rcu_torture_freelist.next;
65051 list_del_init(p);
65052 spin_unlock_bh(&rcu_torture_lock);
65053 @@ -204,7 +204,7 @@ rcu_torture_alloc(void)
65054 static void
65055 rcu_torture_free(struct rcu_torture *p)
65056 {
65057 - atomic_inc(&n_rcu_torture_free);
65058 + atomic_inc_unchecked(&n_rcu_torture_free);
65059 spin_lock_bh(&rcu_torture_lock);
65060 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
65061 spin_unlock_bh(&rcu_torture_lock);
65062 @@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
65063 i = rp->rtort_pipe_count;
65064 if (i > RCU_TORTURE_PIPE_LEN)
65065 i = RCU_TORTURE_PIPE_LEN;
65066 - atomic_inc(&rcu_torture_wcount[i]);
65067 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
65068 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65069 rp->rtort_mbtest = 0;
65070 rcu_torture_free(rp);
65071 @@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
65072 i = rp->rtort_pipe_count;
65073 if (i > RCU_TORTURE_PIPE_LEN)
65074 i = RCU_TORTURE_PIPE_LEN;
65075 - atomic_inc(&rcu_torture_wcount[i]);
65076 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
65077 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
65078 rp->rtort_mbtest = 0;
65079 list_del(&rp->rtort_free);
65080 @@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
65081 i = old_rp->rtort_pipe_count;
65082 if (i > RCU_TORTURE_PIPE_LEN)
65083 i = RCU_TORTURE_PIPE_LEN;
65084 - atomic_inc(&rcu_torture_wcount[i]);
65085 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
65086 old_rp->rtort_pipe_count++;
65087 cur_ops->deferred_free(old_rp);
65088 }
65089 @@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
65090 return;
65091 }
65092 if (p->rtort_mbtest == 0)
65093 - atomic_inc(&n_rcu_torture_mberror);
65094 + atomic_inc_unchecked(&n_rcu_torture_mberror);
65095 spin_lock(&rand_lock);
65096 cur_ops->read_delay(&rand);
65097 n_rcu_torture_timers++;
65098 @@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
65099 continue;
65100 }
65101 if (p->rtort_mbtest == 0)
65102 - atomic_inc(&n_rcu_torture_mberror);
65103 + atomic_inc_unchecked(&n_rcu_torture_mberror);
65104 cur_ops->read_delay(&rand);
65105 preempt_disable();
65106 pipe_count = p->rtort_pipe_count;
65107 @@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
65108 rcu_torture_current,
65109 rcu_torture_current_version,
65110 list_empty(&rcu_torture_freelist),
65111 - atomic_read(&n_rcu_torture_alloc),
65112 - atomic_read(&n_rcu_torture_alloc_fail),
65113 - atomic_read(&n_rcu_torture_free),
65114 - atomic_read(&n_rcu_torture_mberror),
65115 + atomic_read_unchecked(&n_rcu_torture_alloc),
65116 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
65117 + atomic_read_unchecked(&n_rcu_torture_free),
65118 + atomic_read_unchecked(&n_rcu_torture_mberror),
65119 n_rcu_torture_timers);
65120 - if (atomic_read(&n_rcu_torture_mberror) != 0)
65121 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
65122 cnt += sprintf(&page[cnt], " !!!");
65123 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
65124 if (i > 1) {
65125 cnt += sprintf(&page[cnt], "!!! ");
65126 - atomic_inc(&n_rcu_torture_error);
65127 + atomic_inc_unchecked(&n_rcu_torture_error);
65128 WARN_ON_ONCE(1);
65129 }
65130 cnt += sprintf(&page[cnt], "Reader Pipe: ");
65131 @@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
65132 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
65133 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65134 cnt += sprintf(&page[cnt], " %d",
65135 - atomic_read(&rcu_torture_wcount[i]));
65136 + atomic_read_unchecked(&rcu_torture_wcount[i]));
65137 }
65138 cnt += sprintf(&page[cnt], "\n");
65139 if (cur_ops->stats)
65140 @@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
65141
65142 if (cur_ops->cleanup)
65143 cur_ops->cleanup();
65144 - if (atomic_read(&n_rcu_torture_error))
65145 + if (atomic_read_unchecked(&n_rcu_torture_error))
65146 rcu_torture_print_module_parms("End of test: FAILURE");
65147 else
65148 rcu_torture_print_module_parms("End of test: SUCCESS");
65149 @@ -1138,13 +1138,13 @@ rcu_torture_init(void)
65150
65151 rcu_torture_current = NULL;
65152 rcu_torture_current_version = 0;
65153 - atomic_set(&n_rcu_torture_alloc, 0);
65154 - atomic_set(&n_rcu_torture_alloc_fail, 0);
65155 - atomic_set(&n_rcu_torture_free, 0);
65156 - atomic_set(&n_rcu_torture_mberror, 0);
65157 - atomic_set(&n_rcu_torture_error, 0);
65158 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
65159 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
65160 + atomic_set_unchecked(&n_rcu_torture_free, 0);
65161 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
65162 + atomic_set_unchecked(&n_rcu_torture_error, 0);
65163 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
65164 - atomic_set(&rcu_torture_wcount[i], 0);
65165 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
65166 for_each_possible_cpu(cpu) {
65167 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
65168 per_cpu(rcu_torture_count, cpu)[i] = 0;
65169 diff -urNp linux-2.6.32.43/kernel/rcutree.c linux-2.6.32.43/kernel/rcutree.c
65170 --- linux-2.6.32.43/kernel/rcutree.c 2011-03-27 14:31:47.000000000 -0400
65171 +++ linux-2.6.32.43/kernel/rcutree.c 2011-04-17 15:56:46.000000000 -0400
65172 @@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
65173 /*
65174 * Do softirq processing for the current CPU.
65175 */
65176 -static void rcu_process_callbacks(struct softirq_action *unused)
65177 +static void rcu_process_callbacks(void)
65178 {
65179 /*
65180 * Memory references from any prior RCU read-side critical sections
65181 diff -urNp linux-2.6.32.43/kernel/rcutree_plugin.h linux-2.6.32.43/kernel/rcutree_plugin.h
65182 --- linux-2.6.32.43/kernel/rcutree_plugin.h 2011-03-27 14:31:47.000000000 -0400
65183 +++ linux-2.6.32.43/kernel/rcutree_plugin.h 2011-04-17 15:56:46.000000000 -0400
65184 @@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
65185 */
65186 void __rcu_read_lock(void)
65187 {
65188 - ACCESS_ONCE(current->rcu_read_lock_nesting)++;
65189 + ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
65190 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
65191 }
65192 EXPORT_SYMBOL_GPL(__rcu_read_lock);
65193 @@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
65194 struct task_struct *t = current;
65195
65196 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
65197 - if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
65198 + if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
65199 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
65200 rcu_read_unlock_special(t);
65201 }
65202 diff -urNp linux-2.6.32.43/kernel/relay.c linux-2.6.32.43/kernel/relay.c
65203 --- linux-2.6.32.43/kernel/relay.c 2011-03-27 14:31:47.000000000 -0400
65204 +++ linux-2.6.32.43/kernel/relay.c 2011-05-16 21:46:57.000000000 -0400
65205 @@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
65206 unsigned int flags,
65207 int *nonpad_ret)
65208 {
65209 - unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
65210 + unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
65211 struct rchan_buf *rbuf = in->private_data;
65212 unsigned int subbuf_size = rbuf->chan->subbuf_size;
65213 uint64_t pos = (uint64_t) *ppos;
65214 @@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
65215 .ops = &relay_pipe_buf_ops,
65216 .spd_release = relay_page_release,
65217 };
65218 + ssize_t ret;
65219 +
65220 + pax_track_stack();
65221
65222 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
65223 return 0;
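Review bot: `ret` is now declared `ssize_t`, while the hunk header shows `subbuf_splice_actor` returning `int`, so any `return ret` further down narrows the value on 64-bit builds. The uses of `ret` are outside this hunk; presumably the type change exists so that a negative result can be tested, which the old `unsigned int` could not represent. A short comment on the declaration, such as `/* signed so that a negative error return is not lost */`, would record that. It is also worth confirming that every value stored in `ret` fits the function's `int` return.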
65224 diff -urNp linux-2.6.32.43/kernel/resource.c linux-2.6.32.43/kernel/resource.c
65225 --- linux-2.6.32.43/kernel/resource.c 2011-03-27 14:31:47.000000000 -0400
65226 +++ linux-2.6.32.43/kernel/resource.c 2011-04-17 15:56:46.000000000 -0400
65227 @@ -132,8 +132,18 @@ static const struct file_operations proc
65228
65229 static int __init ioresources_init(void)
65230 {
65231 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
65232 +#ifdef CONFIG_GRKERNSEC_PROC_USER
65233 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
65234 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
65235 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65236 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
65237 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
65238 +#endif
65239 +#else
65240 proc_create("ioports", 0, NULL, &proc_ioports_operations);
65241 proc_create("iomem", 0, NULL, &proc_iomem_operations);
65242 +#endif
65243 return 0;
65244 }
65245 __initcall(ioresources_init);
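Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` defined, the inner `#ifdef`/`#elif` chain has no `#else`, so `ioresources_init` registers neither `ioports` nor `iomem`. If Kconfig guarantees that one of the two is always selected together with `PROC_ADD` (not visible here), a comment saying so above the inner `#ifdef` would help. Otherwise add an inner `#else` that falls back to the most restrictive pair, `proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);` and the matching `iomem` line.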
65246 diff -urNp linux-2.6.32.43/kernel/rtmutex.c linux-2.6.32.43/kernel/rtmutex.c
65247 --- linux-2.6.32.43/kernel/rtmutex.c 2011-03-27 14:31:47.000000000 -0400
65248 +++ linux-2.6.32.43/kernel/rtmutex.c 2011-04-17 15:56:46.000000000 -0400
65249 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
65250 */
65251 spin_lock_irqsave(&pendowner->pi_lock, flags);
65252
65253 - WARN_ON(!pendowner->pi_blocked_on);
65254 + BUG_ON(!pendowner->pi_blocked_on);
65255 WARN_ON(pendowner->pi_blocked_on != waiter);
65256 WARN_ON(pendowner->pi_blocked_on->lock != lock);
65257
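Review bot: The switch to `BUG_ON(!pendowner->pi_blocked_on)` has no comment explaining why this one check halts while the two after it still only warn. The likely reason is visible two lines down: `pendowner->pi_blocked_on->lock` is dereferenced inside the last `WARN_ON`, so a NULL here would fault anyway. The halt now happens while `pendowner->pi_lock` is held with interrupts saved, though. A comment such as `/* NULL here would be dereferenced below; stop before that */` would make the intent clear. The same applies to the `BUG_ON(!sd || !sd->groups)` change in `init_sched_groups_power` in kernel/sched.c, where `sd->groups` is used by the next statement.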
65258 diff -urNp linux-2.6.32.43/kernel/rtmutex-tester.c linux-2.6.32.43/kernel/rtmutex-tester.c
65259 --- linux-2.6.32.43/kernel/rtmutex-tester.c 2011-03-27 14:31:47.000000000 -0400
65260 +++ linux-2.6.32.43/kernel/rtmutex-tester.c 2011-05-04 17:56:28.000000000 -0400
65261 @@ -21,7 +21,7 @@
65262 #define MAX_RT_TEST_MUTEXES 8
65263
65264 static spinlock_t rttest_lock;
65265 -static atomic_t rttest_event;
65266 +static atomic_unchecked_t rttest_event;
65267
65268 struct test_thread_data {
65269 int opcode;
65270 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
65271
65272 case RTTEST_LOCKCONT:
65273 td->mutexes[td->opdata] = 1;
65274 - td->event = atomic_add_return(1, &rttest_event);
65275 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65276 return 0;
65277
65278 case RTTEST_RESET:
65279 @@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
65280 return 0;
65281
65282 case RTTEST_RESETEVENT:
65283 - atomic_set(&rttest_event, 0);
65284 + atomic_set_unchecked(&rttest_event, 0);
65285 return 0;
65286
65287 default:
65288 @@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
65289 return ret;
65290
65291 td->mutexes[id] = 1;
65292 - td->event = atomic_add_return(1, &rttest_event);
65293 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65294 rt_mutex_lock(&mutexes[id]);
65295 - td->event = atomic_add_return(1, &rttest_event);
65296 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65297 td->mutexes[id] = 4;
65298 return 0;
65299
65300 @@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
65301 return ret;
65302
65303 td->mutexes[id] = 1;
65304 - td->event = atomic_add_return(1, &rttest_event);
65305 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65306 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
65307 - td->event = atomic_add_return(1, &rttest_event);
65308 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65309 td->mutexes[id] = ret ? 0 : 4;
65310 return ret ? -EINTR : 0;
65311
65312 @@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
65313 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
65314 return ret;
65315
65316 - td->event = atomic_add_return(1, &rttest_event);
65317 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65318 rt_mutex_unlock(&mutexes[id]);
65319 - td->event = atomic_add_return(1, &rttest_event);
65320 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65321 td->mutexes[id] = 0;
65322 return 0;
65323
65324 @@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
65325 break;
65326
65327 td->mutexes[dat] = 2;
65328 - td->event = atomic_add_return(1, &rttest_event);
65329 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65330 break;
65331
65332 case RTTEST_LOCKBKL:
65333 @@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
65334 return;
65335
65336 td->mutexes[dat] = 3;
65337 - td->event = atomic_add_return(1, &rttest_event);
65338 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65339 break;
65340
65341 case RTTEST_LOCKNOWAIT:
65342 @@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
65343 return;
65344
65345 td->mutexes[dat] = 1;
65346 - td->event = atomic_add_return(1, &rttest_event);
65347 + td->event = atomic_add_return_unchecked(1, &rttest_event);
65348 return;
65349
65350 case RTTEST_LOCKBKL:
65351 diff -urNp linux-2.6.32.43/kernel/sched.c linux-2.6.32.43/kernel/sched.c
65352 --- linux-2.6.32.43/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400
65353 +++ linux-2.6.32.43/kernel/sched.c 2011-05-22 23:02:06.000000000 -0400
65354 @@ -5043,7 +5043,7 @@ out:
65355 * In CONFIG_NO_HZ case, the idle load balance owner will do the
65356 * rebalancing for all the cpus for whom scheduler ticks are stopped.
65357 */
65358 -static void run_rebalance_domains(struct softirq_action *h)
65359 +static void run_rebalance_domains(void)
65360 {
65361 int this_cpu = smp_processor_id();
65362 struct rq *this_rq = cpu_rq(this_cpu);
65363 @@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void)
65364 struct rq *rq;
65365 int cpu;
65366
65367 + pax_track_stack();
65368 +
65369 need_resched:
65370 preempt_disable();
65371 cpu = smp_processor_id();
65372 @@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule);
65373 * Look out! "owner" is an entirely speculative pointer
65374 * access and not reliable.
65375 */
65376 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
65377 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
65378 {
65379 unsigned int cpu;
65380 struct rq *rq;
65381 @@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lo
65382 * DEBUG_PAGEALLOC could have unmapped it if
65383 * the mutex owner just released it and exited.
65384 */
65385 - if (probe_kernel_address(&owner->cpu, cpu))
65386 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
65387 return 0;
65388 #else
65389 - cpu = owner->cpu;
65390 + cpu = task_thread_info(owner)->cpu;
65391 #endif
65392
65393 /*
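Review bot: In the `CONFIG_DEBUG_PAGEALLOC` branch, `probe_kernel_address(&task_thread_info(owner)->cpu, cpu)` only guards the final read of `cpu`; the expression `task_thread_info(owner)` is evaluated before the probe. The comment above the function calls `owner` an entirely speculative pointer, so if `task_thread_info()` loads a field of `*owner` on a given architecture (its definition is not in this diff section), that load is unprotected and the guard covers less than it did when `owner` was the `thread_info` itself. The same extra dependency exists in the `#else` branch with `cpu = task_thread_info(owner)->cpu;`. Where the macro is a load rather than address arithmetic, probe that field first and then the `cpu` field. The function body starts and ends outside this hunk.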
65394 @@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lo
65395 /*
65396 * Is that owner really running on that cpu?
65397 */
65398 - if (task_thread_info(rq->curr) != owner || need_resched())
65399 + if (rq->curr != owner || need_resched())
65400 return 0;
65401
65402 cpu_relax();
65403 @@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p
65404 /* convert nice value [19,-20] to rlimit style value [1,40] */
65405 int nice_rlim = 20 - nice;
65406
65407 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
65408 +
65409 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
65410 capable(CAP_SYS_NICE));
65411 }
65412 @@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment)
65413 if (nice > 19)
65414 nice = 19;
65415
65416 - if (increment < 0 && !can_nice(current, nice))
65417 + if (increment < 0 && (!can_nice(current, nice) ||
65418 + gr_handle_chroot_nice()))
65419 return -EPERM;
65420
65421 retval = security_task_setnice(current, nice);
65422 @@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int
65423 long power;
65424 int weight;
65425
65426 - WARN_ON(!sd || !sd->groups);
65427 + BUG_ON(!sd || !sd->groups);
65428
65429 if (cpu != group_first_cpu(sd->groups))
65430 return;
65431 diff -urNp linux-2.6.32.43/kernel/signal.c linux-2.6.32.43/kernel/signal.c
65432 --- linux-2.6.32.43/kernel/signal.c 2011-04-17 17:00:52.000000000 -0400
65433 +++ linux-2.6.32.43/kernel/signal.c 2011-07-14 20:33:33.000000000 -0400
65434 @@ -41,12 +41,12 @@
65435
65436 static struct kmem_cache *sigqueue_cachep;
65437
65438 -static void __user *sig_handler(struct task_struct *t, int sig)
65439 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
65440 {
65441 return t->sighand->action[sig - 1].sa.sa_handler;
65442 }
65443
65444 -static int sig_handler_ignored(void __user *handler, int sig)
65445 +static int sig_handler_ignored(__sighandler_t handler, int sig)
65446 {
65447 /* Is it explicitly or implicitly ignored? */
65448 return handler == SIG_IGN ||
65449 @@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
65450 static int sig_task_ignored(struct task_struct *t, int sig,
65451 int from_ancestor_ns)
65452 {
65453 - void __user *handler;
65454 + __sighandler_t handler;
65455
65456 handler = sig_handler(t, sig);
65457
65458 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
65459 */
65460 user = get_uid(__task_cred(t)->user);
65461 atomic_inc(&user->sigpending);
65462 +
65463 + if (!override_rlimit)
65464 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
65465 if (override_rlimit ||
65466 atomic_read(&user->sigpending) <=
65467 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
65468 @@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
65469
65470 int unhandled_signal(struct task_struct *tsk, int sig)
65471 {
65472 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
65473 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
65474 if (is_global_init(tsk))
65475 return 1;
65476 if (handler != SIG_IGN && handler != SIG_DFL)
65477 @@ -627,6 +630,12 @@ static int check_kill_permission(int sig
65478 }
65479 }
65480
65481 + /* allow glibc communication via tgkill to other threads in our
65482 + thread group */
65483 + if ((info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||
65484 + task_tgid_vnr(t) != info->si_pid) && gr_handle_signal(t, sig))
65485 + return -EPERM;
65486 +
65487 return security_task_kill(t, info, sig, 0);
65488 }
65489
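Review bot: The added condition reads `info->si_code` and `info->si_pid` without first ruling out the special `info` sentinels, which the other additions in this file do guard against with `!is_si_special(info)` before touching `info->si_addr` (in `force_sig_info` and `group_send_sig_info`). The earlier part of `check_kill_permission` is outside the hunk, so it is not certain that a sentinel can reach this point. If one can, this dereferences a non-pointer value in the signal-permission path. Treating a sentinel as not eligible for the exemption keeps the policy check in force: `if ((is_si_special(info) || info->si_code != SI_TKILL || sig != (SIGRTMIN+1) ||` followed by the existing `task_tgid_vnr(t) != info->si_pid) && gr_handle_signal(t, sig))`.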
65490 @@ -968,7 +977,7 @@ __group_send_sig_info(int sig, struct si
65491 return send_signal(sig, info, p, 1);
65492 }
65493
65494 -static int
65495 +int
65496 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
65497 {
65498 return send_signal(sig, info, t, 0);
65499 @@ -1005,6 +1014,7 @@ force_sig_info(int sig, struct siginfo *
65500 unsigned long int flags;
65501 int ret, blocked, ignored;
65502 struct k_sigaction *action;
65503 + int is_unhandled = 0;
65504
65505 spin_lock_irqsave(&t->sighand->siglock, flags);
65506 action = &t->sighand->action[sig-1];
65507 @@ -1019,9 +1029,18 @@ force_sig_info(int sig, struct siginfo *
65508 }
65509 if (action->sa.sa_handler == SIG_DFL)
65510 t->signal->flags &= ~SIGNAL_UNKILLABLE;
65511 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
65512 + is_unhandled = 1;
65513 ret = specific_send_sig_info(sig, info, t);
65514 spin_unlock_irqrestore(&t->sighand->siglock, flags);
65515
65516 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
65517 + normal operation */
65518 + if (is_unhandled) {
65519 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
65520 + gr_handle_crash(t, sig);
65521 + }
65522 +
65523 return ret;
65524 }
65525
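Review bot: `gr_log_signal` and `gr_handle_crash` run whenever `is_unhandled` is set, without looking at `ret`, whereas the `group_send_sig_info` change in this file logs only when `!ret`. If `specific_send_sig_info` fails, the crash handling is still applied for a signal that was not queued. If that is intended, the comment should say so; otherwise use `if (is_unhandled && !ret) {`. The comment could also note that the handler is sampled under `siglock` and acted on after the unlock. The function starts outside this hunk.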
65526 @@ -1081,8 +1100,11 @@ int group_send_sig_info(int sig, struct
65527 {
65528 int ret = check_kill_permission(sig, info, p);
65529
65530 - if (!ret && sig)
65531 + if (!ret && sig) {
65532 ret = do_send_sig_info(sig, info, p, true);
65533 + if (!ret)
65534 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
65535 + }
65536
65537 return ret;
65538 }
65539 @@ -1644,6 +1666,8 @@ void ptrace_notify(int exit_code)
65540 {
65541 siginfo_t info;
65542
65543 + pax_track_stack();
65544 +
65545 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
65546
65547 memset(&info, 0, sizeof info);
65548 @@ -2275,7 +2299,15 @@ do_send_specific(pid_t tgid, pid_t pid,
65549 int error = -ESRCH;
65550
65551 rcu_read_lock();
65552 - p = find_task_by_vpid(pid);
65553 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
65554 + /* allow glibc communication via tgkill to other threads in our
65555 + thread group */
65556 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
65557 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
65558 + p = find_task_by_vpid_unrestricted(pid);
65559 + else
65560 +#endif
65561 + p = find_task_by_vpid(pid);
65562 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
65563 error = check_kill_permission(sig, info, p);
65564 /*
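Review bot: The exemption is described as covering "other threads in our thread group", but the condition compares `tgid` with `info->si_pid` and never with the caller's own thread group. That matches the comment only if every caller has the kernel fill `si_pid` with the sender's tgid; the callers are outside this hunk, so this should be confirmed. Comparing against `task_tgid_vnr(current)` would make the check independent of how `info` was built. Separately, the `else` that ends inside the `#ifdef` and binds to the `p = find_task_by_vpid(pid);` after `#endif` is easy to break in a later edit; a small helper that returns `p` would keep the preprocessor out of the statement.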
65565 diff -urNp linux-2.6.32.43/kernel/smp.c linux-2.6.32.43/kernel/smp.c
65566 --- linux-2.6.32.43/kernel/smp.c 2011-03-27 14:31:47.000000000 -0400
65567 +++ linux-2.6.32.43/kernel/smp.c 2011-04-17 15:56:46.000000000 -0400
65568 @@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
65569 }
65570 EXPORT_SYMBOL(smp_call_function);
65571
65572 -void ipi_call_lock(void)
65573 +void ipi_call_lock(void) __acquires(call_function.lock)
65574 {
65575 spin_lock(&call_function.lock);
65576 }
65577
65578 -void ipi_call_unlock(void)
65579 +void ipi_call_unlock(void) __releases(call_function.lock)
65580 {
65581 spin_unlock(&call_function.lock);
65582 }
65583
65584 -void ipi_call_lock_irq(void)
65585 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
65586 {
65587 spin_lock_irq(&call_function.lock);
65588 }
65589
65590 -void ipi_call_unlock_irq(void)
65591 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
65592 {
65593 spin_unlock_irq(&call_function.lock);
65594 }
65595 diff -urNp linux-2.6.32.43/kernel/softirq.c linux-2.6.32.43/kernel/softirq.c
65596 --- linux-2.6.32.43/kernel/softirq.c 2011-03-27 14:31:47.000000000 -0400
65597 +++ linux-2.6.32.43/kernel/softirq.c 2011-08-05 20:33:55.000000000 -0400
65598 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
65599
65600 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
65601
65602 -char *softirq_to_name[NR_SOFTIRQS] = {
65603 +const char * const softirq_to_name[NR_SOFTIRQS] = {
65604 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
65605 "TASKLET", "SCHED", "HRTIMER", "RCU"
65606 };
65607 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
65608
65609 asmlinkage void __do_softirq(void)
65610 {
65611 - struct softirq_action *h;
65612 + const struct softirq_action *h;
65613 __u32 pending;
65614 int max_restart = MAX_SOFTIRQ_RESTART;
65615 int cpu;
65616 @@ -233,7 +233,7 @@ restart:
65617 kstat_incr_softirqs_this_cpu(h - softirq_vec);
65618
65619 trace_softirq_entry(h, softirq_vec);
65620 - h->action(h);
65621 + h->action();
65622 trace_softirq_exit(h, softirq_vec);
65623 if (unlikely(prev_count != preempt_count())) {
65624 printk(KERN_ERR "huh, entered softirq %td %s %p"
65625 @@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
65626 local_irq_restore(flags);
65627 }
65628
65629 -void open_softirq(int nr, void (*action)(struct softirq_action *))
65630 +void open_softirq(int nr, void (*action)(void))
65631 {
65632 - softirq_vec[nr].action = action;
65633 + pax_open_kernel();
65634 + *(void **)&softirq_vec[nr].action = action;
65635 + pax_close_kernel();
65636 }
65637
65638 /*
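Review bot: `nr` is used unchecked as an index for a store made between `pax_open_kernel()` and `pax_close_kernel()`, which presumably lifts write protection on the table for that window. `softirq_to_name` in the same file is sized `NR_SOFTIRQS`, and a check such as `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);` before `pax_open_kernel()` would keep an out-of-range `nr` from turning into a write to neighbouring protected data. The `*(void **)&` cast also converts a function pointer through `void *` and drops the type check on `action`. A comment stating that the cast is there only to write through a member that is now const (an assumption; the struct change is not in this section) would help the next reader.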
65639 @@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
65640
65641 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
65642
65643 -static void tasklet_action(struct softirq_action *a)
65644 +static void tasklet_action(void)
65645 {
65646 struct tasklet_struct *list;
65647
65648 @@ -454,7 +456,7 @@ static void tasklet_action(struct softir
65649 }
65650 }
65651
65652 -static void tasklet_hi_action(struct softirq_action *a)
65653 +static void tasklet_hi_action(void)
65654 {
65655 struct tasklet_struct *list;
65656
65657 diff -urNp linux-2.6.32.43/kernel/sys.c linux-2.6.32.43/kernel/sys.c
65658 --- linux-2.6.32.43/kernel/sys.c 2011-03-27 14:31:47.000000000 -0400
65659 +++ linux-2.6.32.43/kernel/sys.c 2011-04-17 15:56:46.000000000 -0400
65660 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
65661 error = -EACCES;
65662 goto out;
65663 }
65664 +
65665 + if (gr_handle_chroot_setpriority(p, niceval)) {
65666 + error = -EACCES;
65667 + goto out;
65668 + }
65669 +
65670 no_nice = security_task_setnice(p, niceval);
65671 if (no_nice) {
65672 error = no_nice;
65673 @@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
65674 !(user = find_user(who)))
65675 goto out_unlock; /* No processes for this user */
65676
65677 - do_each_thread(g, p)
65678 + do_each_thread(g, p) {
65679 if (__task_cred(p)->uid == who)
65680 error = set_one_prio(p, niceval, error);
65681 - while_each_thread(g, p);
65682 + } while_each_thread(g, p);
65683 if (who != cred->uid)
65684 free_uid(user); /* For find_user() */
65685 break;
65686 @@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
65687 !(user = find_user(who)))
65688 goto out_unlock; /* No processes for this user */
65689
65690 - do_each_thread(g, p)
65691 + do_each_thread(g, p) {
65692 if (__task_cred(p)->uid == who) {
65693 niceval = 20 - task_nice(p);
65694 if (niceval > retval)
65695 retval = niceval;
65696 }
65697 - while_each_thread(g, p);
65698 + } while_each_thread(g, p);
65699 if (who != cred->uid)
65700 free_uid(user); /* for find_user() */
65701 break;
65702 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
65703 goto error;
65704 }
65705
65706 + if (gr_check_group_change(new->gid, new->egid, -1))
65707 + goto error;
65708 +
65709 if (rgid != (gid_t) -1 ||
65710 (egid != (gid_t) -1 && egid != old->gid))
65711 new->sgid = new->egid;
65712 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
65713 goto error;
65714
65715 retval = -EPERM;
65716 +
65717 + if (gr_check_group_change(gid, gid, gid))
65718 + goto error;
65719 +
65720 if (capable(CAP_SETGID))
65721 new->gid = new->egid = new->sgid = new->fsgid = gid;
65722 else if (gid == old->gid || gid == old->sgid)
65723 @@ -627,6 +640,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
65724 goto error;
65725 }
65726
65727 + if (gr_check_user_change(new->uid, new->euid, -1))
65728 + goto error;
65729 +
65730 if (new->uid != old->uid) {
65731 retval = set_user(new);
65732 if (retval < 0)
65733 @@ -675,6 +691,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
65734 goto error;
65735
65736 retval = -EPERM;
65737 +
65738 + if (gr_check_crash_uid(uid))
65739 + goto error;
65740 + if (gr_check_user_change(uid, uid, uid))
65741 + goto error;
65742 +
65743 if (capable(CAP_SETUID)) {
65744 new->suid = new->uid = uid;
65745 if (uid != old->uid) {
65746 @@ -732,6 +754,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
65747 goto error;
65748 }
65749
65750 + if (gr_check_user_change(ruid, euid, -1))
65751 + goto error;
65752 +
65753 if (ruid != (uid_t) -1) {
65754 new->uid = ruid;
65755 if (ruid != old->uid) {
65756 @@ -800,6 +825,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
65757 goto error;
65758 }
65759
65760 + if (gr_check_group_change(rgid, egid, -1))
65761 + goto error;
65762 +
65763 if (rgid != (gid_t) -1)
65764 new->gid = rgid;
65765 if (egid != (gid_t) -1)
65766 @@ -849,6 +877,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
65767 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
65768 goto error;
65769
65770 + if (gr_check_user_change(-1, -1, uid))
65771 + goto error;
65772 +
65773 if (uid == old->uid || uid == old->euid ||
65774 uid == old->suid || uid == old->fsuid ||
65775 capable(CAP_SETUID)) {
65776 @@ -889,6 +920,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
65777 if (gid == old->gid || gid == old->egid ||
65778 gid == old->sgid || gid == old->fsgid ||
65779 capable(CAP_SETGID)) {
65780 + if (gr_check_group_change(-1, -1, gid))
65781 + goto error;
65782 +
65783 if (gid != old_fsgid) {
65784 new->fsgid = gid;
65785 goto change_okay;
65786 @@ -1454,7 +1488,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
65787 error = get_dumpable(me->mm);
65788 break;
65789 case PR_SET_DUMPABLE:
65790 - if (arg2 < 0 || arg2 > 1) {
65791 + if (arg2 > 1) {
65792 error = -EINVAL;
65793 break;
65794 }
65795 diff -urNp linux-2.6.32.43/kernel/sysctl.c linux-2.6.32.43/kernel/sysctl.c
65796 --- linux-2.6.32.43/kernel/sysctl.c 2011-03-27 14:31:47.000000000 -0400
65797 +++ linux-2.6.32.43/kernel/sysctl.c 2011-04-17 15:56:46.000000000 -0400
65798 @@ -63,6 +63,13 @@
65799 static int deprecated_sysctl_warning(struct __sysctl_args *args);
65800
65801 #if defined(CONFIG_SYSCTL)
65802 +#include <linux/grsecurity.h>
65803 +#include <linux/grinternal.h>
65804 +
65805 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
65806 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
65807 + const int op);
65808 +extern int gr_handle_chroot_sysctl(const int op);
65809
65810 /* External variables not in a header file. */
65811 extern int C_A_D;
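Review bot: The three `gr_handle_*` prototypes are declared with `extern` in the .c file directly after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included. Local prototypes are not checked against the definitions, so a later signature change would compile silently with mismatched arguments; moving them into one of those headers avoids that. The same pattern appears in a later hunk of this file with `extern ctl_table grsecurity_table[];` and in kernel/taskstats.c with `extern int gr_is_taskstats_denied(int pid);`.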
65812 @@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
65813 static int proc_taint(struct ctl_table *table, int write,
65814 void __user *buffer, size_t *lenp, loff_t *ppos);
65815 #endif
65816 +extern ctl_table grsecurity_table[];
65817
65818 static struct ctl_table root_table[];
65819 static struct ctl_table_root sysctl_table_root;
65820 @@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
65821 int sysctl_legacy_va_layout;
65822 #endif
65823
65824 +#ifdef CONFIG_PAX_SOFTMODE
65825 +static ctl_table pax_table[] = {
65826 + {
65827 + .ctl_name = CTL_UNNUMBERED,
65828 + .procname = "softmode",
65829 + .data = &pax_softmode,
65830 + .maxlen = sizeof(unsigned int),
65831 + .mode = 0600,
65832 + .proc_handler = &proc_dointvec,
65833 + },
65834 +
65835 + { .ctl_name = 0 }
65836 +};
65837 +#endif
65838 +
65839 extern int prove_locking;
65840 extern int lock_stat;
65841
65842 @@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
65843 #endif
65844
65845 static struct ctl_table kern_table[] = {
65846 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
65847 + {
65848 + .ctl_name = CTL_UNNUMBERED,
65849 + .procname = "grsecurity",
65850 + .mode = 0500,
65851 + .child = grsecurity_table,
65852 + },
65853 +#endif
65854 +
65855 +#ifdef CONFIG_PAX_SOFTMODE
65856 + {
65857 + .ctl_name = CTL_UNNUMBERED,
65858 + .procname = "pax",
65859 + .mode = 0500,
65860 + .child = pax_table,
65861 + },
65862 +#endif
65863 +
65864 {
65865 .ctl_name = CTL_UNNUMBERED,
65866 .procname = "sched_child_runs_first",
65867 @@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
65868 .data = &modprobe_path,
65869 .maxlen = KMOD_PATH_LEN,
65870 .mode = 0644,
65871 - .proc_handler = &proc_dostring,
65872 - .strategy = &sysctl_string,
65873 + .proc_handler = &proc_dostring_modpriv,
65874 + .strategy = &sysctl_string_modpriv,
65875 },
65876 {
65877 .ctl_name = CTL_UNNUMBERED,
65878 @@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
65879 .mode = 0644,
65880 .proc_handler = &proc_dointvec
65881 },
65882 + {
65883 + .procname = "heap_stack_gap",
65884 + .data = &sysctl_heap_stack_gap,
65885 + .maxlen = sizeof(sysctl_heap_stack_gap),
65886 + .mode = 0644,
65887 + .proc_handler = proc_doulongvec_minmax,
65888 + },
65889 #else
65890 {
65891 .ctl_name = CTL_UNNUMBERED,
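Review bot: The new `heap_stack_gap` entry is written differently from its neighbours: it omits `.ctl_name = CTL_UNNUMBERED` and passes `proc_doulongvec_minmax` without the `&` used on the entry just above. It also selects the min/max handler without setting `.extra1` or `.extra2`, so no lower or upper bound is supplied for a value that is writable at mode 0644. If an unbounded value is intended, the entry deserves a comment saying so; otherwise add the bounds.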
65892 @@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
65893 return 0;
65894 }
65895
65896 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
65897 +
65898 static int parse_table(int __user *name, int nlen,
65899 void __user *oldval, size_t __user *oldlenp,
65900 void __user *newval, size_t newlen,
65901 @@ -1821,7 +1871,7 @@ repeat:
65902 if (n == table->ctl_name) {
65903 int error;
65904 if (table->child) {
65905 - if (sysctl_perm(root, table, MAY_EXEC))
65906 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
65907 return -EPERM;
65908 name++;
65909 nlen--;
65910 @@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
65911 int error;
65912 int mode;
65913
65914 + if (table->parent != NULL && table->parent->procname != NULL &&
65915 + table->procname != NULL &&
65916 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
65917 + return -EACCES;
65918 + if (gr_handle_chroot_sysctl(op))
65919 + return -EACCES;
65920 + error = gr_handle_sysctl(table, op);
65921 + if (error)
65922 + return error;
65923 +
65924 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
65925 + if (error)
65926 + return error;
65927 +
65928 + if (root->permissions)
65929 + mode = root->permissions(root, current->nsproxy, table);
65930 + else
65931 + mode = table->mode;
65932 +
65933 + return test_perm(mode, op);
65934 +}
65935 +
65936 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
65937 +{
65938 + int error;
65939 + int mode;
65940 +
65941 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
65942 if (error)
65943 return error;
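Review bot: `sysctl_perm_nochk` is a copy of the tail of `sysctl_perm` (the `security_sysctl` call, the `root->permissions` lookup and `test_perm`), so the two can drift apart. After its `gr_handle_*` checks, `sysctl_perm` could simply end with `return sysctl_perm_nochk(root, table, op);`. The definition should also repeat the `static` of the forward declaration added above `parse_table`, i.e. `static int sysctl_perm_nochk(...)`. Neither function has a comment saying that the `_nochk` variant skips the grsecurity checks and is used for the directory step in `parse_table`; one line on each would help. The end of `sysctl_perm_nochk` is outside the hunk.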
65944 @@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
65945 buffer, lenp, ppos);
65946 }
65947
65948 +int proc_dostring_modpriv(struct ctl_table *table, int write,
65949 + void __user *buffer, size_t *lenp, loff_t *ppos)
65950 +{
65951 + if (write && !capable(CAP_SYS_MODULE))
65952 + return -EPERM;
65953 +
65954 + return _proc_do_string(table->data, table->maxlen, write,
65955 + buffer, lenp, ppos);
65956 +}
65957 +
65958
65959 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
65960 int *valp,
65961 @@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
65962 vleft = table->maxlen / sizeof(unsigned long);
65963 left = *lenp;
65964
65965 - for (; left && vleft--; i++, min++, max++, first=0) {
65966 + for (; left && vleft--; i++, first=0) {
65967 if (write) {
65968 while (left) {
65969 char c;
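Review bot: Dropping `min++, max++` from the loop header changes how bounds apply to vectors, and the hunk adds no comment about it. `min` and `max` now keep their initial values on every iteration, so all elements are checked against a single pair of bounds. The loop body is outside the hunk, so how they are read is not visible here. A comment above the loop such as `/* min/max are not advanced: one bound pair applies to every element */` would record the intent, and any table that passes per-element bound arrays to this handler should be checked.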
65970 @@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
65971 return -ENOSYS;
65972 }
65973
65974 +int proc_dostring_modpriv(struct ctl_table *table, int write,
65975 + void __user *buffer, size_t *lenp, loff_t *ppos)
65976 +{
65977 + return -ENOSYS;
65978 +}
65979 +
65980 int proc_dointvec(struct ctl_table *table, int write,
65981 void __user *buffer, size_t *lenp, loff_t *ppos)
65982 {
65983 @@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
65984 return 1;
65985 }
65986
65987 +int sysctl_string_modpriv(struct ctl_table *table,
65988 + void __user *oldval, size_t __user *oldlenp,
65989 + void __user *newval, size_t newlen)
65990 +{
65991 + if (newval && newlen && !capable(CAP_SYS_MODULE))
65992 + return -EPERM;
65993 +
65994 + return sysctl_string(table, oldval, oldlenp, newval, newlen);
65995 +}
65996 +
65997 /*
65998 * This function makes sure that all of the integers in the vector
65999 * are between the minimum and maximum values given in the arrays
66000 @@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
66001 return -ENOSYS;
66002 }
66003
66004 +int sysctl_string_modpriv(struct ctl_table *table,
66005 + void __user *oldval, size_t __user *oldlenp,
66006 + void __user *newval, size_t newlen)
66007 +{
66008 + return -ENOSYS;
66009 +}
66010 +
66011 int sysctl_intvec(struct ctl_table *table,
66012 void __user *oldval, size_t __user *oldlenp,
66013 void __user *newval, size_t newlen)
66014 @@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
66015 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
66016 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
66017 EXPORT_SYMBOL(proc_dostring);
66018 +EXPORT_SYMBOL(proc_dostring_modpriv);
66019 EXPORT_SYMBOL(proc_doulongvec_minmax);
66020 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
66021 EXPORT_SYMBOL(register_sysctl_table);
66022 @@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
66023 EXPORT_SYMBOL(sysctl_jiffies);
66024 EXPORT_SYMBOL(sysctl_ms_jiffies);
66025 EXPORT_SYMBOL(sysctl_string);
66026 +EXPORT_SYMBOL(sysctl_string_modpriv);
66027 EXPORT_SYMBOL(sysctl_data);
66028 EXPORT_SYMBOL(unregister_sysctl_table);
66029 diff -urNp linux-2.6.32.43/kernel/sysctl_check.c linux-2.6.32.43/kernel/sysctl_check.c
66030 --- linux-2.6.32.43/kernel/sysctl_check.c 2011-03-27 14:31:47.000000000 -0400
66031 +++ linux-2.6.32.43/kernel/sysctl_check.c 2011-04-17 15:56:46.000000000 -0400
66032 @@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
66033 } else {
66034 if ((table->strategy == sysctl_data) ||
66035 (table->strategy == sysctl_string) ||
66036 + (table->strategy == sysctl_string_modpriv) ||
66037 (table->strategy == sysctl_intvec) ||
66038 (table->strategy == sysctl_jiffies) ||
66039 (table->strategy == sysctl_ms_jiffies) ||
66040 (table->proc_handler == proc_dostring) ||
66041 + (table->proc_handler == proc_dostring_modpriv) ||
66042 (table->proc_handler == proc_dointvec) ||
66043 (table->proc_handler == proc_dointvec_minmax) ||
66044 (table->proc_handler == proc_dointvec_jiffies) ||
66045 diff -urNp linux-2.6.32.43/kernel/taskstats.c linux-2.6.32.43/kernel/taskstats.c
66046 --- linux-2.6.32.43/kernel/taskstats.c 2011-07-13 17:23:04.000000000 -0400
66047 +++ linux-2.6.32.43/kernel/taskstats.c 2011-07-13 17:23:19.000000000 -0400
66048 @@ -26,9 +26,12 @@
66049 #include <linux/cgroup.h>
66050 #include <linux/fs.h>
66051 #include <linux/file.h>
66052 +#include <linux/grsecurity.h>
66053 #include <net/genetlink.h>
66054 #include <asm/atomic.h>
66055
66056 +extern int gr_is_taskstats_denied(int pid);
66057 +
66058 /*
66059 * Maximum length of a cpumask that can be specified in
66060 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
66061 @@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
66062 size_t size;
66063 cpumask_var_t mask;
66064
66065 + if (gr_is_taskstats_denied(current->pid))
66066 + return -EACCES;
66067 +
66068 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
66069 return -ENOMEM;
66070
66071 diff -urNp linux-2.6.32.43/kernel/time/tick-broadcast.c linux-2.6.32.43/kernel/time/tick-broadcast.c
66072 --- linux-2.6.32.43/kernel/time/tick-broadcast.c 2011-05-23 16:56:59.000000000 -0400
66073 +++ linux-2.6.32.43/kernel/time/tick-broadcast.c 2011-05-23 16:57:13.000000000 -0400
66074 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
66075 * then clear the broadcast bit.
66076 */
66077 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
66078 - int cpu = smp_processor_id();
66079 + cpu = smp_processor_id();
66080
66081 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
66082 tick_broadcast_clear_oneshot(cpu);
66083 diff -urNp linux-2.6.32.43/kernel/time/timekeeping.c linux-2.6.32.43/kernel/time/timekeeping.c
66084 --- linux-2.6.32.43/kernel/time/timekeeping.c 2011-06-25 12:55:35.000000000 -0400
66085 +++ linux-2.6.32.43/kernel/time/timekeeping.c 2011-06-25 12:56:37.000000000 -0400
66086 @@ -14,6 +14,7 @@
66087 #include <linux/init.h>
66088 #include <linux/mm.h>
66089 #include <linux/sched.h>
66090 +#include <linux/grsecurity.h>
66091 #include <linux/sysdev.h>
66092 #include <linux/clocksource.h>
66093 #include <linux/jiffies.h>
66094 @@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
66095 */
66096 struct timespec ts = xtime;
66097 timespec_add_ns(&ts, nsec);
66098 - ACCESS_ONCE(xtime_cache) = ts;
66099 + ACCESS_ONCE_RW(xtime_cache) = ts;
66100 }
66101
66102 /* must hold xtime_lock */
66103 @@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
66104 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
66105 return -EINVAL;
66106
66107 + gr_log_timechange();
66108 +
66109 write_seqlock_irqsave(&xtime_lock, flags);
66110
66111 timekeeping_forward_now();
66112 diff -urNp linux-2.6.32.43/kernel/time/timer_list.c linux-2.6.32.43/kernel/time/timer_list.c
66113 --- linux-2.6.32.43/kernel/time/timer_list.c 2011-03-27 14:31:47.000000000 -0400
66114 +++ linux-2.6.32.43/kernel/time/timer_list.c 2011-04-17 15:56:46.000000000 -0400
66115 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
66116
66117 static void print_name_offset(struct seq_file *m, void *sym)
66118 {
66119 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66120 + SEQ_printf(m, "<%p>", NULL);
66121 +#else
66122 char symname[KSYM_NAME_LEN];
66123
66124 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
66125 SEQ_printf(m, "<%p>", sym);
66126 else
66127 SEQ_printf(m, "%s", symname);
66128 +#endif
66129 }
66130
66131 static void
66132 @@ -112,7 +116,11 @@ next_one:
66133 static void
66134 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
66135 {
66136 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66137 + SEQ_printf(m, " .base: %p\n", NULL);
66138 +#else
66139 SEQ_printf(m, " .base: %p\n", base);
66140 +#endif
66141 SEQ_printf(m, " .index: %d\n",
66142 base->index);
66143 SEQ_printf(m, " .resolution: %Lu nsecs\n",
66144 @@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
66145 {
66146 struct proc_dir_entry *pe;
66147
66148 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66149 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
66150 +#else
66151 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
66152 +#endif
66153 if (!pe)
66154 return -ENOMEM;
66155 return 0;
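Review bot: The `proc_create("timer_list", ...)` call in init_timer_list_procfs is now written twice, differing only in the mode (0400 under CONFIG_GRKERNSEC_PROC_ADD, 0444 otherwise), so any later change to the call has to be made in both branches. Selecting the mode once, for example an `#ifdef`-selected `#define TIMER_LIST_MODE 0400` (else `0444`) above the function and a single `pe = proc_create("timer_list", TIMER_LIST_MODE, NULL, &timer_list_fops);`, keeps the restriction in one place. The same pattern appears in init_tstats_procfs in kernel/time/timer_stats.c (0600 versus 0644). A one-line comment stating why the file becomes owner-only under this option would also help the next reader.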
66156 diff -urNp linux-2.6.32.43/kernel/time/timer_stats.c linux-2.6.32.43/kernel/time/timer_stats.c
66157 --- linux-2.6.32.43/kernel/time/timer_stats.c 2011-03-27 14:31:47.000000000 -0400
66158 +++ linux-2.6.32.43/kernel/time/timer_stats.c 2011-05-04 17:56:28.000000000 -0400
66159 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
66160 static unsigned long nr_entries;
66161 static struct entry entries[MAX_ENTRIES];
66162
66163 -static atomic_t overflow_count;
66164 +static atomic_unchecked_t overflow_count;
66165
66166 /*
66167 * The entries are in a hash-table, for fast lookup:
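Review bot: Nothing at the declaration of `overflow_count` says why it moves to `atomic_unchecked_t`, which takes the counter out of whatever overflow checking plain `atomic_t` gets in this patch set (presumably the PaX reference-count protection, which is not visible here). A comment such as `/* statistics only, never used as a reference count; wraparound is harmless */` would record the audit decision and discourage copying the unchecked type onto a real reference count. The same applies to `bt->dropped` in kernel/trace/blktrace.c, `dropped_count` in kernel/trace/trace_mmiotrace.c and `inserted` in kernel/trace/trace_workqueue.c.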
66168 @@ -140,7 +140,7 @@ static void reset_entries(void)
66169 nr_entries = 0;
66170 memset(entries, 0, sizeof(entries));
66171 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
66172 - atomic_set(&overflow_count, 0);
66173 + atomic_set_unchecked(&overflow_count, 0);
66174 }
66175
66176 static struct entry *alloc_entry(void)
66177 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
66178 if (likely(entry))
66179 entry->count++;
66180 else
66181 - atomic_inc(&overflow_count);
66182 + atomic_inc_unchecked(&overflow_count);
66183
66184 out_unlock:
66185 spin_unlock_irqrestore(lock, flags);
66186 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
66187
66188 static void print_name_offset(struct seq_file *m, unsigned long addr)
66189 {
66190 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66191 + seq_printf(m, "<%p>", NULL);
66192 +#else
66193 char symname[KSYM_NAME_LEN];
66194
66195 if (lookup_symbol_name(addr, symname) < 0)
66196 seq_printf(m, "<%p>", (void *)addr);
66197 else
66198 seq_printf(m, "%s", symname);
66199 +#endif
66200 }
66201
66202 static int tstats_show(struct seq_file *m, void *v)
66203 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
66204
66205 seq_puts(m, "Timer Stats Version: v0.2\n");
66206 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
66207 - if (atomic_read(&overflow_count))
66208 + if (atomic_read_unchecked(&overflow_count))
66209 seq_printf(m, "Overflow: %d entries\n",
66210 - atomic_read(&overflow_count));
66211 + atomic_read_unchecked(&overflow_count));
66212
66213 for (i = 0; i < nr_entries; i++) {
66214 entry = entries + i;
66215 @@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
66216 {
66217 struct proc_dir_entry *pe;
66218
66219 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66220 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
66221 +#else
66222 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
66223 +#endif
66224 if (!pe)
66225 return -ENOMEM;
66226 return 0;
66227 diff -urNp linux-2.6.32.43/kernel/time.c linux-2.6.32.43/kernel/time.c
66228 --- linux-2.6.32.43/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
66229 +++ linux-2.6.32.43/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
66230 @@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
66231 return error;
66232
66233 if (tz) {
66234 + /* we log in do_settimeofday called below, so don't log twice
66235 + */
66236 + if (!tv)
66237 + gr_log_timechange();
66238 +
66239 /* SMP safe, global irq locking makes it work. */
66240 sys_tz = *tz;
66241 update_vsyscall_tz();
66242 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
66243 * Avoid unnecessary multiplications/divisions in the
66244 * two most common HZ cases:
66245 */
66246 -unsigned int inline jiffies_to_msecs(const unsigned long j)
66247 +inline unsigned int jiffies_to_msecs(const unsigned long j)
66248 {
66249 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
66250 return (MSEC_PER_SEC / HZ) * j;
66251 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
66252 }
66253 EXPORT_SYMBOL(jiffies_to_msecs);
66254
66255 -unsigned int inline jiffies_to_usecs(const unsigned long j)
66256 +inline unsigned int jiffies_to_usecs(const unsigned long j)
66257 {
66258 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
66259 return (USEC_PER_SEC / HZ) * j;
66260 diff -urNp linux-2.6.32.43/kernel/timer.c linux-2.6.32.43/kernel/timer.c
66261 --- linux-2.6.32.43/kernel/timer.c 2011-03-27 14:31:47.000000000 -0400
66262 +++ linux-2.6.32.43/kernel/timer.c 2011-04-17 15:56:46.000000000 -0400
66263 @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
66264 /*
66265 * This function runs timers and the timer-tq in bottom half context.
66266 */
66267 -static void run_timer_softirq(struct softirq_action *h)
66268 +static void run_timer_softirq(void)
66269 {
66270 struct tvec_base *base = __get_cpu_var(tvec_bases);
66271
66272 diff -urNp linux-2.6.32.43/kernel/trace/blktrace.c linux-2.6.32.43/kernel/trace/blktrace.c
66273 --- linux-2.6.32.43/kernel/trace/blktrace.c 2011-03-27 14:31:47.000000000 -0400
66274 +++ linux-2.6.32.43/kernel/trace/blktrace.c 2011-05-04 17:56:28.000000000 -0400
66275 @@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
66276 struct blk_trace *bt = filp->private_data;
66277 char buf[16];
66278
66279 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
66280 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
66281
66282 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
66283 }
66284 @@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
66285 return 1;
66286
66287 bt = buf->chan->private_data;
66288 - atomic_inc(&bt->dropped);
66289 + atomic_inc_unchecked(&bt->dropped);
66290 return 0;
66291 }
66292
66293 @@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
66294
66295 bt->dir = dir;
66296 bt->dev = dev;
66297 - atomic_set(&bt->dropped, 0);
66298 + atomic_set_unchecked(&bt->dropped, 0);
66299
66300 ret = -EIO;
66301 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
66302 diff -urNp linux-2.6.32.43/kernel/trace/ftrace.c linux-2.6.32.43/kernel/trace/ftrace.c
66303 --- linux-2.6.32.43/kernel/trace/ftrace.c 2011-06-25 12:55:35.000000000 -0400
66304 +++ linux-2.6.32.43/kernel/trace/ftrace.c 2011-06-25 12:56:37.000000000 -0400
66305 @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
66306
66307 ip = rec->ip;
66308
66309 + ret = ftrace_arch_code_modify_prepare();
66310 + FTRACE_WARN_ON(ret);
66311 + if (ret)
66312 + return 0;
66313 +
66314 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
66315 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
66316 if (ret) {
66317 ftrace_bug(ret, ip);
66318 rec->flags |= FTRACE_FL_FAILED;
66319 - return 0;
66320 }
66321 - return 1;
66322 + return ret ? 0 : 1;
66323 }
66324
66325 /*
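Review bot: In ftrace_code_disable the new early `return 0` after a failed `ftrace_arch_code_modify_prepare()` leaves the record without `FTRACE_FL_FAILED`, unlike the `ftrace_make_nop()` failure path a few lines below, so the two failure exits leave `rec` in different states. If callers rely on that flag (they are outside this hunk), set it on the early exit as well: `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`. Separately, `ftrace_arch_code_modify_post_process()` is invoked only as the argument of `FTRACE_WARN_ON(...)`; storing its result in a local and warning on that value would keep the required call independent of how the macro treats its argument. The function starts above the hunk.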
66326 diff -urNp linux-2.6.32.43/kernel/trace/ring_buffer.c linux-2.6.32.43/kernel/trace/ring_buffer.c
66327 --- linux-2.6.32.43/kernel/trace/ring_buffer.c 2011-03-27 14:31:47.000000000 -0400
66328 +++ linux-2.6.32.43/kernel/trace/ring_buffer.c 2011-04-17 15:56:46.000000000 -0400
66329 @@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
66330 * the reader page). But if the next page is a header page,
66331 * its flags will be non zero.
66332 */
66333 -static int inline
66334 +static inline int
66335 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
66336 struct buffer_page *page, struct list_head *list)
66337 {
66338 diff -urNp linux-2.6.32.43/kernel/trace/trace.c linux-2.6.32.43/kernel/trace/trace.c
66339 --- linux-2.6.32.43/kernel/trace/trace.c 2011-03-27 14:31:47.000000000 -0400
66340 +++ linux-2.6.32.43/kernel/trace/trace.c 2011-05-16 21:46:57.000000000 -0400
66341 @@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
66342 size_t rem;
66343 unsigned int i;
66344
66345 + pax_track_stack();
66346 +
66347 /* copy the tracer to avoid using a global lock all around */
66348 mutex_lock(&trace_types_lock);
66349 if (unlikely(old_tracer != current_trace && current_trace)) {
66350 @@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
66351 int entries, size, i;
66352 size_t ret;
66353
66354 + pax_track_stack();
66355 +
66356 if (*ppos & (PAGE_SIZE - 1)) {
66357 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
66358 return -EINVAL;
66359 @@ -3816,10 +3820,9 @@ static const struct file_operations trac
66360 };
66361 #endif
66362
66363 -static struct dentry *d_tracer;
66364 -
66365 struct dentry *tracing_init_dentry(void)
66366 {
66367 + static struct dentry *d_tracer;
66368 static int once;
66369
66370 if (d_tracer)
66371 @@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
66372 return d_tracer;
66373 }
66374
66375 -static struct dentry *d_percpu;
66376 -
66377 struct dentry *tracing_dentry_percpu(void)
66378 {
66379 + static struct dentry *d_percpu;
66380 static int once;
66381 struct dentry *d_tracer;
66382
66383 diff -urNp linux-2.6.32.43/kernel/trace/trace_events.c linux-2.6.32.43/kernel/trace/trace_events.c
66384 --- linux-2.6.32.43/kernel/trace/trace_events.c 2011-03-27 14:31:47.000000000 -0400
66385 +++ linux-2.6.32.43/kernel/trace/trace_events.c 2011-08-05 20:33:55.000000000 -0400
66386 @@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
66387 * Modules must own their file_operations to keep up with
66388 * reference counting.
66389 */
66390 +
66391 struct ftrace_module_file_ops {
66392 struct list_head list;
66393 struct module *mod;
66394 - struct file_operations id;
66395 - struct file_operations enable;
66396 - struct file_operations format;
66397 - struct file_operations filter;
66398 };
66399
66400 static void remove_subsystem_dir(const char *name)
66401 @@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
66402
66403 file_ops->mod = mod;
66404
66405 - file_ops->id = ftrace_event_id_fops;
66406 - file_ops->id.owner = mod;
66407 -
66408 - file_ops->enable = ftrace_enable_fops;
66409 - file_ops->enable.owner = mod;
66410 -
66411 - file_ops->filter = ftrace_event_filter_fops;
66412 - file_ops->filter.owner = mod;
66413 -
66414 - file_ops->format = ftrace_event_format_fops;
66415 - file_ops->format.owner = mod;
66416 + pax_open_kernel();
66417 + *(void **)&mod->trace_id.owner = mod;
66418 + *(void **)&mod->trace_enable.owner = mod;
66419 + *(void **)&mod->trace_filter.owner = mod;
66420 + *(void **)&mod->trace_format.owner = mod;
66421 + pax_close_kernel();
66422
66423 list_add(&file_ops->list, &ftrace_module_file_list);
66424
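Review bot: trace_create_file_ops used to copy each template (`file_ops->id = ftrace_event_id_fops;` and its three siblings) before setting `.owner`, but the new code only writes `.owner` into `mod->trace_id`, `mod->trace_enable`, `mod->trace_filter` and `mod->trace_format`. Nothing in this hunk populates the other members of those four structures. Unless they are initialised elsewhere in the patch (not visible here), the files that trace_module_add_events passes to event_create_dir would be backed by operations tables with no handlers. Please confirm where the templates are copied, and add a comment above the `pax_open_kernel()` block saying so and why the `*(void **)&` casts are needed (presumably the fields are const-qualified). The function starts above the hunk.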
66425 @@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
66426 call->mod = mod;
66427 list_add(&call->list, &ftrace_events);
66428 event_create_dir(call, d_events,
66429 - &file_ops->id, &file_ops->enable,
66430 - &file_ops->filter, &file_ops->format);
66431 + &mod->trace_id, &mod->trace_enable,
66432 + &mod->trace_filter, &mod->trace_format);
66433 }
66434 }
66435
66436 diff -urNp linux-2.6.32.43/kernel/trace/trace_mmiotrace.c linux-2.6.32.43/kernel/trace/trace_mmiotrace.c
66437 --- linux-2.6.32.43/kernel/trace/trace_mmiotrace.c 2011-03-27 14:31:47.000000000 -0400
66438 +++ linux-2.6.32.43/kernel/trace/trace_mmiotrace.c 2011-05-04 17:56:28.000000000 -0400
66439 @@ -23,7 +23,7 @@ struct header_iter {
66440 static struct trace_array *mmio_trace_array;
66441 static bool overrun_detected;
66442 static unsigned long prev_overruns;
66443 -static atomic_t dropped_count;
66444 +static atomic_unchecked_t dropped_count;
66445
66446 static void mmio_reset_data(struct trace_array *tr)
66447 {
66448 @@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
66449
66450 static unsigned long count_overruns(struct trace_iterator *iter)
66451 {
66452 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
66453 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
66454 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
66455
66456 if (over > prev_overruns)
66457 @@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
66458 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
66459 sizeof(*entry), 0, pc);
66460 if (!event) {
66461 - atomic_inc(&dropped_count);
66462 + atomic_inc_unchecked(&dropped_count);
66463 return;
66464 }
66465 entry = ring_buffer_event_data(event);
66466 @@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
66467 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
66468 sizeof(*entry), 0, pc);
66469 if (!event) {
66470 - atomic_inc(&dropped_count);
66471 + atomic_inc_unchecked(&dropped_count);
66472 return;
66473 }
66474 entry = ring_buffer_event_data(event);
66475 diff -urNp linux-2.6.32.43/kernel/trace/trace_output.c linux-2.6.32.43/kernel/trace/trace_output.c
66476 --- linux-2.6.32.43/kernel/trace/trace_output.c 2011-03-27 14:31:47.000000000 -0400
66477 +++ linux-2.6.32.43/kernel/trace/trace_output.c 2011-04-17 15:56:46.000000000 -0400
66478 @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
66479 return 0;
66480 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
66481 if (!IS_ERR(p)) {
66482 - p = mangle_path(s->buffer + s->len, p, "\n");
66483 + p = mangle_path(s->buffer + s->len, p, "\n\\");
66484 if (p) {
66485 s->len = p - s->buffer;
66486 return 1;
66487 diff -urNp linux-2.6.32.43/kernel/trace/trace_stack.c linux-2.6.32.43/kernel/trace/trace_stack.c
66488 --- linux-2.6.32.43/kernel/trace/trace_stack.c 2011-03-27 14:31:47.000000000 -0400
66489 +++ linux-2.6.32.43/kernel/trace/trace_stack.c 2011-04-17 15:56:46.000000000 -0400
66490 @@ -50,7 +50,7 @@ static inline void check_stack(void)
66491 return;
66492
66493 /* we do not handle interrupt stacks yet */
66494 - if (!object_is_on_stack(&this_size))
66495 + if (!object_starts_on_stack(&this_size))
66496 return;
66497
66498 local_irq_save(flags);
66499 diff -urNp linux-2.6.32.43/kernel/trace/trace_workqueue.c linux-2.6.32.43/kernel/trace/trace_workqueue.c
66500 --- linux-2.6.32.43/kernel/trace/trace_workqueue.c 2011-03-27 14:31:47.000000000 -0400
66501 +++ linux-2.6.32.43/kernel/trace/trace_workqueue.c 2011-04-17 15:56:46.000000000 -0400
66502 @@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
66503 int cpu;
66504 pid_t pid;
66505 /* Can be inserted from interrupt or user context, need to be atomic */
66506 - atomic_t inserted;
66507 + atomic_unchecked_t inserted;
66508 /*
66509 * Don't need to be atomic, works are serialized in a single workqueue thread
66510 * on a single CPU.
66511 @@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
66512 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
66513 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
66514 if (node->pid == wq_thread->pid) {
66515 - atomic_inc(&node->inserted);
66516 + atomic_inc_unchecked(&node->inserted);
66517 goto found;
66518 }
66519 }
66520 @@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
66521 tsk = get_pid_task(pid, PIDTYPE_PID);
66522 if (tsk) {
66523 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
66524 - atomic_read(&cws->inserted), cws->executed,
66525 + atomic_read_unchecked(&cws->inserted), cws->executed,
66526 tsk->comm);
66527 put_task_struct(tsk);
66528 }
66529 diff -urNp linux-2.6.32.43/kernel/user.c linux-2.6.32.43/kernel/user.c
66530 --- linux-2.6.32.43/kernel/user.c 2011-03-27 14:31:47.000000000 -0400
66531 +++ linux-2.6.32.43/kernel/user.c 2011-04-17 15:56:46.000000000 -0400
66532 @@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
66533 spin_lock_irq(&uidhash_lock);
66534 up = uid_hash_find(uid, hashent);
66535 if (up) {
66536 + put_user_ns(ns);
66537 key_put(new->uid_keyring);
66538 key_put(new->session_keyring);
66539 kmem_cache_free(uid_cachep, new);
66540 diff -urNp linux-2.6.32.43/lib/bug.c linux-2.6.32.43/lib/bug.c
66541 --- linux-2.6.32.43/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
66542 +++ linux-2.6.32.43/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
66543 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
66544 return BUG_TRAP_TYPE_NONE;
66545
66546 bug = find_bug(bugaddr);
66547 + if (!bug)
66548 + return BUG_TRAP_TYPE_NONE;
66549
66550 printk(KERN_EMERG "------------[ cut here ]------------\n");
66551
66552 diff -urNp linux-2.6.32.43/lib/debugobjects.c linux-2.6.32.43/lib/debugobjects.c
66553 --- linux-2.6.32.43/lib/debugobjects.c 2011-07-13 17:23:04.000000000 -0400
66554 +++ linux-2.6.32.43/lib/debugobjects.c 2011-07-13 17:23:19.000000000 -0400
66555 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
66556 if (limit > 4)
66557 return;
66558
66559 - is_on_stack = object_is_on_stack(addr);
66560 + is_on_stack = object_starts_on_stack(addr);
66561 if (is_on_stack == onstack)
66562 return;
66563
66564 diff -urNp linux-2.6.32.43/lib/dma-debug.c linux-2.6.32.43/lib/dma-debug.c
66565 --- linux-2.6.32.43/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
66566 +++ linux-2.6.32.43/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
66567 @@ -861,7 +861,7 @@ out:
66568
66569 static void check_for_stack(struct device *dev, void *addr)
66570 {
66571 - if (object_is_on_stack(addr))
66572 + if (object_starts_on_stack(addr))
66573 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
66574 "stack [addr=%p]\n", addr);
66575 }
66576 diff -urNp linux-2.6.32.43/lib/idr.c linux-2.6.32.43/lib/idr.c
66577 --- linux-2.6.32.43/lib/idr.c 2011-03-27 14:31:47.000000000 -0400
66578 +++ linux-2.6.32.43/lib/idr.c 2011-04-17 15:56:46.000000000 -0400
66579 @@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
66580 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
66581
66582 /* if already at the top layer, we need to grow */
66583 - if (id >= 1 << (idp->layers * IDR_BITS)) {
66584 + if (id >= (1 << (idp->layers * IDR_BITS))) {
66585 *starting_id = id;
66586 return IDR_NEED_TO_GROW;
66587 }
66588 diff -urNp linux-2.6.32.43/lib/inflate.c linux-2.6.32.43/lib/inflate.c
66589 --- linux-2.6.32.43/lib/inflate.c 2011-03-27 14:31:47.000000000 -0400
66590 +++ linux-2.6.32.43/lib/inflate.c 2011-04-17 15:56:46.000000000 -0400
66591 @@ -266,7 +266,7 @@ static void free(void *where)
66592 malloc_ptr = free_mem_ptr;
66593 }
66594 #else
66595 -#define malloc(a) kmalloc(a, GFP_KERNEL)
66596 +#define malloc(a) kmalloc((a), GFP_KERNEL)
66597 #define free(a) kfree(a)
66598 #endif
66599
66600 diff -urNp linux-2.6.32.43/lib/Kconfig.debug linux-2.6.32.43/lib/Kconfig.debug
66601 --- linux-2.6.32.43/lib/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
66602 +++ linux-2.6.32.43/lib/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
66603 @@ -905,7 +905,7 @@ config LATENCYTOP
66604 select STACKTRACE
66605 select SCHEDSTATS
66606 select SCHED_DEBUG
66607 - depends on HAVE_LATENCYTOP_SUPPORT
66608 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
66609 help
66610 Enable this option if you want to use the LatencyTOP tool
66611 to find out which userspace is blocking on what kernel operations.
66612 diff -urNp linux-2.6.32.43/lib/kobject.c linux-2.6.32.43/lib/kobject.c
66613 --- linux-2.6.32.43/lib/kobject.c 2011-03-27 14:31:47.000000000 -0400
66614 +++ linux-2.6.32.43/lib/kobject.c 2011-04-17 15:56:46.000000000 -0400
66615 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
66616 return ret;
66617 }
66618
66619 -struct sysfs_ops kobj_sysfs_ops = {
66620 +const struct sysfs_ops kobj_sysfs_ops = {
66621 .show = kobj_attr_show,
66622 .store = kobj_attr_store,
66623 };
66624 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
66625 * If the kset was not able to be created, NULL will be returned.
66626 */
66627 static struct kset *kset_create(const char *name,
66628 - struct kset_uevent_ops *uevent_ops,
66629 + const struct kset_uevent_ops *uevent_ops,
66630 struct kobject *parent_kobj)
66631 {
66632 struct kset *kset;
66633 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
66634 * If the kset was not able to be created, NULL will be returned.
66635 */
66636 struct kset *kset_create_and_add(const char *name,
66637 - struct kset_uevent_ops *uevent_ops,
66638 + const struct kset_uevent_ops *uevent_ops,
66639 struct kobject *parent_kobj)
66640 {
66641 struct kset *kset;
66642 diff -urNp linux-2.6.32.43/lib/kobject_uevent.c linux-2.6.32.43/lib/kobject_uevent.c
66643 --- linux-2.6.32.43/lib/kobject_uevent.c 2011-03-27 14:31:47.000000000 -0400
66644 +++ linux-2.6.32.43/lib/kobject_uevent.c 2011-04-17 15:56:46.000000000 -0400
66645 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
66646 const char *subsystem;
66647 struct kobject *top_kobj;
66648 struct kset *kset;
66649 - struct kset_uevent_ops *uevent_ops;
66650 + const struct kset_uevent_ops *uevent_ops;
66651 u64 seq;
66652 int i = 0;
66653 int retval = 0;
66654 diff -urNp linux-2.6.32.43/lib/kref.c linux-2.6.32.43/lib/kref.c
66655 --- linux-2.6.32.43/lib/kref.c 2011-03-27 14:31:47.000000000 -0400
66656 +++ linux-2.6.32.43/lib/kref.c 2011-04-17 15:56:46.000000000 -0400
66657 @@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
66658 */
66659 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
66660 {
66661 - WARN_ON(release == NULL);
66662 + BUG_ON(release == NULL);
66663 WARN_ON(release == (void (*)(struct kref *))kfree);
66664
66665 if (atomic_dec_and_test(&kref->refcount)) {
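Review bot: The switch from `WARN_ON` to `BUG_ON(release == NULL)` in kref_put has no comment explaining why this check is fatal while the `kfree` check on the next line stays a warning. The difference appears to be that a NULL `release` would be called as a function pointer once the count reaches zero (the call is below the hunk), so halting is safer than continuing. A comment like `/* a NULL release would be called through when the last reference drops */` would record that. The check runs on every kref_put, not only the final one, so a caller passing NULL now stops the kernel even when the count stays above zero.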
66666 diff -urNp linux-2.6.32.43/lib/parser.c linux-2.6.32.43/lib/parser.c
66667 --- linux-2.6.32.43/lib/parser.c 2011-03-27 14:31:47.000000000 -0400
66668 +++ linux-2.6.32.43/lib/parser.c 2011-04-17 15:56:46.000000000 -0400
66669 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
66670 char *buf;
66671 int ret;
66672
66673 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
66674 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
66675 if (!buf)
66676 return -ENOMEM;
66677 memcpy(buf, s->from, s->to - s->from);
66678 diff -urNp linux-2.6.32.43/lib/radix-tree.c linux-2.6.32.43/lib/radix-tree.c
66679 --- linux-2.6.32.43/lib/radix-tree.c 2011-03-27 14:31:47.000000000 -0400
66680 +++ linux-2.6.32.43/lib/radix-tree.c 2011-04-17 15:56:46.000000000 -0400
66681 @@ -81,7 +81,7 @@ struct radix_tree_preload {
66682 int nr;
66683 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
66684 };
66685 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
66686 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
66687
66688 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
66689 {
66690 diff -urNp linux-2.6.32.43/lib/random32.c linux-2.6.32.43/lib/random32.c
66691 --- linux-2.6.32.43/lib/random32.c 2011-03-27 14:31:47.000000000 -0400
66692 +++ linux-2.6.32.43/lib/random32.c 2011-04-17 15:56:46.000000000 -0400
66693 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
66694 */
66695 static inline u32 __seed(u32 x, u32 m)
66696 {
66697 - return (x < m) ? x + m : x;
66698 + return (x <= m) ? x + m + 1 : x;
66699 }
66700
66701 /**
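Review bot: The doc comment above `__seed` (it ends on the first context line of this hunk) should state that the result is now strictly greater than `m`, since that is the behavioural change. The old `x < m` test let `x == m` through unchanged, while the new `(x <= m) ? x + m + 1 : x` does not. Suggested wording: `/* returns a value strictly greater than m; any x <= m is bumped to x + m + 1 */`. The callers and the minimums they pass are outside the hunk, so it is worth checking that they pass the inclusive bound this version expects.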
66702 diff -urNp linux-2.6.32.43/lib/vsprintf.c linux-2.6.32.43/lib/vsprintf.c
66703 --- linux-2.6.32.43/lib/vsprintf.c 2011-03-27 14:31:47.000000000 -0400
66704 +++ linux-2.6.32.43/lib/vsprintf.c 2011-04-17 15:56:46.000000000 -0400
66705 @@ -16,6 +16,9 @@
66706 * - scnprintf and vscnprintf
66707 */
66708
66709 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66710 +#define __INCLUDED_BY_HIDESYM 1
66711 +#endif
66712 #include <stdarg.h>
66713 #include <linux/module.h>
66714 #include <linux/types.h>
66715 @@ -546,12 +549,12 @@ static char *number(char *buf, char *end
66716 return buf;
66717 }
66718
66719 -static char *string(char *buf, char *end, char *s, struct printf_spec spec)
66720 +static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
66721 {
66722 int len, i;
66723
66724 if ((unsigned long)s < PAGE_SIZE)
66725 - s = "<NULL>";
66726 + s = "(null)";
66727
66728 len = strnlen(s, spec.precision);
66729
66730 @@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
66731 unsigned long value = (unsigned long) ptr;
66732 #ifdef CONFIG_KALLSYMS
66733 char sym[KSYM_SYMBOL_LEN];
66734 - if (ext != 'f' && ext != 's')
66735 + if (ext != 'f' && ext != 's' && ext != 'a')
66736 sprint_symbol(sym, value);
66737 else
66738 kallsyms_lookup(value, NULL, NULL, NULL, sym);
66739 @@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
66740 * - 'f' For simple symbolic function names without offset
66741 * - 'S' For symbolic direct pointers with offset
66742 * - 's' For symbolic direct pointers without offset
66743 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
66744 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
66745 * - 'R' For a struct resource pointer, it prints the range of
66746 * addresses (not the name nor the flags)
66747 * - 'M' For a 6-byte MAC address, it prints the address in the
66748 @@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
66749 struct printf_spec spec)
66750 {
66751 if (!ptr)
66752 - return string(buf, end, "(null)", spec);
66753 + return string(buf, end, "(nil)", spec);
66754
66755 switch (*fmt) {
66756 case 'F':
66757 @@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
66758 case 's':
66759 /* Fallthrough */
66760 case 'S':
66761 +#ifdef CONFIG_GRKERNSEC_HIDESYM
66762 + break;
66763 +#else
66764 + return symbol_string(buf, end, ptr, spec, *fmt);
66765 +#endif
66766 + case 'a':
66767 + /* Fallthrough */
66768 + case 'A':
66769 return symbol_string(buf, end, ptr, spec, *fmt);
66770 case 'R':
66771 return resource_string(buf, end, ptr, spec);
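Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'F'`/`'f'`/`'s'`/`'S'` cases in pointer() now `break` out of the switch instead of returning `symbol_string(...)`, and the code that runs after the switch is not visible in this hunk. If that is the generic numeric pointer path, these specifiers would emit the raw address in place of the symbol name, which discloses more about kernel layout than the symbol did. State the intent in a comment at the `break`, e.g. `/* HIDESYM: symbols are not resolved here; handled by the code after the switch */`, and review the post-switch formatting under the same config. The function continues outside the hunk.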
66772 @@ -1445,7 +1458,7 @@ do { \
66773 size_t len;
66774 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
66775 || (unsigned long)save_str < PAGE_SIZE)
66776 - save_str = "<NULL>";
66777 + save_str = "(null)";
66778 len = strlen(save_str);
66779 if (str + len + 1 < end)
66780 memcpy(str, save_str, len + 1);
66781 @@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
66782 typeof(type) value; \
66783 if (sizeof(type) == 8) { \
66784 args = PTR_ALIGN(args, sizeof(u32)); \
66785 - *(u32 *)&value = *(u32 *)args; \
66786 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
66787 + *(u32 *)&value = *(const u32 *)args; \
66788 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
66789 } else { \
66790 args = PTR_ALIGN(args, sizeof(type)); \
66791 - value = *(typeof(type) *)args; \
66792 + value = *(const typeof(type) *)args; \
66793 } \
66794 args += sizeof(type); \
66795 value; \
66796 @@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
66797 const char *str_arg = args;
66798 size_t len = strlen(str_arg);
66799 args += len + 1;
66800 - str = string(str, end, (char *)str_arg, spec);
66801 + str = string(str, end, str_arg, spec);
66802 break;
66803 }
66804
66805 diff -urNp linux-2.6.32.43/localversion-grsec linux-2.6.32.43/localversion-grsec
66806 --- linux-2.6.32.43/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
66807 +++ linux-2.6.32.43/localversion-grsec 2011-04-17 15:56:46.000000000 -0400
66808 @@ -0,0 +1 @@
66809 +-grsec
66810 diff -urNp linux-2.6.32.43/Makefile linux-2.6.32.43/Makefile
66811 --- linux-2.6.32.43/Makefile 2011-07-13 17:23:04.000000000 -0400
66812 +++ linux-2.6.32.43/Makefile 2011-08-05 20:33:55.000000000 -0400
66813 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
66814
66815 HOSTCC = gcc
66816 HOSTCXX = g++
66817 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
66818 -HOSTCXXFLAGS = -O2
66819 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
66820 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
66821 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
66822
66823 # Decide whether to build built-in, modular, or both.
66824 # Normally, just do built-in.
66825 @@ -342,10 +343,12 @@ LINUXINCLUDE := -Iinclude \
66826 KBUILD_CPPFLAGS := -D__KERNEL__
66827
66828 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
66829 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
66830 -fno-strict-aliasing -fno-common \
66831 -Werror-implicit-function-declaration \
66832 -Wno-format-security \
66833 -fno-delete-null-pointer-checks
66834 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
66835 KBUILD_AFLAGS := -D__ASSEMBLY__
66836
66837 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
66838 @@ -376,8 +379,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
66839 # Rules shared between *config targets and build targets
66840
66841 # Basic helpers built in scripts/
66842 -PHONY += scripts_basic
66843 -scripts_basic:
66844 +PHONY += scripts_basic gcc-plugins
66845 +scripts_basic: gcc-plugins
66846 $(Q)$(MAKE) $(build)=scripts/basic
66847
66848 # To avoid any implicit rule to kick in, define an empty command.
66849 @@ -403,7 +406,7 @@ endif
66850 # of make so .config is not included in this case either (for *config).
66851
66852 no-dot-config-targets := clean mrproper distclean \
66853 - cscope TAGS tags help %docs check% \
66854 + cscope gtags TAGS tags help %docs check% \
66855 include/linux/version.h headers_% \
66856 kernelrelease kernelversion
66857
66858 @@ -526,6 +529,25 @@ else
66859 KBUILD_CFLAGS += -O2
66860 endif
66861
66862 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC)), y)
66863 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so
66864 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
66865 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
66866 +endif
66867 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
66868 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN
66869 +gcc-plugins:
66870 + $(Q)$(MAKE) $(build)=tools/gcc
66871 +else
66872 +gcc-plugins:
66873 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
66874 + $(Q)echo "warning, your gcc installation does not support plugins, perhaps the necessary headers are missing?"
66875 +else
66876 + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
66877 +endif
66878 + $(Q)echo "PAX_MEMORY_STACKLEAK and other will be less secure"
66879 +endif
66880 +
66881 include $(srctree)/arch/$(SRCARCH)/Makefile
66882
66883 ifneq ($(CONFIG_FRAME_WARN),0)
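Review bot: When scripts/gcc-plugin.sh does not answer `y`, the fallback `gcc-plugins:` rule only echoes a warning and the build carries on. A configuration with CONFIG_PAX_MEMORY_STACKLEAK set therefore still produces a kernel, just without the `-fplugin=...stackleak_plugin.so` flags, and the "will be less secure" message is easy to lose in build output. Consider failing that rule when the option is enabled, e.g. `$(Q)echo "error: CONFIG_PAX_MEMORY_STACKLEAK requires gcc plugin support"; exit 1` inside an `ifdef CONFIG_PAX_MEMORY_STACKLEAK`. Config targets, which do not load .config, should be unaffected, but verify that. The probe is also run against `$(HOSTCC)` while the `-fplugin` flags go into `KBUILD_CFLAGS`, so on a cross build the result may not describe the compiler that actually loads the plugins.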
66884 @@ -644,7 +666,7 @@ export mod_strip_cmd
66885
66886
66887 ifeq ($(KBUILD_EXTMOD),)
66888 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
66889 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
66890
66891 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
66892 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
66893 @@ -970,7 +992,7 @@ ifneq ($(KBUILD_SRC),)
66894 endif
66895
66896 # prepare2 creates a makefile if using a separate output directory
66897 -prepare2: prepare3 outputmakefile
66898 +prepare2: prepare3 outputmakefile gcc-plugins
66899
66900 prepare1: prepare2 include/linux/version.h include/linux/utsrelease.h \
66901 include/asm include/config/auto.conf
66902 @@ -1198,7 +1220,7 @@ MRPROPER_FILES += .config .config.old in
66903 include/linux/autoconf.h include/linux/version.h \
66904 include/linux/utsrelease.h \
66905 include/linux/bounds.h include/asm*/asm-offsets.h \
66906 - Module.symvers Module.markers tags TAGS cscope*
66907 + Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
66908
66909 # clean - Delete most, but leave enough to build external modules
66910 #
66911 @@ -1289,6 +1311,7 @@ help:
66912 @echo ' modules_prepare - Set up for building external modules'
66913 @echo ' tags/TAGS - Generate tags file for editors'
66914 @echo ' cscope - Generate cscope index'
66915 + @echo ' gtags - Generate GNU GLOBAL index'
66916 @echo ' kernelrelease - Output the release version string'
66917 @echo ' kernelversion - Output the version stored in Makefile'
66918 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
66919 @@ -1421,7 +1444,7 @@ clean: $(clean-dirs)
66920 $(call cmd,rmdirs)
66921 $(call cmd,rmfiles)
66922 @find $(KBUILD_EXTMOD) $(RCS_FIND_IGNORE) \
66923 - \( -name '*.[oas]' -o -name '*.ko' -o -name '.*.cmd' \
66924 + \( -name '*.[oas]' -o -name '*.[ks]o' -o -name '.*.cmd' \
66925 -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \
66926 -o -name '*.gcno' \) -type f -print | xargs rm -f
66927
66928 @@ -1445,7 +1468,7 @@ endif # KBUILD_EXTMOD
66929 quiet_cmd_tags = GEN $@
66930 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
66931
66932 -tags TAGS cscope: FORCE
66933 +tags TAGS cscope gtags: FORCE
66934 $(call cmd,tags)
66935
66936 # Scripts to check various things for consistency
66937 diff -urNp linux-2.6.32.43/mm/backing-dev.c linux-2.6.32.43/mm/backing-dev.c
66938 --- linux-2.6.32.43/mm/backing-dev.c 2011-03-27 14:31:47.000000000 -0400
66939 +++ linux-2.6.32.43/mm/backing-dev.c 2011-05-04 17:56:28.000000000 -0400
66940 @@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
66941 * Add the default flusher task that gets created for any bdi
66942 * that has dirty data pending writeout
66943 */
66944 -void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
66945 +static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
66946 {
66947 if (!bdi_cap_writeback_dirty(bdi))
66948 return;
66949 diff -urNp linux-2.6.32.43/mm/filemap.c linux-2.6.32.43/mm/filemap.c
66950 --- linux-2.6.32.43/mm/filemap.c 2011-03-27 14:31:47.000000000 -0400
66951 +++ linux-2.6.32.43/mm/filemap.c 2011-04-17 15:56:46.000000000 -0400
66952 @@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
66953 struct address_space *mapping = file->f_mapping;
66954
66955 if (!mapping->a_ops->readpage)
66956 - return -ENOEXEC;
66957 + return -ENODEV;
66958 file_accessed(file);
66959 vma->vm_ops = &generic_file_vm_ops;
66960 vma->vm_flags |= VM_CAN_NONLINEAR;
66961 @@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
66962 *pos = i_size_read(inode);
66963
66964 if (limit != RLIM_INFINITY) {
66965 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
66966 if (*pos >= limit) {
66967 send_sig(SIGXFSZ, current, 0);
66968 return -EFBIG;
66969 diff -urNp linux-2.6.32.43/mm/fremap.c linux-2.6.32.43/mm/fremap.c
66970 --- linux-2.6.32.43/mm/fremap.c 2011-03-27 14:31:47.000000000 -0400
66971 +++ linux-2.6.32.43/mm/fremap.c 2011-04-17 15:56:46.000000000 -0400
66972 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
66973 retry:
66974 vma = find_vma(mm, start);
66975
66976 +#ifdef CONFIG_PAX_SEGMEXEC
66977 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
66978 + goto out;
66979 +#endif
66980 +
66981 /*
66982 * Make sure the vma is shared, that it supports prefaulting,
66983 * and that the remapped range is valid and fully within
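Review bot: The new SEGMEXEC bail-out after `find_vma()` has no comment saying why a `VM_MAYEXEC` vma must be refused, and the reason cannot be read off this hunk. Presumably a nonlinear remap would leave the mirrored executable mapping out of step with the lower one; if so, say it, e.g. `/* PaX: nonlinear remaps cannot be mirrored, refuse them on executable vmas */`. The rejection returns whatever `err` holds on reaching `out`, so also confirm that this is the intended errno when the check is reached again through `retry`. The syscall body starts and ends outside the hunk.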
66984 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
66985 /*
66986 * drop PG_Mlocked flag for over-mapped range
66987 */
66988 - unsigned int saved_flags = vma->vm_flags;
66989 + unsigned long saved_flags = vma->vm_flags;
66990 munlock_vma_pages_range(vma, start, start + size);
66991 vma->vm_flags = saved_flags;
66992 }
66993 diff -urNp linux-2.6.32.43/mm/highmem.c linux-2.6.32.43/mm/highmem.c
66994 --- linux-2.6.32.43/mm/highmem.c 2011-03-27 14:31:47.000000000 -0400
66995 +++ linux-2.6.32.43/mm/highmem.c 2011-04-17 15:56:46.000000000 -0400
66996 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
66997 * So no dangers, even with speculative execution.
66998 */
66999 page = pte_page(pkmap_page_table[i]);
67000 + pax_open_kernel();
67001 pte_clear(&init_mm, (unsigned long)page_address(page),
67002 &pkmap_page_table[i]);
67003 -
67004 + pax_close_kernel();
67005 set_page_address(page, NULL);
67006 need_flush = 1;
67007 }
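Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `pte_clear()` is unexplained, and the same pair is added around `set_pte_at()` in the next hunk. A one-line comment such as `/* pkmap_page_table may be read-only under PaX; keep the write window limited to this update */` would tell a reader why the window exists and that nothing else belongs inside it. The protection that makes the table read-only is not visible here, so the wording needs confirming. Both functions extend beyond their hunks.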
67008 @@ -177,9 +178,11 @@ start:
67009 }
67010 }
67011 vaddr = PKMAP_ADDR(last_pkmap_nr);
67012 +
67013 + pax_open_kernel();
67014 set_pte_at(&init_mm, vaddr,
67015 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
67016 -
67017 + pax_close_kernel();
67018 pkmap_count[last_pkmap_nr] = 1;
67019 set_page_address(page, (void *)vaddr);
67020
67021 diff -urNp linux-2.6.32.43/mm/hugetlb.c linux-2.6.32.43/mm/hugetlb.c
67022 --- linux-2.6.32.43/mm/hugetlb.c 2011-07-13 17:23:04.000000000 -0400
67023 +++ linux-2.6.32.43/mm/hugetlb.c 2011-07-13 17:23:19.000000000 -0400
67024 @@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
67025 return 1;
67026 }
67027
67028 +#ifdef CONFIG_PAX_SEGMEXEC
67029 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
67030 +{
67031 + struct mm_struct *mm = vma->vm_mm;
67032 + struct vm_area_struct *vma_m;
67033 + unsigned long address_m;
67034 + pte_t *ptep_m;
67035 +
67036 + vma_m = pax_find_mirror_vma(vma);
67037 + if (!vma_m)
67038 + return;
67039 +
67040 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67041 + address_m = address + SEGMEXEC_TASK_SIZE;
67042 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
67043 + get_page(page_m);
67044 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
67045 +}
67046 +#endif
67047 +
67048 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
67049 unsigned long address, pte_t *ptep, pte_t pte,
67050 struct page *pagecache_page)
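Review bot: In pax_mirror_huge_pte() the result of `huge_pte_offset()` goes straight into `set_huge_pte_at()` with no NULL check. The helper appears to rely on hugetlb_fault() having called `huge_pte_alloc()` for the mirror address first, but nothing here enforces that, unlike the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` two lines earlier. Adding `BUG_ON(!ptep_m);` after the lookup, plus a comment naming the lock the caller must hold (presumably `mm->page_table_lock`; confirm), would make the contract explicit. The lookup also masks `address_m` with `HPAGE_MASK` while `set_huge_pte_at()` receives it unmasked, which is worth making consistent.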
67051 @@ -2004,6 +2024,11 @@ retry_avoidcopy:
67052 huge_ptep_clear_flush(vma, address, ptep);
67053 set_huge_pte_at(mm, address, ptep,
67054 make_huge_pte(vma, new_page, 1));
67055 +
67056 +#ifdef CONFIG_PAX_SEGMEXEC
67057 + pax_mirror_huge_pte(vma, address, new_page);
67058 +#endif
67059 +
67060 /* Make the old page be freed below */
67061 new_page = old_page;
67062 }
67063 @@ -2135,6 +2160,10 @@ retry:
67064 && (vma->vm_flags & VM_SHARED)));
67065 set_huge_pte_at(mm, address, ptep, new_pte);
67066
67067 +#ifdef CONFIG_PAX_SEGMEXEC
67068 + pax_mirror_huge_pte(vma, address, page);
67069 +#endif
67070 +
67071 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
67072 /* Optimization, do the COW without a second fault */
67073 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
67074 @@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
67075 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
67076 struct hstate *h = hstate_vma(vma);
67077
67078 +#ifdef CONFIG_PAX_SEGMEXEC
67079 + struct vm_area_struct *vma_m;
67080 +
67081 + vma_m = pax_find_mirror_vma(vma);
67082 + if (vma_m) {
67083 + unsigned long address_m;
67084 +
67085 + if (vma->vm_start > vma_m->vm_start) {
67086 + address_m = address;
67087 + address -= SEGMEXEC_TASK_SIZE;
67088 + vma = vma_m;
67089 + h = hstate_vma(vma);
67090 + } else
67091 + address_m = address + SEGMEXEC_TASK_SIZE;
67092 +
67093 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
67094 + return VM_FAULT_OOM;
67095 + address_m &= HPAGE_MASK;
67096 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
67097 + }
67098 +#endif
67099 +
67100 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
67101 if (!ptep)
67102 return VM_FAULT_OOM;
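Review bot: The mirror block in hugetlb_fault() allocates with `huge_page_size(h)` but computes the unmap range with the compile-time `HPAGE_MASK` and `HPAGE_SIZE`. These agree only while the vma's hstate uses the default huge page size; using `huge_page_mask(h)` and `huge_page_size(h)` throughout keeps the block self-consistent. The unbraced `else` arm should also get braces to match the braced `if` arm. The function continues beyond the hunk.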
67103 diff -urNp linux-2.6.32.43/mm/internal.h linux-2.6.32.43/mm/internal.h
67104 --- linux-2.6.32.43/mm/internal.h 2011-03-27 14:31:47.000000000 -0400
67105 +++ linux-2.6.32.43/mm/internal.h 2011-07-09 09:13:08.000000000 -0400
67106 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
67107 * in mm/page_alloc.c
67108 */
67109 extern void __free_pages_bootmem(struct page *page, unsigned int order);
67110 +extern void free_compound_page(struct page *page);
67111 extern void prep_compound_page(struct page *page, unsigned long order);
67112
67113
67114 diff -urNp linux-2.6.32.43/mm/Kconfig linux-2.6.32.43/mm/Kconfig
67115 --- linux-2.6.32.43/mm/Kconfig 2011-03-27 14:31:47.000000000 -0400
67116 +++ linux-2.6.32.43/mm/Kconfig 2011-04-17 15:56:46.000000000 -0400
67117 @@ -228,7 +228,7 @@ config KSM
67118 config DEFAULT_MMAP_MIN_ADDR
67119 int "Low address space to protect from user allocation"
67120 depends on MMU
67121 - default 4096
67122 + default 65536
67123 help
67124 This is the portion of low virtual memory which should be protected
67125 from userspace allocation. Keeping a user from writing to low pages
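Review bot: The new default of 65536 applies to every configuration that satisfies `depends on MMU`, with no per-architecture condition. The help text continues outside this hunk, so check that its advice on suitable values still matches the new default on all architectures, and consider a conditional `default` if some of them need a lower floor. Userspace that legitimately maps low pages will now fail unless the limit is lowered, which deserves a sentence in the help text.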
67126 diff -urNp linux-2.6.32.43/mm/kmemleak.c linux-2.6.32.43/mm/kmemleak.c
67127 --- linux-2.6.32.43/mm/kmemleak.c 2011-06-25 12:55:35.000000000 -0400
67128 +++ linux-2.6.32.43/mm/kmemleak.c 2011-06-25 12:56:37.000000000 -0400
67129 @@ -358,7 +358,7 @@ static void print_unreferenced(struct se
67130
67131 for (i = 0; i < object->trace_len; i++) {
67132 void *ptr = (void *)object->trace[i];
67133 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
67134 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
67135 }
67136 }
67137
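Review bot: The trace line still prints the raw address through `%p` right next to the new `%pA`. `%pA` is not defined in this part of the patch; if it is meant to limit what symbol information is disclosed, the adjacent `[<%p>]` continues to expose the kernel address and undoes most of that. Either route the address through the same restriction or add a comment that this debug output is intentionally unfiltered. print_unreferenced() starts and ends outside the hunk.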
67138 diff -urNp linux-2.6.32.43/mm/maccess.c linux-2.6.32.43/mm/maccess.c
67139 --- linux-2.6.32.43/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
67140 +++ linux-2.6.32.43/mm/maccess.c 2011-04-17 15:56:46.000000000 -0400
67141 @@ -14,7 +14,7 @@
67142 * Safely read from address @src to the buffer at @dst. If a kernel fault
67143 * happens, handle that and return -EFAULT.
67144 */
67145 -long probe_kernel_read(void *dst, void *src, size_t size)
67146 +long probe_kernel_read(void *dst, const void *src, size_t size)
67147 {
67148 long ret;
67149 mm_segment_t old_fs = get_fs();
67150 @@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
67151 * Safely write to address @dst from the buffer at @src. If a kernel fault
67152 * happens, handle that and return -EFAULT.
67153 */
67154 -long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
67155 +long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
67156 {
67157 long ret;
67158 mm_segment_t old_fs = get_fs();
67159 diff -urNp linux-2.6.32.43/mm/madvise.c linux-2.6.32.43/mm/madvise.c
67160 --- linux-2.6.32.43/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
67161 +++ linux-2.6.32.43/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
67162 @@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
67163 pgoff_t pgoff;
67164 unsigned long new_flags = vma->vm_flags;
67165
67166 +#ifdef CONFIG_PAX_SEGMEXEC
67167 + struct vm_area_struct *vma_m;
67168 +#endif
67169 +
67170 switch (behavior) {
67171 case MADV_NORMAL:
67172 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
67173 @@ -103,6 +107,13 @@ success:
67174 /*
67175 * vm_flags is protected by the mmap_sem held in write mode.
67176 */
67177 +
67178 +#ifdef CONFIG_PAX_SEGMEXEC
67179 + vma_m = pax_find_mirror_vma(vma);
67180 + if (vma_m)
67181 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
67182 +#endif
67183 +
67184 vma->vm_flags = new_flags;
67185
67186 out:
67187 @@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
67188 struct vm_area_struct ** prev,
67189 unsigned long start, unsigned long end)
67190 {
67191 +
67192 +#ifdef CONFIG_PAX_SEGMEXEC
67193 + struct vm_area_struct *vma_m;
67194 +#endif
67195 +
67196 *prev = vma;
67197 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
67198 return -EINVAL;
67199 @@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
67200 zap_page_range(vma, start, end - start, &details);
67201 } else
67202 zap_page_range(vma, start, end - start, NULL);
67203 +
67204 +#ifdef CONFIG_PAX_SEGMEXEC
67205 + vma_m = pax_find_mirror_vma(vma);
67206 + if (vma_m) {
67207 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
67208 + struct zap_details details = {
67209 + .nonlinear_vma = vma_m,
67210 + .last_index = ULONG_MAX,
67211 + };
67212 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
67213 + } else
67214 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
67215 + }
67216 +#endif
67217 +
67218 return 0;
67219 }
67220
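Review bot: Both mirror calls to `zap_page_range()` pass `vma` together with an address in the mirror range (`start + SEGMEXEC_TASK_SIZE`), while `details.nonlinear_vma` is set to `vma_m`. If the lower vma is deliberately used as the starting point of the vma walk, that needs a comment; otherwise `vma_m` looks like the intended argument, as in `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. The unbraced `else` arm should be braced to match the `if`.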
67221 @@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
67222 if (end < start)
67223 goto out;
67224
67225 +#ifdef CONFIG_PAX_SEGMEXEC
67226 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
67227 + if (end > SEGMEXEC_TASK_SIZE)
67228 + goto out;
67229 + } else
67230 +#endif
67231 +
67232 + if (end > TASK_SIZE)
67233 + goto out;
67234 +
67235 error = 0;
67236 if (end == start)
67237 goto out;
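Review bot: The range check closes its `#ifdef` block on a bare `} else`, so the `if (end > TASK_SIZE)` after the `#endif` and a blank line is the else-branch when SEGMEXEC is configured and a free-standing statement otherwise. Anyone inserting a statement between the `#endif` and that `if` changes behaviour in one configuration only. The same construct is used in do_mbind() in mm/mempolicy.c, and do_swap_page() in mm/memory.c ends its `#ifdef` on a bare `if (...)` that guards `unlock_page(page)`. Selecting the limit first and testing once, as sketched below, removes the dependency on statement adjacency. The syscall body starts and ends outside the hunk.

```c
/* declared with the other locals at the top of the function */
	unsigned long limit = TASK_SIZE;

/* … unchanged: start/len validation and the end < start check … */

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > limit)
		goto out;
```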
67238 diff -urNp linux-2.6.32.43/mm/memory.c linux-2.6.32.43/mm/memory.c
67239 --- linux-2.6.32.43/mm/memory.c 2011-07-13 17:23:04.000000000 -0400
67240 +++ linux-2.6.32.43/mm/memory.c 2011-07-13 17:23:23.000000000 -0400
67241 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
67242 return;
67243
67244 pmd = pmd_offset(pud, start);
67245 +
67246 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
67247 pud_clear(pud);
67248 pmd_free_tlb(tlb, pmd, start);
67249 +#endif
67250 +
67251 }
67252
67253 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
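Review bot: In free_pmd_range() the new `#if` leaves `pmd = pmd_offset(pud, start);` outside the guard, so with `CONFIG_X86_32` and `CONFIG_PAX_PER_CPU_PGD` both set the assignment is dead. The matching hunk in free_pud_range() puts `pud = pud_offset(pgd, start);` inside the guard; move the `pmd_offset()` line inside too so the two functions agree. Neither hunk says why the table must not be cleared and freed in that configuration, and a skipped free reads as a leak, so each `#if` needs a short comment. Both functions begin outside their hunks.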
67254 @@ -219,9 +223,12 @@ static inline void free_pud_range(struct
67255 if (end - 1 > ceiling - 1)
67256 return;
67257
67258 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
67259 pud = pud_offset(pgd, start);
67260 pgd_clear(pgd);
67261 pud_free_tlb(tlb, pud, start);
67262 +#endif
67263 +
67264 }
67265
67266 /*
67267 @@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
67268 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
67269 i = 0;
67270
67271 - do {
67272 + while (nr_pages) {
67273 struct vm_area_struct *vma;
67274
67275 - vma = find_extend_vma(mm, start);
67276 + vma = find_vma(mm, start);
67277 if (!vma && in_gate_area(tsk, start)) {
67278 unsigned long pg = start & PAGE_MASK;
67279 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
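Review bot: Replacing `find_extend_vma()` with `find_vma()` means this path no longer grows a stack vma, and the `start < vma->vm_start` test added in the next hunk turns an access below the vma into `-EFAULT`. That is a behaviour change for any caller that relied on implicit expansion, and none of the three hunks says so. A comment at the lookup such as `/* PaX: do not expand the stack on behalf of get_user_pages() */` would record the intent. The conversion from do/while to `while (nr_pages)` is split between this hunk and the one at `@@ -1381`, and the function extends beyond all three.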
67280 @@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
67281 continue;
67282 }
67283
67284 - if (!vma ||
67285 + if (!vma || start < vma->vm_start ||
67286 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
67287 !(vm_flags & vma->vm_flags))
67288 return i ? : -EFAULT;
67289 @@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
67290 start += PAGE_SIZE;
67291 nr_pages--;
67292 } while (nr_pages && start < vma->vm_end);
67293 - } while (nr_pages);
67294 + }
67295 return i;
67296 }
67297
67298 @@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
67299 page_add_file_rmap(page);
67300 set_pte_at(mm, addr, pte, mk_pte(page, prot));
67301
67302 +#ifdef CONFIG_PAX_SEGMEXEC
67303 + pax_mirror_file_pte(vma, addr, page, ptl);
67304 +#endif
67305 +
67306 retval = 0;
67307 pte_unmap_unlock(pte, ptl);
67308 return retval;
67309 @@ -1560,10 +1571,22 @@ out:
67310 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
67311 struct page *page)
67312 {
67313 +
67314 +#ifdef CONFIG_PAX_SEGMEXEC
67315 + struct vm_area_struct *vma_m;
67316 +#endif
67317 +
67318 if (addr < vma->vm_start || addr >= vma->vm_end)
67319 return -EFAULT;
67320 if (!page_count(page))
67321 return -EINVAL;
67322 +
67323 +#ifdef CONFIG_PAX_SEGMEXEC
67324 + vma_m = pax_find_mirror_vma(vma);
67325 + if (vma_m)
67326 + vma_m->vm_flags |= VM_INSERTPAGE;
67327 +#endif
67328 +
67329 vma->vm_flags |= VM_INSERTPAGE;
67330 return insert_page(vma, addr, page, vma->vm_page_prot);
67331 }
67332 @@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
67333 unsigned long pfn)
67334 {
67335 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
67336 + BUG_ON(vma->vm_mirror);
67337
67338 if (addr < vma->vm_start || addr >= vma->vm_end)
67339 return -EFAULT;
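Review bot: `BUG_ON(vma->vm_mirror);` is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, unlike the other mirror-related additions visible in this file. If `vm_mirror` is declared only under that option (its declaration is not visible here), the build breaks without it. Where it does build, a caller passing a mirrored vma to vm_insert_mixed() stops the kernel rather than getting an error. Consider guarding the line and failing softly, e.g. `if (vma->vm_mirror) return -EINVAL;`, after confirming that callers tolerate the error return.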
67340 @@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
67341 copy_user_highpage(dst, src, va, vma);
67342 }
67343
67344 +#ifdef CONFIG_PAX_SEGMEXEC
67345 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
67346 +{
67347 + struct mm_struct *mm = vma->vm_mm;
67348 + spinlock_t *ptl;
67349 + pte_t *pte, entry;
67350 +
67351 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
67352 + entry = *pte;
67353 + if (!pte_present(entry)) {
67354 + if (!pte_none(entry)) {
67355 + BUG_ON(pte_file(entry));
67356 + free_swap_and_cache(pte_to_swp_entry(entry));
67357 + pte_clear_not_present_full(mm, address, pte, 0);
67358 + }
67359 + } else {
67360 + struct page *page;
67361 +
67362 + flush_cache_page(vma, address, pte_pfn(entry));
67363 + entry = ptep_clear_flush(vma, address, pte);
67364 + BUG_ON(pte_dirty(entry));
67365 + page = vm_normal_page(vma, address, entry);
67366 + if (page) {
67367 + update_hiwater_rss(mm);
67368 + if (PageAnon(page))
67369 + dec_mm_counter(mm, anon_rss);
67370 + else
67371 + dec_mm_counter(mm, file_rss);
67372 + page_remove_rmap(page);
67373 + page_cache_release(page);
67374 + }
67375 + }
67376 + pte_unmap_unlock(pte, ptl);
67377 +}
67378 +
67379 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
67380 + *
67381 + * the ptl of the lower mapped page is held on entry and is not released on exit
67382 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
67383 + */
67384 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67385 +{
67386 + struct mm_struct *mm = vma->vm_mm;
67387 + unsigned long address_m;
67388 + spinlock_t *ptl_m;
67389 + struct vm_area_struct *vma_m;
67390 + pmd_t *pmd_m;
67391 + pte_t *pte_m, entry_m;
67392 +
67393 + BUG_ON(!page_m || !PageAnon(page_m));
67394 +
67395 + vma_m = pax_find_mirror_vma(vma);
67396 + if (!vma_m)
67397 + return;
67398 +
67399 + BUG_ON(!PageLocked(page_m));
67400 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67401 + address_m = address + SEGMEXEC_TASK_SIZE;
67402 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67403 + pte_m = pte_offset_map_nested(pmd_m, address_m);
67404 + ptl_m = pte_lockptr(mm, pmd_m);
67405 + if (ptl != ptl_m) {
67406 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67407 + if (!pte_none(*pte_m))
67408 + goto out;
67409 + }
67410 +
67411 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67412 + page_cache_get(page_m);
67413 + page_add_anon_rmap(page_m, vma_m, address_m);
67414 + inc_mm_counter(mm, anon_rss);
67415 + set_pte_at(mm, address_m, pte_m, entry_m);
67416 + update_mmu_cache(vma_m, address_m, entry_m);
67417 +out:
67418 + if (ptl != ptl_m)
67419 + spin_unlock(ptl_m);
67420 + pte_unmap_nested(pte_m);
67421 + unlock_page(page_m);
67422 +}
67423 +
67424 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
67425 +{
67426 + struct mm_struct *mm = vma->vm_mm;
67427 + unsigned long address_m;
67428 + spinlock_t *ptl_m;
67429 + struct vm_area_struct *vma_m;
67430 + pmd_t *pmd_m;
67431 + pte_t *pte_m, entry_m;
67432 +
67433 + BUG_ON(!page_m || PageAnon(page_m));
67434 +
67435 + vma_m = pax_find_mirror_vma(vma);
67436 + if (!vma_m)
67437 + return;
67438 +
67439 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67440 + address_m = address + SEGMEXEC_TASK_SIZE;
67441 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67442 + pte_m = pte_offset_map_nested(pmd_m, address_m);
67443 + ptl_m = pte_lockptr(mm, pmd_m);
67444 + if (ptl != ptl_m) {
67445 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67446 + if (!pte_none(*pte_m))
67447 + goto out;
67448 + }
67449 +
67450 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
67451 + page_cache_get(page_m);
67452 + page_add_file_rmap(page_m);
67453 + inc_mm_counter(mm, file_rss);
67454 + set_pte_at(mm, address_m, pte_m, entry_m);
67455 + update_mmu_cache(vma_m, address_m, entry_m);
67456 +out:
67457 + if (ptl != ptl_m)
67458 + spin_unlock(ptl_m);
67459 + pte_unmap_nested(pte_m);
67460 +}
67461 +
67462 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
67463 +{
67464 + struct mm_struct *mm = vma->vm_mm;
67465 + unsigned long address_m;
67466 + spinlock_t *ptl_m;
67467 + struct vm_area_struct *vma_m;
67468 + pmd_t *pmd_m;
67469 + pte_t *pte_m, entry_m;
67470 +
67471 + vma_m = pax_find_mirror_vma(vma);
67472 + if (!vma_m)
67473 + return;
67474 +
67475 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
67476 + address_m = address + SEGMEXEC_TASK_SIZE;
67477 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
67478 + pte_m = pte_offset_map_nested(pmd_m, address_m);
67479 + ptl_m = pte_lockptr(mm, pmd_m);
67480 + if (ptl != ptl_m) {
67481 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
67482 + if (!pte_none(*pte_m))
67483 + goto out;
67484 + }
67485 +
67486 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
67487 + set_pte_at(mm, address_m, pte_m, entry_m);
67488 +out:
67489 + if (ptl != ptl_m)
67490 + spin_unlock(ptl_m);
67491 + pte_unmap_nested(pte_m);
67492 +}
67493 +
67494 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
67495 +{
67496 + struct page *page_m;
67497 + pte_t entry;
67498 +
67499 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
67500 + goto out;
67501 +
67502 + entry = *pte;
67503 + page_m = vm_normal_page(vma, address, entry);
67504 + if (!page_m)
67505 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
67506 + else if (PageAnon(page_m)) {
67507 + if (pax_find_mirror_vma(vma)) {
67508 + pte_unmap_unlock(pte, ptl);
67509 + lock_page(page_m);
67510 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
67511 + if (pte_same(entry, *pte))
67512 + pax_mirror_anon_pte(vma, address, page_m, ptl);
67513 + else
67514 + unlock_page(page_m);
67515 + }
67516 + } else
67517 + pax_mirror_file_pte(vma, address, page_m, ptl);
67518 +
67519 +out:
67520 + pte_unmap_unlock(pte, ptl);
67521 +}
67522 +#endif
67523 +
67524 /*
67525 * This routine handles present pages, when users try to write
67526 * to a shared page. It is done by copying the page to a new address
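Review bot: In pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `!pte_none(*pte_m)` test sits inside `if (ptl != ptl_m)`, so it is skipped whenever both addresses share one page-table lock. In that case an already populated mirror PTE would be overwritten and, in the anon and file variants, the page reference, rmap and rss counter taken a second time. This should be confirmed against a build without split page-table locks. Moving the test out of the block covers both cases: `if (ptl != ptl_m) spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);` followed by `if (!pte_none(*pte_m)) goto out;`. The header comment on pax_mirror_anon_pte() should also state that `page_m` must be locked by the caller when a mirror exists and is unlocked on return, as the `BUG_ON(!PageLocked(page_m))` and the trailing `unlock_page()` imply.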
67527 @@ -2156,6 +2360,12 @@ gotten:
67528 */
67529 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67530 if (likely(pte_same(*page_table, orig_pte))) {
67531 +
67532 +#ifdef CONFIG_PAX_SEGMEXEC
67533 + if (pax_find_mirror_vma(vma))
67534 + BUG_ON(!trylock_page(new_page));
67535 +#endif
67536 +
67537 if (old_page) {
67538 if (!PageAnon(old_page)) {
67539 dec_mm_counter(mm, file_rss);
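Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition itself inside an assertion macro. That works only while `BUG_ON()` always evaluates its argument; written as `if (!trylock_page(new_page)) BUG();` the side effect no longer depends on how the macro is defined. The same form is added in do_anonymous_page() and __do_fault() later in this file. A comment that the lock is released by pax_mirror_anon_pte() would help, because no matching `unlock_page()` appears next to any of these sites.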
67540 @@ -2207,6 +2417,10 @@ gotten:
67541 page_remove_rmap(old_page);
67542 }
67543
67544 +#ifdef CONFIG_PAX_SEGMEXEC
67545 + pax_mirror_anon_pte(vma, address, new_page, ptl);
67546 +#endif
67547 +
67548 /* Free the old page.. */
67549 new_page = old_page;
67550 ret |= VM_FAULT_WRITE;
67551 @@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
67552 swap_free(entry);
67553 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
67554 try_to_free_swap(page);
67555 +
67556 +#ifdef CONFIG_PAX_SEGMEXEC
67557 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
67558 +#endif
67559 +
67560 unlock_page(page);
67561
67562 if (flags & FAULT_FLAG_WRITE) {
67563 @@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
67564
67565 /* No need to invalidate - it was non-present before */
67566 update_mmu_cache(vma, address, pte);
67567 +
67568 +#ifdef CONFIG_PAX_SEGMEXEC
67569 + pax_mirror_anon_pte(vma, address, page, ptl);
67570 +#endif
67571 +
67572 unlock:
67573 pte_unmap_unlock(page_table, ptl);
67574 out:
67575 @@ -2632,40 +2856,6 @@ out_release:
67576 }
67577
67578 /*
67579 - * This is like a special single-page "expand_{down|up}wards()",
67580 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
67581 - * doesn't hit another vma.
67582 - */
67583 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
67584 -{
67585 - address &= PAGE_MASK;
67586 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
67587 - struct vm_area_struct *prev = vma->vm_prev;
67588 -
67589 - /*
67590 - * Is there a mapping abutting this one below?
67591 - *
67592 - * That's only ok if it's the same stack mapping
67593 - * that has gotten split..
67594 - */
67595 - if (prev && prev->vm_end == address)
67596 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
67597 -
67598 - expand_stack(vma, address - PAGE_SIZE);
67599 - }
67600 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
67601 - struct vm_area_struct *next = vma->vm_next;
67602 -
67603 - /* As VM_GROWSDOWN but s/below/above/ */
67604 - if (next && next->vm_start == address + PAGE_SIZE)
67605 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
67606 -
67607 - expand_upwards(vma, address + PAGE_SIZE);
67608 - }
67609 - return 0;
67610 -}
67611 -
67612 -/*
67613 * We enter with non-exclusive mmap_sem (to exclude vma changes,
67614 * but allow concurrent faults), and pte mapped but not yet locked.
67615 * We return with mmap_sem still held, but pte unmapped and unlocked.
67616 @@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
67617 unsigned long address, pte_t *page_table, pmd_t *pmd,
67618 unsigned int flags)
67619 {
67620 - struct page *page;
67621 + struct page *page = NULL;
67622 spinlock_t *ptl;
67623 pte_t entry;
67624
67625 - pte_unmap(page_table);
67626 -
67627 - /* Check if we need to add a guard page to the stack */
67628 - if (check_stack_guard_page(vma, address) < 0)
67629 - return VM_FAULT_SIGBUS;
67630 -
67631 - /* Use the zero-page for reads */
67632 if (!(flags & FAULT_FLAG_WRITE)) {
67633 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
67634 vma->vm_page_prot));
67635 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
67636 + ptl = pte_lockptr(mm, pmd);
67637 + spin_lock(ptl);
67638 if (!pte_none(*page_table))
67639 goto unlock;
67640 goto setpte;
67641 }
67642
67643 /* Allocate our own private page. */
67644 + pte_unmap(page_table);
67645 +
67646 if (unlikely(anon_vma_prepare(vma)))
67647 goto oom;
67648 page = alloc_zeroed_user_highpage_movable(vma, address);
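Review bot: This hunk drops the `check_stack_guard_page()` call (the helper itself is deleted in the preceding hunk) without a comment naming what enforces the stack gap instead. If another part of the patch takes over that job, reference it here, e.g. `/* stack guard gap is enforced by <function> */`, so a later merge does not lose the protection unnoticed. The read path now locks through `pte_lockptr()` and `spin_lock()` on the still-mapped `page_table`, while the write path unmaps first; that asymmetry is easy to break and deserves a one-line comment. The function continues beyond the hunk.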
67649 @@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
67650 if (!pte_none(*page_table))
67651 goto release;
67652
67653 +#ifdef CONFIG_PAX_SEGMEXEC
67654 + if (pax_find_mirror_vma(vma))
67655 + BUG_ON(!trylock_page(page));
67656 +#endif
67657 +
67658 inc_mm_counter(mm, anon_rss);
67659 page_add_new_anon_rmap(page, vma, address);
67660 setpte:
67661 @@ -2720,6 +2911,12 @@ setpte:
67662
67663 /* No need to invalidate - it was non-present before */
67664 update_mmu_cache(vma, address, entry);
67665 +
67666 +#ifdef CONFIG_PAX_SEGMEXEC
67667 + if (page)
67668 + pax_mirror_anon_pte(vma, address, page, ptl);
67669 +#endif
67670 +
67671 unlock:
67672 pte_unmap_unlock(page_table, ptl);
67673 return 0;
67674 @@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
67675 */
67676 /* Only go through if we didn't race with anybody else... */
67677 if (likely(pte_same(*page_table, orig_pte))) {
67678 +
67679 +#ifdef CONFIG_PAX_SEGMEXEC
67680 + if (anon && pax_find_mirror_vma(vma))
67681 + BUG_ON(!trylock_page(page));
67682 +#endif
67683 +
67684 flush_icache_page(vma, page);
67685 entry = mk_pte(page, vma->vm_page_prot);
67686 if (flags & FAULT_FLAG_WRITE)
67687 @@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
67688
67689 /* no need to invalidate: a not-present page won't be cached */
67690 update_mmu_cache(vma, address, entry);
67691 +
67692 +#ifdef CONFIG_PAX_SEGMEXEC
67693 + if (anon)
67694 + pax_mirror_anon_pte(vma, address, page, ptl);
67695 + else
67696 + pax_mirror_file_pte(vma, address, page, ptl);
67697 +#endif
67698 +
67699 } else {
67700 if (charged)
67701 mem_cgroup_uncharge_page(page);
67702 @@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
67703 if (flags & FAULT_FLAG_WRITE)
67704 flush_tlb_page(vma, address);
67705 }
67706 +
67707 +#ifdef CONFIG_PAX_SEGMEXEC
67708 + pax_mirror_pte(vma, address, pte, pmd, ptl);
67709 + return 0;
67710 +#endif
67711 +
67712 unlock:
67713 pte_unmap_unlock(pte, ptl);
67714 return 0;
67715 @@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
67716 pmd_t *pmd;
67717 pte_t *pte;
67718
67719 +#ifdef CONFIG_PAX_SEGMEXEC
67720 + struct vm_area_struct *vma_m;
67721 +#endif
67722 +
67723 __set_current_state(TASK_RUNNING);
67724
67725 count_vm_event(PGFAULT);
67726 @@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
67727 if (unlikely(is_vm_hugetlb_page(vma)))
67728 return hugetlb_fault(mm, vma, address, flags);
67729
67730 +#ifdef CONFIG_PAX_SEGMEXEC
67731 + vma_m = pax_find_mirror_vma(vma);
67732 + if (vma_m) {
67733 + unsigned long address_m;
67734 + pgd_t *pgd_m;
67735 + pud_t *pud_m;
67736 + pmd_t *pmd_m;
67737 +
67738 + if (vma->vm_start > vma_m->vm_start) {
67739 + address_m = address;
67740 + address -= SEGMEXEC_TASK_SIZE;
67741 + vma = vma_m;
67742 + } else
67743 + address_m = address + SEGMEXEC_TASK_SIZE;
67744 +
67745 + pgd_m = pgd_offset(mm, address_m);
67746 + pud_m = pud_alloc(mm, pgd_m, address_m);
67747 + if (!pud_m)
67748 + return VM_FAULT_OOM;
67749 + pmd_m = pmd_alloc(mm, pud_m, address_m);
67750 + if (!pmd_m)
67751 + return VM_FAULT_OOM;
67752 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
67753 + return VM_FAULT_OOM;
67754 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
67755 + }
67756 +#endif
67757 +
67758 pgd = pgd_offset(mm, address);
67759 pud = pud_alloc(mm, pgd, address);
67760 if (!pud)
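Review bot: After the `vma = vma_m;` swap in the first arm, `vma_m` is not reassigned, so `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` receives the lower vma together with an address in the mirror range. In the `else` arm it receives the upper vma. If both are acceptable because the helper only uses state the pair shares, a comment should say so; otherwise keep a separate pointer to the upper vma before the swap. The unbraced `else` arm should also be braced to match the `if`. The function continues beyond the hunk.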
67761 @@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
67762 gate_vma.vm_start = FIXADDR_USER_START;
67763 gate_vma.vm_end = FIXADDR_USER_END;
67764 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
67765 - gate_vma.vm_page_prot = __P101;
67766 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
67767 /*
67768 * Make sure the vDSO gets into every core dump.
67769 * Dumping its contents makes post-mortem fully interpretable later
67770 diff -urNp linux-2.6.32.43/mm/memory-failure.c linux-2.6.32.43/mm/memory-failure.c
67771 --- linux-2.6.32.43/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
67772 +++ linux-2.6.32.43/mm/memory-failure.c 2011-04-17 15:56:46.000000000 -0400
67773 @@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
67774
67775 int sysctl_memory_failure_recovery __read_mostly = 1;
67776
67777 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
67778 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
67779
67780 /*
67781 * Send all the processes who have the page mapped an ``action optional''
67782 @@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
67783 return 0;
67784 }
67785
67786 - atomic_long_add(1, &mce_bad_pages);
67787 + atomic_long_add_unchecked(1, &mce_bad_pages);
67788
67789 /*
67790 * We need/can do nothing about count=0 pages.
67791 diff -urNp linux-2.6.32.43/mm/mempolicy.c linux-2.6.32.43/mm/mempolicy.c
67792 --- linux-2.6.32.43/mm/mempolicy.c 2011-03-27 14:31:47.000000000 -0400
67793 +++ linux-2.6.32.43/mm/mempolicy.c 2011-04-17 15:56:46.000000000 -0400
67794 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
67795 struct vm_area_struct *next;
67796 int err;
67797
67798 +#ifdef CONFIG_PAX_SEGMEXEC
67799 + struct vm_area_struct *vma_m;
67800 +#endif
67801 +
67802 err = 0;
67803 for (; vma && vma->vm_start < end; vma = next) {
67804 next = vma->vm_next;
67805 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
67806 err = policy_vma(vma, new);
67807 if (err)
67808 break;
67809 +
67810 +#ifdef CONFIG_PAX_SEGMEXEC
67811 + vma_m = pax_find_mirror_vma(vma);
67812 + if (vma_m) {
67813 + err = policy_vma(vma_m, new);
67814 + if (err)
67815 + break;
67816 + }
67817 +#endif
67818 +
67819 }
67820 return err;
67821 }
67822 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
67823
67824 if (end < start)
67825 return -EINVAL;
67826 +
67827 +#ifdef CONFIG_PAX_SEGMEXEC
67828 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
67829 + if (end > SEGMEXEC_TASK_SIZE)
67830 + return -EINVAL;
67831 + } else
67832 +#endif
67833 +
67834 + if (end > TASK_SIZE)
67835 + return -EINVAL;
67836 +
67837 if (end == start)
67838 return 0;
67839
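Review bot: The `} else` that closes the CONFIG_PAX_SEGMEXEC block is left hanging across `#endif` and a blank line, so `if (end > TASK_SIZE)` is its body only in SEGMEXEC builds and a standalone statement otherwise. That is easy to break with a later edit to either side of the `#endif`. A single bound would read more safely: a local `limit` set to `TASK_SIZE`, overridden to `SEGMEXEC_TASK_SIZE` inside the `#ifdef` when `mm->pax_flags & MF_PAX_SEGMEXEC`, followed by one `if (end > limit) return -EINVAL;`. do_mbind starts and continues outside the hunk.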
67840 @@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
67841 if (!mm)
67842 return -EINVAL;
67843
67844 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67845 + if (mm != current->mm &&
67846 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
67847 + err = -EPERM;
67848 + goto out;
67849 + }
67850 +#endif
67851 +
67852 /*
67853 * Check if this process has the right to modify the specified
67854 * process. The right exists if the process has administrative
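Review bot: The new CONFIG_GRKERNSEC_PROC_MEMMAP block has no comment explaining why a foreign mm with MF_PAX_RANDMMAP or MF_PAX_SEGMEXEC is refused, and the reason is not evident from the code. It runs before the credential test, so it also refuses callers holding CAP_SYS_NICE; if that is intended, the comment should say so, for example `/* never operate on another process's randomized or SEGMEXEC mm, regardless of privilege */` (wording for the author to confirm). The flag test can be folded into `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`. The identical block is added to move_pages in the mm/migrate.c section and needs the same treatment.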
67855 @@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
67856 rcu_read_lock();
67857 tcred = __task_cred(task);
67858 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
67859 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
67860 - !capable(CAP_SYS_NICE)) {
67861 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
67862 rcu_read_unlock();
67863 err = -EPERM;
67864 goto out;
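Review bot: Dropping `cred->uid != tcred->uid` from the conjunction makes the test stricter: a caller whose real uid matches only the target's real uid is now refused unless it has CAP_SYS_NICE. The comment that introduces this test starts at the end of the previous hunk and continues outside the visible lines; it presumably still describes the old four-way rule and should be updated together with the condition. The move_pages hunk in mm/migrate.c makes the same edit and needs the same comment fix.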
67865 @@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
67866
67867 if (file) {
67868 seq_printf(m, " file=");
67869 - seq_path(m, &file->f_path, "\n\t= ");
67870 + seq_path(m, &file->f_path, "\n\t\\= ");
67871 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
67872 seq_printf(m, " heap");
67873 } else if (vma->vm_start <= mm->start_stack &&
67874 diff -urNp linux-2.6.32.43/mm/migrate.c linux-2.6.32.43/mm/migrate.c
67875 --- linux-2.6.32.43/mm/migrate.c 2011-07-13 17:23:04.000000000 -0400
67876 +++ linux-2.6.32.43/mm/migrate.c 2011-07-13 17:23:23.000000000 -0400
67877 @@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
67878 unsigned long chunk_start;
67879 int err;
67880
67881 + pax_track_stack();
67882 +
67883 task_nodes = cpuset_mems_allowed(task);
67884
67885 err = -ENOMEM;
67886 @@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
67887 if (!mm)
67888 return -EINVAL;
67889
67890 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
67891 + if (mm != current->mm &&
67892 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
67893 + err = -EPERM;
67894 + goto out;
67895 + }
67896 +#endif
67897 +
67898 /*
67899 * Check if this process has the right to modify the specified
67900 * process. The right exists if the process has administrative
67901 @@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
67902 rcu_read_lock();
67903 tcred = __task_cred(task);
67904 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
67905 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
67906 - !capable(CAP_SYS_NICE)) {
67907 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
67908 rcu_read_unlock();
67909 err = -EPERM;
67910 goto out;
67911 diff -urNp linux-2.6.32.43/mm/mlock.c linux-2.6.32.43/mm/mlock.c
67912 --- linux-2.6.32.43/mm/mlock.c 2011-03-27 14:31:47.000000000 -0400
67913 +++ linux-2.6.32.43/mm/mlock.c 2011-04-17 15:56:46.000000000 -0400
67914 @@ -13,6 +13,7 @@
67915 #include <linux/pagemap.h>
67916 #include <linux/mempolicy.h>
67917 #include <linux/syscalls.h>
67918 +#include <linux/security.h>
67919 #include <linux/sched.h>
67920 #include <linux/module.h>
67921 #include <linux/rmap.h>
67922 @@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
67923 }
67924 }
67925
67926 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
67927 -{
67928 - return (vma->vm_flags & VM_GROWSDOWN) &&
67929 - (vma->vm_start == addr) &&
67930 - !vma_stack_continue(vma->vm_prev, addr);
67931 -}
67932 -
67933 /**
67934 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
67935 * @vma: target vma
67936 @@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
67937 if (vma->vm_flags & VM_WRITE)
67938 gup_flags |= FOLL_WRITE;
67939
67940 - /* We don't try to access the guard page of a stack vma */
67941 - if (stack_guard_page(vma, start)) {
67942 - addr += PAGE_SIZE;
67943 - nr_pages--;
67944 - }
67945 -
67946 while (nr_pages > 0) {
67947 int i;
67948
67949 @@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
67950 {
67951 unsigned long nstart, end, tmp;
67952 struct vm_area_struct * vma, * prev;
67953 - int error;
67954 + int error = -EINVAL;
67955
67956 len = PAGE_ALIGN(len);
67957 end = start + len;
67958 @@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
67959 return -EINVAL;
67960 if (end == start)
67961 return 0;
67962 + if (end > TASK_SIZE)
67963 + return -EINVAL;
67964 +
67965 vma = find_vma_prev(current->mm, start, &prev);
67966 if (!vma || vma->vm_start > start)
67967 return -ENOMEM;
67968 @@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
67969 for (nstart = start ; ; ) {
67970 unsigned int newflags;
67971
67972 +#ifdef CONFIG_PAX_SEGMEXEC
67973 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
67974 + break;
67975 +#endif
67976 +
67977 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
67978
67979 newflags = vma->vm_flags | VM_LOCKED;
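Review bot: Breaking out of the loop when the walk reaches a vma at or above SEGMEXEC_TASK_SIZE returns whatever `error` holds at that point. That is -EINVAL on the first iteration, but presumably 0 once an earlier vma has been processed, so a range running into the upper half would be reported as success with only part of it handled (the rest of the loop is outside the hunk). do_mbind in mm/mempolicy.c rejects such ranges up front with `end > SEGMEXEC_TASK_SIZE` for SEGMEXEC mms, while the bound added to do_mlock in the previous hunk is only `end > TASK_SIZE`. Applying the same up-front test here would make the two paths consistent and remove the need for the `break`.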
67980 @@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
67981 lock_limit >>= PAGE_SHIFT;
67982
67983 /* check against resource limits */
67984 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
67985 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
67986 error = do_mlock(start, len, 1);
67987 up_write(&current->mm->mmap_sem);
67988 @@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
67989 static int do_mlockall(int flags)
67990 {
67991 struct vm_area_struct * vma, * prev = NULL;
67992 - unsigned int def_flags = 0;
67993
67994 if (flags & MCL_FUTURE)
67995 - def_flags = VM_LOCKED;
67996 - current->mm->def_flags = def_flags;
67997 + current->mm->def_flags |= VM_LOCKED;
67998 + else
67999 + current->mm->def_flags &= ~VM_LOCKED;
68000 if (flags == MCL_FUTURE)
68001 goto out;
68002
68003 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
68004 - unsigned int newflags;
68005 + unsigned long newflags;
68006 +
68007 +#ifdef CONFIG_PAX_SEGMEXEC
68008 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
68009 + break;
68010 +#endif
68011
68012 + BUG_ON(vma->vm_end > TASK_SIZE);
68013 newflags = vma->vm_flags | VM_LOCKED;
68014 if (!(flags & MCL_CURRENT))
68015 newflags &= ~VM_LOCKED;
68016 @@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
68017 lock_limit >>= PAGE_SHIFT;
68018
68019 ret = -ENOMEM;
68020 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
68021 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
68022 capable(CAP_IPC_LOCK))
68023 ret = do_mlockall(flags);
68024 diff -urNp linux-2.6.32.43/mm/mmap.c linux-2.6.32.43/mm/mmap.c
68025 --- linux-2.6.32.43/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
68026 +++ linux-2.6.32.43/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
68027 @@ -45,6 +45,16 @@
68028 #define arch_rebalance_pgtables(addr, len) (addr)
68029 #endif
68030
68031 +static inline void verify_mm_writelocked(struct mm_struct *mm)
68032 +{
68033 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
68034 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
68035 + up_read(&mm->mmap_sem);
68036 + BUG();
68037 + }
68038 +#endif
68039 +}
68040 +
68041 static void unmap_region(struct mm_struct *mm,
68042 struct vm_area_struct *vma, struct vm_area_struct *prev,
68043 unsigned long start, unsigned long end);
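Review bot: verify_mm_writelocked has no comment, and its name promises more than the check delivers. A failing `down_read_trylock()` shows only that the semaphore cannot be read-acquired right now, presumably because some writer holds it; it does not show that the current task is that writer. I would add a header comment along the lines of `/* BUG if mmap_sem can be taken for read, i.e. nobody holds it for write; does not prove that current is the holder */`. The comment should also note that the function compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set.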
68044 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
68045 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
68046 *
68047 */
68048 -pgprot_t protection_map[16] = {
68049 +pgprot_t protection_map[16] __read_only = {
68050 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
68051 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
68052 };
68053
68054 pgprot_t vm_get_page_prot(unsigned long vm_flags)
68055 {
68056 - return __pgprot(pgprot_val(protection_map[vm_flags &
68057 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
68058 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
68059 pgprot_val(arch_vm_get_page_prot(vm_flags)));
68060 +
68061 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68062 + if (!nx_enabled &&
68063 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
68064 + (vm_flags & (VM_READ | VM_WRITE)))
68065 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
68066 +#endif
68067 +
68068 + return prot;
68069 }
68070 EXPORT_SYMBOL(vm_get_page_prot);
68071
68072 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
68073 int sysctl_overcommit_ratio = 50; /* default is 50% */
68074 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
68075 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
68076 struct percpu_counter vm_committed_as;
68077
68078 /*
68079 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
68080 struct vm_area_struct *next = vma->vm_next;
68081
68082 might_sleep();
68083 + BUG_ON(vma->vm_mirror);
68084 if (vma->vm_ops && vma->vm_ops->close)
68085 vma->vm_ops->close(vma);
68086 if (vma->vm_file) {
68087 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
68088 * not page aligned -Ram Gupta
68089 */
68090 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
68091 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
68092 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
68093 (mm->end_data - mm->start_data) > rlim)
68094 goto out;
68095 @@ -704,6 +726,12 @@ static int
68096 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
68097 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68098 {
68099 +
68100 +#ifdef CONFIG_PAX_SEGMEXEC
68101 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
68102 + return 0;
68103 +#endif
68104 +
68105 if (is_mergeable_vma(vma, file, vm_flags) &&
68106 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68107 if (vma->vm_pgoff == vm_pgoff)
68108 @@ -723,6 +751,12 @@ static int
68109 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
68110 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
68111 {
68112 +
68113 +#ifdef CONFIG_PAX_SEGMEXEC
68114 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
68115 + return 0;
68116 +#endif
68117 +
68118 if (is_mergeable_vma(vma, file, vm_flags) &&
68119 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
68120 pgoff_t vm_pglen;
68121 @@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
68122 struct vm_area_struct *vma_merge(struct mm_struct *mm,
68123 struct vm_area_struct *prev, unsigned long addr,
68124 unsigned long end, unsigned long vm_flags,
68125 - struct anon_vma *anon_vma, struct file *file,
68126 + struct anon_vma *anon_vma, struct file *file,
68127 pgoff_t pgoff, struct mempolicy *policy)
68128 {
68129 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
68130 struct vm_area_struct *area, *next;
68131
68132 +#ifdef CONFIG_PAX_SEGMEXEC
68133 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
68134 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
68135 +
68136 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
68137 +#endif
68138 +
68139 /*
68140 * We later require that vma->vm_flags == vm_flags,
68141 * so this tests vma->vm_flags & VM_SPECIAL, too.
68142 @@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
68143 if (next && next->vm_end == end) /* cases 6, 7, 8 */
68144 next = next->vm_next;
68145
68146 +#ifdef CONFIG_PAX_SEGMEXEC
68147 + if (prev)
68148 + prev_m = pax_find_mirror_vma(prev);
68149 + if (area)
68150 + area_m = pax_find_mirror_vma(area);
68151 + if (next)
68152 + next_m = pax_find_mirror_vma(next);
68153 +#endif
68154 +
68155 /*
68156 * Can it merge with the predecessor?
68157 */
68158 @@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
68159 /* cases 1, 6 */
68160 vma_adjust(prev, prev->vm_start,
68161 next->vm_end, prev->vm_pgoff, NULL);
68162 - } else /* cases 2, 5, 7 */
68163 +
68164 +#ifdef CONFIG_PAX_SEGMEXEC
68165 + if (prev_m)
68166 + vma_adjust(prev_m, prev_m->vm_start,
68167 + next_m->vm_end, prev_m->vm_pgoff, NULL);
68168 +#endif
68169 +
68170 + } else { /* cases 2, 5, 7 */
68171 vma_adjust(prev, prev->vm_start,
68172 end, prev->vm_pgoff, NULL);
68173 +
68174 +#ifdef CONFIG_PAX_SEGMEXEC
68175 + if (prev_m)
68176 + vma_adjust(prev_m, prev_m->vm_start,
68177 + end_m, prev_m->vm_pgoff, NULL);
68178 +#endif
68179 +
68180 + }
68181 return prev;
68182 }
68183
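Review bot: In the cases 1, 6 branch `next_m->vm_end` is dereferenced under a test of `prev_m` only. That is safe as long as prev and next agree on VM_EXEC, which the merge conditions appear to guarantee and pax_find_mirror_vma enforces with BUG_ON for exec vmas, but nothing at this site states it. A `BUG_ON(!next_m);` before the call, or a one-line comment naming the invariant, would make it checkable. The cases 3, 8 branch in the next hunk reads `next_m->vm_end` and `next_m->vm_pgoff` under `if (area_m)` in the same way. vma_merge starts and continues outside the hunk.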
68184 @@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
68185 mpol_equal(policy, vma_policy(next)) &&
68186 can_vma_merge_before(next, vm_flags,
68187 anon_vma, file, pgoff+pglen)) {
68188 - if (prev && addr < prev->vm_end) /* case 4 */
68189 + if (prev && addr < prev->vm_end) { /* case 4 */
68190 vma_adjust(prev, prev->vm_start,
68191 addr, prev->vm_pgoff, NULL);
68192 - else /* cases 3, 8 */
68193 +
68194 +#ifdef CONFIG_PAX_SEGMEXEC
68195 + if (prev_m)
68196 + vma_adjust(prev_m, prev_m->vm_start,
68197 + addr_m, prev_m->vm_pgoff, NULL);
68198 +#endif
68199 +
68200 + } else { /* cases 3, 8 */
68201 vma_adjust(area, addr, next->vm_end,
68202 next->vm_pgoff - pglen, NULL);
68203 +
68204 +#ifdef CONFIG_PAX_SEGMEXEC
68205 + if (area_m)
68206 + vma_adjust(area_m, addr_m, next_m->vm_end,
68207 + next_m->vm_pgoff - pglen, NULL);
68208 +#endif
68209 +
68210 + }
68211 return area;
68212 }
68213
68214 @@ -898,14 +978,11 @@ none:
68215 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
68216 struct file *file, long pages)
68217 {
68218 - const unsigned long stack_flags
68219 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
68220 -
68221 if (file) {
68222 mm->shared_vm += pages;
68223 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
68224 mm->exec_vm += pages;
68225 - } else if (flags & stack_flags)
68226 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
68227 mm->stack_vm += pages;
68228 if (flags & (VM_RESERVED|VM_IO))
68229 mm->reserved_vm += pages;
68230 @@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
68231 * (the exception is when the underlying filesystem is noexec
68232 * mounted, in which case we dont add PROT_EXEC.)
68233 */
68234 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
68235 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
68236 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
68237 prot |= PROT_EXEC;
68238
68239 @@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
68240 /* Obtain the address to map to. we verify (or select) it and ensure
68241 * that it represents a valid section of the address space.
68242 */
68243 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
68244 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
68245 if (addr & ~PAGE_MASK)
68246 return addr;
68247
68248 @@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
68249 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
68250 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
68251
68252 +#ifdef CONFIG_PAX_MPROTECT
68253 + if (mm->pax_flags & MF_PAX_MPROTECT) {
68254 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
68255 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
68256 + gr_log_rwxmmap(file);
68257 +
68258 +#ifdef CONFIG_PAX_EMUPLT
68259 + vm_flags &= ~VM_EXEC;
68260 +#else
68261 + return -EPERM;
68262 +#endif
68263 +
68264 + }
68265 +
68266 + if (!(vm_flags & VM_EXEC))
68267 + vm_flags &= ~VM_MAYEXEC;
68268 +#else
68269 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
68270 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
68271 +#endif
68272 + else
68273 + vm_flags &= ~VM_MAYWRITE;
68274 + }
68275 +#endif
68276 +
68277 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68278 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
68279 + vm_flags &= ~VM_PAGEEXEC;
68280 +#endif
68281 +
68282 if (flags & MAP_LOCKED)
68283 if (!can_do_mlock())
68284 return -EPERM;
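Review bot: The `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` pairs with a different `if` in each configuration: `if (!(vm_flags & VM_EXEC))` without CONFIG_PAX_MPROTECT_COMPAT, and `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` with it. This block decides whether a mapping can ever become writable or executable later, so I would close each arm inside its own preprocessor branch, or at least mark the shared line with `/* else: executable mapping, may never become writable */`. It also deserves a comment that with CONFIG_PAX_EMUPLT a writable and executable request is logged and then mapped without VM_EXEC instead of being refused with -EPERM.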
68285 @@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
68286 locked += mm->locked_vm;
68287 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
68288 lock_limit >>= PAGE_SHIFT;
68289 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68290 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
68291 return -EAGAIN;
68292 }
68293 @@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
68294 if (error)
68295 return error;
68296
68297 + if (!gr_acl_handle_mmap(file, prot))
68298 + return -EACCES;
68299 +
68300 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
68301 }
68302 EXPORT_SYMBOL(do_mmap_pgoff);
68303 @@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
68304 */
68305 int vma_wants_writenotify(struct vm_area_struct *vma)
68306 {
68307 - unsigned int vm_flags = vma->vm_flags;
68308 + unsigned long vm_flags = vma->vm_flags;
68309
68310 /* If it was private or non-writable, the write bit is already clear */
68311 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
68312 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
68313 return 0;
68314
68315 /* The backer wishes to know when pages are first written to? */
68316 @@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
68317 unsigned long charged = 0;
68318 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
68319
68320 +#ifdef CONFIG_PAX_SEGMEXEC
68321 + struct vm_area_struct *vma_m = NULL;
68322 +#endif
68323 +
68324 + /*
68325 + * mm->mmap_sem is required to protect against another thread
68326 + * changing the mappings in case we sleep.
68327 + */
68328 + verify_mm_writelocked(mm);
68329 +
68330 /* Clear old maps */
68331 error = -ENOMEM;
68332 -munmap_back:
68333 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68334 if (vma && vma->vm_start < addr + len) {
68335 if (do_munmap(mm, addr, len))
68336 return -ENOMEM;
68337 - goto munmap_back;
68338 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
68339 + BUG_ON(vma && vma->vm_start < addr + len);
68340 }
68341
68342 /* Check against address space limit. */
68343 @@ -1173,6 +1294,16 @@ munmap_back:
68344 goto unacct_error;
68345 }
68346
68347 +#ifdef CONFIG_PAX_SEGMEXEC
68348 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
68349 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
68350 + if (!vma_m) {
68351 + error = -ENOMEM;
68352 + goto free_vma;
68353 + }
68354 + }
68355 +#endif
68356 +
68357 vma->vm_mm = mm;
68358 vma->vm_start = addr;
68359 vma->vm_end = addr + len;
68360 @@ -1195,6 +1326,19 @@ munmap_back:
68361 error = file->f_op->mmap(file, vma);
68362 if (error)
68363 goto unmap_and_free_vma;
68364 +
68365 +#ifdef CONFIG_PAX_SEGMEXEC
68366 + if (vma_m && (vm_flags & VM_EXECUTABLE))
68367 + added_exe_file_vma(mm);
68368 +#endif
68369 +
68370 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
68371 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
68372 + vma->vm_flags |= VM_PAGEEXEC;
68373 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
68374 + }
68375 +#endif
68376 +
68377 if (vm_flags & VM_EXECUTABLE)
68378 added_exe_file_vma(mm);
68379
68380 @@ -1218,6 +1362,11 @@ munmap_back:
68381 vma_link(mm, vma, prev, rb_link, rb_parent);
68382 file = vma->vm_file;
68383
68384 +#ifdef CONFIG_PAX_SEGMEXEC
68385 + if (vma_m)
68386 + pax_mirror_vma(vma_m, vma);
68387 +#endif
68388 +
68389 /* Once vma denies write, undo our temporary denial count */
68390 if (correct_wcount)
68391 atomic_inc(&inode->i_writecount);
68392 @@ -1226,6 +1375,7 @@ out:
68393
68394 mm->total_vm += len >> PAGE_SHIFT;
68395 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
68396 + track_exec_limit(mm, addr, addr + len, vm_flags);
68397 if (vm_flags & VM_LOCKED) {
68398 /*
68399 * makes pages present; downgrades, drops, reacquires mmap_sem
68400 @@ -1248,6 +1398,12 @@ unmap_and_free_vma:
68401 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
68402 charged = 0;
68403 free_vma:
68404 +
68405 +#ifdef CONFIG_PAX_SEGMEXEC
68406 + if (vma_m)
68407 + kmem_cache_free(vm_area_cachep, vma_m);
68408 +#endif
68409 +
68410 kmem_cache_free(vm_area_cachep, vma);
68411 unacct_error:
68412 if (charged)
68413 @@ -1255,6 +1411,44 @@ unacct_error:
68414 return error;
68415 }
68416
68417 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
68418 +{
68419 + if (!vma) {
68420 +#ifdef CONFIG_STACK_GROWSUP
68421 + if (addr > sysctl_heap_stack_gap)
68422 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
68423 + else
68424 + vma = find_vma(current->mm, 0);
68425 + if (vma && (vma->vm_flags & VM_GROWSUP))
68426 + return false;
68427 +#endif
68428 + return true;
68429 + }
68430 +
68431 + if (addr + len > vma->vm_start)
68432 + return false;
68433 +
68434 + if (vma->vm_flags & VM_GROWSDOWN)
68435 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
68436 +#ifdef CONFIG_STACK_GROWSUP
68437 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
68438 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
68439 +#endif
68440 +
68441 + return true;
68442 +}
68443 +
68444 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
68445 +{
68446 + if (vma->vm_start < len)
68447 + return -ENOMEM;
68448 + if (!(vma->vm_flags & VM_GROWSDOWN))
68449 + return vma->vm_start - len;
68450 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
68451 + return vma->vm_start - len - sysctl_heap_stack_gap;
68452 + return -ENOMEM;
68453 +}
68454 +
68455 /* Get an address range which is currently unmapped.
68456 * For shmat() with addr=0.
68457 *
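Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap looks inverted. `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts the address when it lies within the gap above the upward-growing vma and rejects it when it is further away, the opposite of the VM_GROWSDOWN line just above (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). If the intent is to keep the gap free, it should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions also lack a header comment; skip_heap_stack_gap in particular returns `-ENOMEM` through an `unsigned long`, which callers must test with IS_ERR_VALUE as the topdown hunk does.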
68458 @@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
68459 if (flags & MAP_FIXED)
68460 return addr;
68461
68462 +#ifdef CONFIG_PAX_RANDMMAP
68463 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68464 +#endif
68465 +
68466 if (addr) {
68467 addr = PAGE_ALIGN(addr);
68468 - vma = find_vma(mm, addr);
68469 - if (TASK_SIZE - len >= addr &&
68470 - (!vma || addr + len <= vma->vm_start))
68471 - return addr;
68472 + if (TASK_SIZE - len >= addr) {
68473 + vma = find_vma(mm, addr);
68474 + if (check_heap_stack_gap(vma, addr, len))
68475 + return addr;
68476 + }
68477 }
68478 if (len > mm->cached_hole_size) {
68479 - start_addr = addr = mm->free_area_cache;
68480 + start_addr = addr = mm->free_area_cache;
68481 } else {
68482 - start_addr = addr = TASK_UNMAPPED_BASE;
68483 - mm->cached_hole_size = 0;
68484 + start_addr = addr = mm->mmap_base;
68485 + mm->cached_hole_size = 0;
68486 }
68487
68488 full_search:
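Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own; it takes the following `if (addr) { ... }` as its statement across `#endif` and a blank line. The effect, that the caller's address hint is ignored for randomized mms, is security-relevant and should be explicit: add a comment such as `/* RANDMMAP: ignore the address hint */`, or fold the test into the condition so that no statement hangs across `#endif`. The same construct appears in the arch_get_unmapped_area_topdown hunk, where an existing comment line sits between the dangling `if` and its body. The function starts and continues outside the hunk.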
68489 @@ -1303,34 +1502,40 @@ full_search:
68490 * Start a new search - just in case we missed
68491 * some holes.
68492 */
68493 - if (start_addr != TASK_UNMAPPED_BASE) {
68494 - addr = TASK_UNMAPPED_BASE;
68495 - start_addr = addr;
68496 + if (start_addr != mm->mmap_base) {
68497 + start_addr = addr = mm->mmap_base;
68498 mm->cached_hole_size = 0;
68499 goto full_search;
68500 }
68501 return -ENOMEM;
68502 }
68503 - if (!vma || addr + len <= vma->vm_start) {
68504 - /*
68505 - * Remember the place where we stopped the search:
68506 - */
68507 - mm->free_area_cache = addr + len;
68508 - return addr;
68509 - }
68510 + if (check_heap_stack_gap(vma, addr, len))
68511 + break;
68512 if (addr + mm->cached_hole_size < vma->vm_start)
68513 mm->cached_hole_size = vma->vm_start - addr;
68514 addr = vma->vm_end;
68515 }
68516 +
68517 + /*
68518 + * Remember the place where we stopped the search:
68519 + */
68520 + mm->free_area_cache = addr + len;
68521 + return addr;
68522 }
68523 #endif
68524
68525 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
68526 {
68527 +
68528 +#ifdef CONFIG_PAX_SEGMEXEC
68529 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68530 + return;
68531 +#endif
68532 +
68533 /*
68534 * Is this a new hole at the lowest possible address?
68535 */
68536 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
68537 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
68538 mm->free_area_cache = addr;
68539 mm->cached_hole_size = ~0UL;
68540 }
68541 @@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
68542 {
68543 struct vm_area_struct *vma;
68544 struct mm_struct *mm = current->mm;
68545 - unsigned long addr = addr0;
68546 + unsigned long base = mm->mmap_base, addr = addr0;
68547
68548 /* requested length too big for entire address space */
68549 if (len > TASK_SIZE)
68550 @@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
68551 if (flags & MAP_FIXED)
68552 return addr;
68553
68554 +#ifdef CONFIG_PAX_RANDMMAP
68555 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
68556 +#endif
68557 +
68558 /* requesting a specific address */
68559 if (addr) {
68560 addr = PAGE_ALIGN(addr);
68561 - vma = find_vma(mm, addr);
68562 - if (TASK_SIZE - len >= addr &&
68563 - (!vma || addr + len <= vma->vm_start))
68564 - return addr;
68565 + if (TASK_SIZE - len >= addr) {
68566 + vma = find_vma(mm, addr);
68567 + if (check_heap_stack_gap(vma, addr, len))
68568 + return addr;
68569 + }
68570 }
68571
68572 /* check if free_area_cache is useful for us */
68573 @@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
68574 /* make sure it can fit in the remaining address space */
68575 if (addr > len) {
68576 vma = find_vma(mm, addr-len);
68577 - if (!vma || addr <= vma->vm_start)
68578 + if (check_heap_stack_gap(vma, addr - len, len))
68579 /* remember the address as a hint for next time */
68580 return (mm->free_area_cache = addr-len);
68581 }
68582 @@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
68583 * return with success:
68584 */
68585 vma = find_vma(mm, addr);
68586 - if (!vma || addr+len <= vma->vm_start)
68587 + if (check_heap_stack_gap(vma, addr, len))
68588 /* remember the address as a hint for next time */
68589 return (mm->free_area_cache = addr);
68590
68591 @@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
68592 mm->cached_hole_size = vma->vm_start - addr;
68593
68594 /* try just below the current vma->vm_start */
68595 - addr = vma->vm_start-len;
68596 - } while (len < vma->vm_start);
68597 + addr = skip_heap_stack_gap(vma, len);
68598 + } while (!IS_ERR_VALUE(addr));
68599
68600 bottomup:
68601 /*
68602 @@ -1414,13 +1624,21 @@ bottomup:
68603 * can happen with large stack limits and large mmap()
68604 * allocations.
68605 */
68606 + mm->mmap_base = TASK_UNMAPPED_BASE;
68607 +
68608 +#ifdef CONFIG_PAX_RANDMMAP
68609 + if (mm->pax_flags & MF_PAX_RANDMMAP)
68610 + mm->mmap_base += mm->delta_mmap;
68611 +#endif
68612 +
68613 + mm->free_area_cache = mm->mmap_base;
68614 mm->cached_hole_size = ~0UL;
68615 - mm->free_area_cache = TASK_UNMAPPED_BASE;
68616 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
68617 /*
68618 * Restore the topdown base:
68619 */
68620 - mm->free_area_cache = mm->mmap_base;
68621 + mm->mmap_base = base;
68622 + mm->free_area_cache = base;
68623 mm->cached_hole_size = ~0UL;
68624
68625 return addr;
68626 @@ -1429,6 +1647,12 @@ bottomup:
68627
68628 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
68629 {
68630 +
68631 +#ifdef CONFIG_PAX_SEGMEXEC
68632 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
68633 + return;
68634 +#endif
68635 +
68636 /*
68637 * Is this a new hole at the highest possible address?
68638 */
68639 @@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
68640 mm->free_area_cache = addr;
68641
68642 /* dont allow allocations above current base */
68643 - if (mm->free_area_cache > mm->mmap_base)
68644 + if (mm->free_area_cache > mm->mmap_base) {
68645 mm->free_area_cache = mm->mmap_base;
68646 + mm->cached_hole_size = ~0UL;
68647 + }
68648 }
68649
68650 unsigned long
68651 @@ -1545,6 +1771,27 @@ out:
68652 return prev ? prev->vm_next : vma;
68653 }
68654
68655 +#ifdef CONFIG_PAX_SEGMEXEC
68656 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
68657 +{
68658 + struct vm_area_struct *vma_m;
68659 +
68660 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
68661 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
68662 + BUG_ON(vma->vm_mirror);
68663 + return NULL;
68664 + }
68665 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
68666 + vma_m = vma->vm_mirror;
68667 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
68668 + BUG_ON(vma->vm_file != vma_m->vm_file);
68669 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
68670 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
68671 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
68672 + return vma_m;
68673 +}
68674 +#endif
68675 +
68676 /*
68677 * Verify that the stack growth is acceptable and
68678 * update accounting. This is shared with both the
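Review bot: pax_find_mirror_vma is a new non-static function, called from mm/mempolicy.c as well as this file, and has no header comment. I would document that it returns NULL when the mm lacks MF_PAX_SEGMEXEC or the vma is not VM_EXEC, and otherwise returns `vma->vm_mirror`. The comment should also state that any inconsistency between the pair (back pointer, file, length, pgoff, anon_vma, or flags outside the listed write/account/lock bits) is a BUG() rather than an error return. Callers such as the vma_merge and expand_downwards hunks depend on that last property.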
68679 @@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
68680 return -ENOMEM;
68681
68682 /* Stack limit test */
68683 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
68684 if (size > rlim[RLIMIT_STACK].rlim_cur)
68685 return -ENOMEM;
68686
68687 @@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
68688 unsigned long limit;
68689 locked = mm->locked_vm + grow;
68690 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
68691 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
68692 if (locked > limit && !capable(CAP_IPC_LOCK))
68693 return -ENOMEM;
68694 }
68695 @@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
68696 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
68697 * vma is the last one with address > vma->vm_end. Have to extend vma.
68698 */
68699 +#ifndef CONFIG_IA64
68700 +static
68701 +#endif
68702 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
68703 {
68704 int error;
68705 + bool locknext;
68706
68707 if (!(vma->vm_flags & VM_GROWSUP))
68708 return -EFAULT;
68709
68710 + /* Also guard against wrapping around to address 0. */
68711 + if (address < PAGE_ALIGN(address+1))
68712 + address = PAGE_ALIGN(address+1);
68713 + else
68714 + return -ENOMEM;
68715 +
68716 /*
68717 * We must make sure the anon_vma is allocated
68718 * so that the anon_vma locking is not a noop.
68719 */
68720 if (unlikely(anon_vma_prepare(vma)))
68721 return -ENOMEM;
68722 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
68723 + if (locknext && anon_vma_prepare(vma->vm_next))
68724 + return -ENOMEM;
68725 anon_vma_lock(vma);
68726 + if (locknext)
68727 + anon_vma_lock(vma->vm_next);
68728
68729 /*
68730 * vma->vm_start/vm_end cannot change under us because the caller
68731 * is required to hold the mmap_sem in read mode. We need the
68732 - * anon_vma lock to serialize against concurrent expand_stacks.
68733 - * Also guard against wrapping around to address 0.
68734 + * anon_vma locks to serialize against concurrent expand_stacks
68735 + * and expand_upwards.
68736 */
68737 - if (address < PAGE_ALIGN(address+4))
68738 - address = PAGE_ALIGN(address+4);
68739 - else {
68740 - anon_vma_unlock(vma);
68741 - return -ENOMEM;
68742 - }
68743 error = 0;
68744
68745 /* Somebody else might have raced and expanded it already */
68746 - if (address > vma->vm_end) {
68747 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
68748 + error = -ENOMEM;
68749 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
68750 unsigned long size, grow;
68751
68752 size = address - vma->vm_start;
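Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it is only meaningful while `address <= vma->vm_next->vm_start`. If a caller ever passed an address beyond the next vma, the difference would wrap to a huge value and the test would pass; when the next vma is not VM_GROWSDOWN (`locknext` false) the following `else if` would then extend `vm_end` into it. Callers probably guarantee the ordering, but it is cheap to state it here by adding `vma->vm_next->vm_start < address ||` in front of the subtraction. expand_downwards uses the mirrored form `address - prev->vm_end` in a later hunk. The function continues outside the hunk.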
68753 @@ -1640,6 +1900,8 @@ int expand_upwards(struct vm_area_struct
68754 if (!error)
68755 vma->vm_end = address;
68756 }
68757 + if (locknext)
68758 + anon_vma_unlock(vma->vm_next);
68759 anon_vma_unlock(vma);
68760 return error;
68761 }
68762 @@ -1652,6 +1914,8 @@ static int expand_downwards(struct vm_ar
68763 unsigned long address)
68764 {
68765 int error;
68766 + bool lockprev = false;
68767 + struct vm_area_struct *prev;
68768
68769 /*
68770 * We must make sure the anon_vma is allocated
68771 @@ -1665,6 +1929,15 @@ static int expand_downwards(struct vm_ar
68772 if (error)
68773 return error;
68774
68775 + prev = vma->vm_prev;
68776 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
68777 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
68778 +#endif
68779 + if (lockprev && anon_vma_prepare(prev))
68780 + return -ENOMEM;
68781 + if (lockprev)
68782 + anon_vma_lock(prev);
68783 +
68784 anon_vma_lock(vma);
68785
68786 /*
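Review bot: The order in which the two anon_vma locks are taken is not documented here: `prev` is locked before `vma`, which matches expand_upwards taking `vma` before `vma->vm_next`, and that lower-address-first pairing is presumably what keeps the two paths from deadlocking against each other. I would add a comment above `anon_vma_lock(prev)` such as `/* lock order: lower-address vma first, same as expand_upwards */`. If `prev` and `vma` could ever share one anon_vma, the second anon_vma_lock would be taken on a lock that is already held, so the comment should also say why that cannot happen. expand_downwards starts and ends outside this hunk.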
68787 @@ -1674,9 +1947,17 @@ static int expand_downwards(struct vm_ar
68788 */
68789
68790 /* Somebody else might have raced and expanded it already */
68791 - if (address < vma->vm_start) {
68792 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
68793 + error = -ENOMEM;
68794 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
68795 unsigned long size, grow;
68796
68797 +#ifdef CONFIG_PAX_SEGMEXEC
68798 + struct vm_area_struct *vma_m;
68799 +
68800 + vma_m = pax_find_mirror_vma(vma);
68801 +#endif
68802 +
68803 size = vma->vm_end - address;
68804 grow = (vma->vm_start - address) >> PAGE_SHIFT;
68805
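Review bot: The gap test `address - prev->vm_end < sysctl_heap_stack_gap` is unsigned, so if `address` is ever below `prev->vm_end` the difference wraps to a large value and the test passes; the following branch only checks `prev->vm_end <= address` when `lockprev` is set. Callers probably guarantee `address >= prev->vm_end`, but that is not visible here, so I would make it explicit with `(address < prev->vm_end || address - prev->vm_end < sysctl_heap_stack_gap)` as the last operand of the condition. The matching test in expand_upwards (`vma->vm_next->vm_start - address < sysctl_heap_stack_gap`) has the same shape. The function body continues outside the hunk.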
68806 @@ -1684,9 +1965,20 @@ static int expand_downwards(struct vm_ar
68807 if (!error) {
68808 vma->vm_start = address;
68809 vma->vm_pgoff -= grow;
68810 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
68811 +
68812 +#ifdef CONFIG_PAX_SEGMEXEC
68813 + if (vma_m) {
68814 + vma_m->vm_start -= grow << PAGE_SHIFT;
68815 + vma_m->vm_pgoff -= grow;
68816 + }
68817 +#endif
68818 +
68819 }
68820 }
68821 anon_vma_unlock(vma);
68822 + if (lockprev)
68823 + anon_vma_unlock(prev);
68824 return error;
68825 }
68826
68827 @@ -1762,6 +2054,13 @@ static void remove_vma_list(struct mm_st
68828 do {
68829 long nrpages = vma_pages(vma);
68830
68831 +#ifdef CONFIG_PAX_SEGMEXEC
68832 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
68833 + vma = remove_vma(vma);
68834 + continue;
68835 + }
68836 +#endif
68837 +
68838 mm->total_vm -= nrpages;
68839 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
68840 vma = remove_vma(vma);
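Review bot: The early `continue` skips the `mm->total_vm` and `vm_stat_account` updates for any VMA at or above SEGMEXEC_TASK_SIZE without saying why. Judging by pax_mirror_vma later in this file, which strips VM_ACCOUNT and VM_LOCKED from the mirror, these are mirror VMAs that were never counted, but a reader of this loop cannot tell. A comment such as `/* mirror vmas were never accounted, just release them */` above the test would make the asymmetry intentional. remove_vma_list starts and ends outside the hunk.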
68841 @@ -1807,6 +2106,16 @@ detach_vmas_to_be_unmapped(struct mm_str
68842 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
68843 vma->vm_prev = NULL;
68844 do {
68845 +
68846 +#ifdef CONFIG_PAX_SEGMEXEC
68847 + if (vma->vm_mirror) {
68848 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
68849 + vma->vm_mirror->vm_mirror = NULL;
68850 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
68851 + vma->vm_mirror = NULL;
68852 + }
68853 +#endif
68854 +
68855 rb_erase(&vma->vm_rb, &mm->mm_rb);
68856 mm->map_count--;
68857 tail_vma = vma;
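Review bot: The first half of `BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma)` is redundant: `vma` has just been dereferenced and is non-NULL, so a NULL back-pointer already fails the `!= vma` comparison. `BUG_ON(vma->vm_mirror->vm_mirror != vma);` expresses the same invariant. A one-line comment on why the mirror loses VM_EXEC when its primary mapping is detached would also help, since the hunk does not explain it. The loop body continues outside the hunk.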
68858 @@ -1834,10 +2143,25 @@ int split_vma(struct mm_struct * mm, str
68859 struct mempolicy *pol;
68860 struct vm_area_struct *new;
68861
68862 +#ifdef CONFIG_PAX_SEGMEXEC
68863 + struct vm_area_struct *vma_m, *new_m = NULL;
68864 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
68865 +#endif
68866 +
68867 if (is_vm_hugetlb_page(vma) && (addr &
68868 ~(huge_page_mask(hstate_vma(vma)))))
68869 return -EINVAL;
68870
68871 +#ifdef CONFIG_PAX_SEGMEXEC
68872 + vma_m = pax_find_mirror_vma(vma);
68873 +
68874 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
68875 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
68876 + if (mm->map_count >= sysctl_max_map_count-1)
68877 + return -ENOMEM;
68878 + } else
68879 +#endif
68880 +
68881 if (mm->map_count >= sysctl_max_map_count)
68882 return -ENOMEM;
68883
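Review bot: The `} else` that closes the CONFIG_PAX_SEGMEXEC block binds to the unguarded `if (mm->map_count >= sysctl_max_map_count)` after `#endif`, so the meaning of that context line depends on the config, and any statement later inserted between `#endif` and the `if` would silently become the else body. I would keep the conditional self-contained, for example by computing the limit in a local (`sysctl_max_map_count - 1` under SEGMEXEC, `sysctl_max_map_count` otherwise) and leaving one unconditional comparison. The same `else`/`#endif` construct appears in the mprotect syscall hunk (`@@ -239,6 +349,17 @@`) and, in a different form, in the install_special_mapping hunk. split_vma continues outside this hunk.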
68884 @@ -1845,6 +2169,16 @@ int split_vma(struct mm_struct * mm, str
68885 if (!new)
68886 return -ENOMEM;
68887
68888 +#ifdef CONFIG_PAX_SEGMEXEC
68889 + if (vma_m) {
68890 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
68891 + if (!new_m) {
68892 + kmem_cache_free(vm_area_cachep, new);
68893 + return -ENOMEM;
68894 + }
68895 + }
68896 +#endif
68897 +
68898 /* most fields are the same, copy all, and then fixup */
68899 *new = *vma;
68900
68901 @@ -1855,8 +2189,29 @@ int split_vma(struct mm_struct * mm, str
68902 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
68903 }
68904
68905 +#ifdef CONFIG_PAX_SEGMEXEC
68906 + if (vma_m) {
68907 + *new_m = *vma_m;
68908 + new_m->vm_mirror = new;
68909 + new->vm_mirror = new_m;
68910 +
68911 + if (new_below)
68912 + new_m->vm_end = addr_m;
68913 + else {
68914 + new_m->vm_start = addr_m;
68915 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
68916 + }
68917 + }
68918 +#endif
68919 +
68920 pol = mpol_dup(vma_policy(vma));
68921 if (IS_ERR(pol)) {
68922 +
68923 +#ifdef CONFIG_PAX_SEGMEXEC
68924 + if (new_m)
68925 + kmem_cache_free(vm_area_cachep, new_m);
68926 +#endif
68927 +
68928 kmem_cache_free(vm_area_cachep, new);
68929 return PTR_ERR(pol);
68930 }
68931 @@ -1877,6 +2232,28 @@ int split_vma(struct mm_struct * mm, str
68932 else
68933 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
68934
68935 +#ifdef CONFIG_PAX_SEGMEXEC
68936 + if (vma_m) {
68937 + mpol_get(pol);
68938 + vma_set_policy(new_m, pol);
68939 +
68940 + if (new_m->vm_file) {
68941 + get_file(new_m->vm_file);
68942 + if (vma_m->vm_flags & VM_EXECUTABLE)
68943 + added_exe_file_vma(mm);
68944 + }
68945 +
68946 + if (new_m->vm_ops && new_m->vm_ops->open)
68947 + new_m->vm_ops->open(new_m);
68948 +
68949 + if (new_below)
68950 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
68951 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
68952 + else
68953 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
68954 + }
68955 +#endif
68956 +
68957 return 0;
68958 }
68959
68960 @@ -1885,11 +2262,30 @@ int split_vma(struct mm_struct * mm, str
68961 * work. This now handles partial unmappings.
68962 * Jeremy Fitzhardinge <jeremy@goop.org>
68963 */
68964 +#ifdef CONFIG_PAX_SEGMEXEC
68965 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68966 +{
68967 + int ret = __do_munmap(mm, start, len);
68968 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
68969 + return ret;
68970 +
68971 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
68972 +}
68973 +
68974 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68975 +#else
68976 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
68977 +#endif
68978 {
68979 unsigned long end;
68980 struct vm_area_struct *vma, *prev, *last;
68981
68982 + /*
68983 + * mm->mmap_sem is required to protect against another thread
68984 + * changing the mappings in case we sleep.
68985 + */
68986 + verify_mm_writelocked(mm);
68987 +
68988 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
68989 return -EINVAL;
68990
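Review bot: When the second call `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` fails, the wrapper returns that error although the primary range has already been unmapped, so the caller sees a failure for an operation that half happened. The range check at the top of `__do_munmap` is applied to the shifted start, so a caller whose range is not entirely below SEGMEXEC_TASK_SIZE could end up on this path; the munmap syscall hunk rejects such ranges up front, but the other callers of do_munmap are not visible here. I would validate the mirror range before the first call, or document the requirement with a comment such as `/* callers must keep start + len <= SEGMEXEC_TASK_SIZE */`. The body of `__do_munmap` continues outside the hunk.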
68991 @@ -1953,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
68992 /* Fix up all other VM information */
68993 remove_vma_list(mm, vma);
68994
68995 + track_exec_limit(mm, start, end, 0UL);
68996 +
68997 return 0;
68998 }
68999
69000 @@ -1965,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
69001
69002 profile_munmap(addr);
69003
69004 +#ifdef CONFIG_PAX_SEGMEXEC
69005 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
69006 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
69007 + return -EINVAL;
69008 +#endif
69009 +
69010 down_write(&mm->mmap_sem);
69011 ret = do_munmap(mm, addr, len);
69012 up_write(&mm->mmap_sem);
69013 return ret;
69014 }
69015
69016 -static inline void verify_mm_writelocked(struct mm_struct *mm)
69017 -{
69018 -#ifdef CONFIG_DEBUG_VM
69019 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
69020 - WARN_ON(1);
69021 - up_read(&mm->mmap_sem);
69022 - }
69023 -#endif
69024 -}
69025 -
69026 /*
69027 * this is really a simplified "do_mmap". it only handles
69028 * anonymous maps. eventually we may be able to do some
69029 @@ -1994,6 +2388,7 @@ unsigned long do_brk(unsigned long addr,
69030 struct rb_node ** rb_link, * rb_parent;
69031 pgoff_t pgoff = addr >> PAGE_SHIFT;
69032 int error;
69033 + unsigned long charged;
69034
69035 len = PAGE_ALIGN(len);
69036 if (!len)
69037 @@ -2005,16 +2400,30 @@ unsigned long do_brk(unsigned long addr,
69038
69039 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
69040
69041 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
69042 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
69043 + flags &= ~VM_EXEC;
69044 +
69045 +#ifdef CONFIG_PAX_MPROTECT
69046 + if (mm->pax_flags & MF_PAX_MPROTECT)
69047 + flags &= ~VM_MAYEXEC;
69048 +#endif
69049 +
69050 + }
69051 +#endif
69052 +
69053 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
69054 if (error & ~PAGE_MASK)
69055 return error;
69056
69057 + charged = len >> PAGE_SHIFT;
69058 +
69059 /*
69060 * mlock MCL_FUTURE?
69061 */
69062 if (mm->def_flags & VM_LOCKED) {
69063 unsigned long locked, lock_limit;
69064 - locked = len >> PAGE_SHIFT;
69065 + locked = charged;
69066 locked += mm->locked_vm;
69067 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
69068 lock_limit >>= PAGE_SHIFT;
69069 @@ -2031,22 +2440,22 @@ unsigned long do_brk(unsigned long addr,
69070 /*
69071 * Clear old maps. this also does some error checking for us
69072 */
69073 - munmap_back:
69074 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69075 if (vma && vma->vm_start < addr + len) {
69076 if (do_munmap(mm, addr, len))
69077 return -ENOMEM;
69078 - goto munmap_back;
69079 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
69080 + BUG_ON(vma && vma->vm_start < addr + len);
69081 }
69082
69083 /* Check against address space limits *after* clearing old maps... */
69084 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
69085 + if (!may_expand_vm(mm, charged))
69086 return -ENOMEM;
69087
69088 if (mm->map_count > sysctl_max_map_count)
69089 return -ENOMEM;
69090
69091 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
69092 + if (security_vm_enough_memory(charged))
69093 return -ENOMEM;
69094
69095 /* Can we just expand an old private anonymous mapping? */
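Review bot: Replacing the `munmap_back` retry with `BUG_ON(vma && vma->vm_start < addr + len)` turns a leftover overlap after a successful do_munmap into a kernel panic on the brk path. If the overlap can only indicate a logic error, failing the call enforces the same invariant without taking the machine down: `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;`. do_brk starts and ends outside this hunk.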
69096 @@ -2060,7 +2469,7 @@ unsigned long do_brk(unsigned long addr,
69097 */
69098 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69099 if (!vma) {
69100 - vm_unacct_memory(len >> PAGE_SHIFT);
69101 + vm_unacct_memory(charged);
69102 return -ENOMEM;
69103 }
69104
69105 @@ -2072,11 +2481,12 @@ unsigned long do_brk(unsigned long addr,
69106 vma->vm_page_prot = vm_get_page_prot(flags);
69107 vma_link(mm, vma, prev, rb_link, rb_parent);
69108 out:
69109 - mm->total_vm += len >> PAGE_SHIFT;
69110 + mm->total_vm += charged;
69111 if (flags & VM_LOCKED) {
69112 if (!mlock_vma_pages_range(vma, addr, addr + len))
69113 - mm->locked_vm += (len >> PAGE_SHIFT);
69114 + mm->locked_vm += charged;
69115 }
69116 + track_exec_limit(mm, addr, addr + len, flags);
69117 return addr;
69118 }
69119
69120 @@ -2123,8 +2533,10 @@ void exit_mmap(struct mm_struct *mm)
69121 * Walk the list again, actually closing and freeing it,
69122 * with preemption enabled, without holding any MM locks.
69123 */
69124 - while (vma)
69125 + while (vma) {
69126 + vma->vm_mirror = NULL;
69127 vma = remove_vma(vma);
69128 + }
69129
69130 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
69131 }
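Review bot: `vma->vm_mirror = NULL;` is added without a comment and without a CONFIG_PAX_SEGMEXEC guard, while the mirror handling in detach_vmas_to_be_unmapped sits under `#ifdef CONFIG_PAX_SEGMEXEC`. If the field exists in every configuration (the unguarded `BUG_ON(vma->vm_mirror)` in copy_vma suggests so) the build is fine, but the reason for clearing the back-pointer right before `remove_vma` should be stated, e.g. `/* mirrors are torn down with the mm; drop the link so the partner is not dereferenced after free */`, if that is indeed the intent.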
69132 @@ -2138,6 +2550,10 @@ int insert_vm_struct(struct mm_struct *
69133 struct vm_area_struct * __vma, * prev;
69134 struct rb_node ** rb_link, * rb_parent;
69135
69136 +#ifdef CONFIG_PAX_SEGMEXEC
69137 + struct vm_area_struct *vma_m = NULL;
69138 +#endif
69139 +
69140 /*
69141 * The vm_pgoff of a purely anonymous vma should be irrelevant
69142 * until its first write fault, when page's anon_vma and index
69143 @@ -2160,7 +2576,22 @@ int insert_vm_struct(struct mm_struct *
69144 if ((vma->vm_flags & VM_ACCOUNT) &&
69145 security_vm_enough_memory_mm(mm, vma_pages(vma)))
69146 return -ENOMEM;
69147 +
69148 +#ifdef CONFIG_PAX_SEGMEXEC
69149 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
69150 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69151 + if (!vma_m)
69152 + return -ENOMEM;
69153 + }
69154 +#endif
69155 +
69156 vma_link(mm, vma, prev, rb_link, rb_parent);
69157 +
69158 +#ifdef CONFIG_PAX_SEGMEXEC
69159 + if (vma_m)
69160 + pax_mirror_vma(vma_m, vma);
69161 +#endif
69162 +
69163 return 0;
69164 }
69165
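Review bot: The new `return -ENOMEM` after a failed `kmem_cache_zalloc` sits after the context lines have already charged the mapping through `security_vm_enough_memory_mm(mm, vma_pages(vma))`, and nothing in the hunk gives that charge back. do_brk in this same file calls `vm_unacct_memory(charged)` on its allocation-failure path. I would either move the vma_m allocation above the VM_ACCOUNT check or add `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));` before the return. insert_vm_struct starts outside this hunk.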
69166 @@ -2178,6 +2609,8 @@ struct vm_area_struct *copy_vma(struct v
69167 struct rb_node **rb_link, *rb_parent;
69168 struct mempolicy *pol;
69169
69170 + BUG_ON(vma->vm_mirror);
69171 +
69172 /*
69173 * If anonymous vma has not yet been faulted, update new pgoff
69174 * to match new location, to increase its chance of merging.
69175 @@ -2221,6 +2654,35 @@ struct vm_area_struct *copy_vma(struct v
69176 return new_vma;
69177 }
69178
69179 +#ifdef CONFIG_PAX_SEGMEXEC
69180 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
69181 +{
69182 + struct vm_area_struct *prev_m;
69183 + struct rb_node **rb_link_m, *rb_parent_m;
69184 + struct mempolicy *pol_m;
69185 +
69186 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
69187 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
69188 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
69189 + *vma_m = *vma;
69190 + pol_m = vma_policy(vma_m);
69191 + mpol_get(pol_m);
69192 + vma_set_policy(vma_m, pol_m);
69193 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
69194 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
69195 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
69196 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
69197 + if (vma_m->vm_file)
69198 + get_file(vma_m->vm_file);
69199 + if (vma_m->vm_ops && vma_m->vm_ops->open)
69200 + vma_m->vm_ops->open(vma_m);
69201 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
69202 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
69203 + vma_m->vm_mirror = vma;
69204 + vma->vm_mirror = vma_m;
69205 +}
69206 +#endif
69207 +
69208 /*
69209 * Return true if the calling process may expand its vm space by the passed
69210 * number of pages
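Review bot: pax_mirror_vma has no header comment, and its contract is not obvious from the call sites: it overwrites `*vma_m` wholesale with `*vma`, takes policy and file references, links the mirror into the mm and has no way to report failure. The value returned by `find_vma_prepare` is also discarded, so an existing mapping that overlaps the mirror range would go unnoticed before `vma_link`; the other invariants in this function are asserted, and this one could be too. I would add a comment such as `/* vma_m: freshly allocated by the caller, ownership passes to the mm; the mirror range must be unmapped */` above the function.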
69211 @@ -2231,7 +2693,7 @@ int may_expand_vm(struct mm_struct *mm,
69212 unsigned long lim;
69213
69214 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
69215 -
69216 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
69217 if (cur + npages > lim)
69218 return 0;
69219 return 1;
69220 @@ -2301,6 +2763,22 @@ int install_special_mapping(struct mm_st
69221 vma->vm_start = addr;
69222 vma->vm_end = addr + len;
69223
69224 +#ifdef CONFIG_PAX_MPROTECT
69225 + if (mm->pax_flags & MF_PAX_MPROTECT) {
69226 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
69227 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
69228 + return -EPERM;
69229 + if (!(vm_flags & VM_EXEC))
69230 + vm_flags &= ~VM_MAYEXEC;
69231 +#else
69232 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
69233 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
69234 +#endif
69235 + else
69236 + vm_flags &= ~VM_MAYWRITE;
69237 + }
69238 +#endif
69239 +
69240 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
69241 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
69242
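Review bot: The `return -EPERM` in the non-COMPAT branch is reached after the context lines have already written `vma->vm_start` and `vma->vm_end`, so if `vma` was allocated earlier in install_special_mapping (the allocation is outside this hunk) this early return leaks it. Doing the flag check before the allocation, or releasing on this path with `kmem_cache_free(vm_area_cachep, vma);`, would avoid that. The trailing `else` after `#endif` also pairs with a different `if` in each configuration, which is easy to misread. The function starts and ends outside the hunk.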
69243 diff -urNp linux-2.6.32.43/mm/mprotect.c linux-2.6.32.43/mm/mprotect.c
69244 --- linux-2.6.32.43/mm/mprotect.c 2011-03-27 14:31:47.000000000 -0400
69245 +++ linux-2.6.32.43/mm/mprotect.c 2011-04-17 15:56:46.000000000 -0400
69246 @@ -24,10 +24,16 @@
69247 #include <linux/mmu_notifier.h>
69248 #include <linux/migrate.h>
69249 #include <linux/perf_event.h>
69250 +
69251 +#ifdef CONFIG_PAX_MPROTECT
69252 +#include <linux/elf.h>
69253 +#endif
69254 +
69255 #include <asm/uaccess.h>
69256 #include <asm/pgtable.h>
69257 #include <asm/cacheflush.h>
69258 #include <asm/tlbflush.h>
69259 +#include <asm/mmu_context.h>
69260
69261 #ifndef pgprot_modify
69262 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
69263 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
69264 flush_tlb_range(vma, start, end);
69265 }
69266
69267 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69268 +/* called while holding the mmap semaphor for writing except stack expansion */
69269 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
69270 +{
69271 + unsigned long oldlimit, newlimit = 0UL;
69272 +
69273 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
69274 + return;
69275 +
69276 + spin_lock(&mm->page_table_lock);
69277 + oldlimit = mm->context.user_cs_limit;
69278 + if ((prot & VM_EXEC) && oldlimit < end)
69279 + /* USER_CS limit moved up */
69280 + newlimit = end;
69281 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
69282 + /* USER_CS limit moved down */
69283 + newlimit = start;
69284 +
69285 + if (newlimit) {
69286 + mm->context.user_cs_limit = newlimit;
69287 +
69288 +#ifdef CONFIG_SMP
69289 + wmb();
69290 + cpus_clear(mm->context.cpu_user_cs_mask);
69291 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
69292 +#endif
69293 +
69294 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
69295 + }
69296 + spin_unlock(&mm->page_table_lock);
69297 + if (newlimit == end) {
69298 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
69299 +
69300 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
69301 + if (is_vm_hugetlb_page(vma))
69302 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
69303 + else
69304 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
69305 + }
69306 +}
69307 +#endif
69308 +
69309 int
69310 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
69311 unsigned long start, unsigned long end, unsigned long newflags)
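Review bot: In track_exec_limit, `newlimit = 0UL` doubles as the "no change" marker, so a request that should lower the limit to `start == 0` is treated as nothing to do, and the later `newlimit == end` test alone decides whether the VMA walk runs. A separate flag, or a comment stating that `start` is never 0 on this path, would make that explicit. The header comment says the function may run without the mmap semaphore held for writing during stack expansion, but does not say what keeps the `vma->vm_next` walk after `spin_unlock` safe in that case; that deserves a sentence. The unbraced multi-line `if`/`else` bodies would also read more safely with braces.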
69312 @@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
69313 int error;
69314 int dirty_accountable = 0;
69315
69316 +#ifdef CONFIG_PAX_SEGMEXEC
69317 + struct vm_area_struct *vma_m = NULL;
69318 + unsigned long start_m, end_m;
69319 +
69320 + start_m = start + SEGMEXEC_TASK_SIZE;
69321 + end_m = end + SEGMEXEC_TASK_SIZE;
69322 +#endif
69323 +
69324 if (newflags == oldflags) {
69325 *pprev = vma;
69326 return 0;
69327 }
69328
69329 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
69330 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
69331 +
69332 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
69333 + return -ENOMEM;
69334 +
69335 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
69336 + return -ENOMEM;
69337 + }
69338 +
69339 /*
69340 * If we make a private mapping writable we increase our commit;
69341 * but (without finer accounting) cannot reduce our commit if we
69342 @@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
69343 }
69344 }
69345
69346 +#ifdef CONFIG_PAX_SEGMEXEC
69347 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
69348 + if (start != vma->vm_start) {
69349 + error = split_vma(mm, vma, start, 1);
69350 + if (error)
69351 + goto fail;
69352 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
69353 + *pprev = (*pprev)->vm_next;
69354 + }
69355 +
69356 + if (end != vma->vm_end) {
69357 + error = split_vma(mm, vma, end, 0);
69358 + if (error)
69359 + goto fail;
69360 + }
69361 +
69362 + if (pax_find_mirror_vma(vma)) {
69363 + error = __do_munmap(mm, start_m, end_m - start_m);
69364 + if (error)
69365 + goto fail;
69366 + } else {
69367 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
69368 + if (!vma_m) {
69369 + error = -ENOMEM;
69370 + goto fail;
69371 + }
69372 + vma->vm_flags = newflags;
69373 + pax_mirror_vma(vma_m, vma);
69374 + }
69375 + }
69376 +#endif
69377 +
69378 /*
69379 * First try to merge with previous and/or next vma.
69380 */
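Review bot: In the branch that creates a new mirror, `vma->vm_flags = newflags;` is assigned and `pax_mirror_vma` links the mirror before the merge and split steps that follow this hunk. If any later step in mprotect_fixup can still reach `fail`, neither the flags nor the mirror are rolled back, as far as this hunk shows. I would add a comment explaining why no failure is possible after this point (the two split_vma calls above appear to make the later splits unnecessary), or defer the flag assignment to the `success:` path. The function continues outside the hunk.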
69381 @@ -195,9 +293,21 @@ success:
69382 * vm_flags and vm_page_prot are protected by the mmap_sem
69383 * held in write mode.
69384 */
69385 +
69386 +#ifdef CONFIG_PAX_SEGMEXEC
69387 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
69388 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
69389 +#endif
69390 +
69391 vma->vm_flags = newflags;
69392 +
69393 +#ifdef CONFIG_PAX_MPROTECT
69394 + if (mm->binfmt && mm->binfmt->handle_mprotect)
69395 + mm->binfmt->handle_mprotect(vma, newflags);
69396 +#endif
69397 +
69398 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
69399 - vm_get_page_prot(newflags));
69400 + vm_get_page_prot(vma->vm_flags));
69401
69402 if (vma_wants_writenotify(vma)) {
69403 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
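Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result unchecked, while the other uses in this patch test it first (`if (vma_m)`, `if (pax_find_mirror_vma(vma))`). If an executable VMA under SEGMEXEC always has a mirror, storing the result in a local and adding `BUG_ON(!vma_m);` would document that; otherwise a NULL check is needed. Separately, the hunk switches to `vm_get_page_prot(vma->vm_flags)`, presumably so that changes made by `handle_mprotect` are honoured, but the context line in the `vma_wants_writenotify` branch still computes from `newflags & ~VM_SHARED` and would discard them; `vm_get_page_prot(vma->vm_flags & ~VM_SHARED)` keeps the two consistent.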
69404 @@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69405 end = start + len;
69406 if (end <= start)
69407 return -ENOMEM;
69408 +
69409 +#ifdef CONFIG_PAX_SEGMEXEC
69410 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69411 + if (end > SEGMEXEC_TASK_SIZE)
69412 + return -EINVAL;
69413 + } else
69414 +#endif
69415 +
69416 + if (end > TASK_SIZE)
69417 + return -EINVAL;
69418 +
69419 if (!arch_validate_prot(prot))
69420 return -EINVAL;
69421
69422 @@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69423 /*
69424 * Does the application expect PROT_READ to imply PROT_EXEC:
69425 */
69426 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
69427 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
69428 prot |= PROT_EXEC;
69429
69430 vm_flags = calc_vm_prot_bits(prot);
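Review bot: The comment above this test still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the condition now also fires for `PROT_WRITE` alone, so a write-only request gains `PROT_EXEC` under READ_IMPLIES_EXEC. The comment should be updated to match, e.g. `/* READ_IMPLIES_EXEC: PROT_READ or PROT_WRITE implies PROT_EXEC */`, with a word on why PROT_WRITE is included. The hunk lies inside the mprotect syscall body, which starts and ends outside it.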
69431 @@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69432 if (start > vma->vm_start)
69433 prev = vma;
69434
69435 +#ifdef CONFIG_PAX_MPROTECT
69436 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
69437 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
69438 +#endif
69439 +
69440 for (nstart = start ; ; ) {
69441 unsigned long newflags;
69442
69443 @@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69444
69445 /* newflags >> 4 shift VM_MAY% in place of VM_% */
69446 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
69447 + if (prot & (PROT_WRITE | PROT_EXEC))
69448 + gr_log_rwxmprotect(vma->vm_file);
69449 +
69450 + error = -EACCES;
69451 + goto out;
69452 + }
69453 +
69454 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
69455 error = -EACCES;
69456 goto out;
69457 }
69458 @@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
69459 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
69460 if (error)
69461 goto out;
69462 +
69463 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
69464 +
69465 nstart = tmp;
69466
69467 if (nstart < prev->vm_end)
69468 diff -urNp linux-2.6.32.43/mm/mremap.c linux-2.6.32.43/mm/mremap.c
69469 --- linux-2.6.32.43/mm/mremap.c 2011-04-17 17:00:52.000000000 -0400
69470 +++ linux-2.6.32.43/mm/mremap.c 2011-04-17 17:03:58.000000000 -0400
69471 @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
69472 continue;
69473 pte = ptep_clear_flush(vma, old_addr, old_pte);
69474 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
69475 +
69476 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
69477 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
69478 + pte = pte_exprotect(pte);
69479 +#endif
69480 +
69481 set_pte_at(mm, new_addr, new_pte, pte);
69482 }
69483
69484 @@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
69485 if (is_vm_hugetlb_page(vma))
69486 goto Einval;
69487
69488 +#ifdef CONFIG_PAX_SEGMEXEC
69489 + if (pax_find_mirror_vma(vma))
69490 + goto Einval;
69491 +#endif
69492 +
69493 /* We can't remap across vm area boundaries */
69494 if (old_len > vma->vm_end - addr)
69495 goto Efault;
69496 @@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
69497 unsigned long ret = -EINVAL;
69498 unsigned long charged = 0;
69499 unsigned long map_flags;
69500 + unsigned long pax_task_size = TASK_SIZE;
69501
69502 if (new_addr & ~PAGE_MASK)
69503 goto out;
69504
69505 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
69506 +#ifdef CONFIG_PAX_SEGMEXEC
69507 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
69508 + pax_task_size = SEGMEXEC_TASK_SIZE;
69509 +#endif
69510 +
69511 + pax_task_size -= PAGE_SIZE;
69512 +
69513 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
69514 goto out;
69515
69516 /* Check if the location we're moving into overlaps the
69517 * old location at all, and fail if it does.
69518 */
69519 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
69520 - goto out;
69521 -
69522 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
69523 + if (addr + old_len > new_addr && new_addr + new_len > addr)
69524 goto out;
69525
69526 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
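Review bot: The length half of the new bounds check still compares against `TASK_SIZE` while the address half uses `pax_task_size`; for a `new_len` between the two, `pax_task_size - new_len` wraps and the address comparison can no longer fail. The do_mremap hunk rejects `new_len > pax_task_size` before calling in, so this may be unreachable today, but the local check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. A comment on why one page is subtracted from the limit would also help. mremap_to starts and ends outside the hunk.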
69527 @@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
69528 struct vm_area_struct *vma;
69529 unsigned long ret = -EINVAL;
69530 unsigned long charged = 0;
69531 + unsigned long pax_task_size = TASK_SIZE;
69532
69533 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
69534 goto out;
69535 @@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
69536 if (!new_len)
69537 goto out;
69538
69539 +#ifdef CONFIG_PAX_SEGMEXEC
69540 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
69541 + pax_task_size = SEGMEXEC_TASK_SIZE;
69542 +#endif
69543 +
69544 + pax_task_size -= PAGE_SIZE;
69545 +
69546 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
69547 + old_len > pax_task_size || addr > pax_task_size-old_len)
69548 + goto out;
69549 +
69550 if (flags & MREMAP_FIXED) {
69551 if (flags & MREMAP_MAYMOVE)
69552 ret = mremap_to(addr, old_len, new_addr, new_len);
69553 @@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
69554 addr + new_len);
69555 }
69556 ret = addr;
69557 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
69558 goto out;
69559 }
69560 }
69561 @@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
69562 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
69563 if (ret)
69564 goto out;
69565 +
69566 + map_flags = vma->vm_flags;
69567 ret = move_vma(vma, addr, old_len, new_len, new_addr);
69568 + if (!(ret & ~PAGE_MASK)) {
69569 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
69570 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
69571 + }
69572 }
69573 out:
69574 if (ret & ~PAGE_MASK)
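Review bot: `map_flags` is reused here to carry `vma->vm_flags` across `move_vma`, although its name and its use in mremap_to suggest it holds MAP_* values; its declaration is outside this hunk. A dedicated local such as `unsigned long old_vm_flags = vma->vm_flags;` with a comment like `/* saved: vma may no longer be valid after move_vma() */` would make the intent clear, assuming that is why the value is captured beforehand. do_mremap starts outside the hunk.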
69575 diff -urNp linux-2.6.32.43/mm/nommu.c linux-2.6.32.43/mm/nommu.c
69576 --- linux-2.6.32.43/mm/nommu.c 2011-03-27 14:31:47.000000000 -0400
69577 +++ linux-2.6.32.43/mm/nommu.c 2011-04-17 15:56:46.000000000 -0400
69578 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
69579 int sysctl_overcommit_ratio = 50; /* default is 50% */
69580 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
69581 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
69582 -int heap_stack_gap = 0;
69583
69584 atomic_long_t mmap_pages_allocated;
69585
69586 @@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
69587 EXPORT_SYMBOL(find_vma);
69588
69589 /*
69590 - * find a VMA
69591 - * - we don't extend stack VMAs under NOMMU conditions
69592 - */
69593 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
69594 -{
69595 - return find_vma(mm, addr);
69596 -}
69597 -
69598 -/*
69599 * expand a stack to a given address
69600 * - not supported under NOMMU conditions
69601 */
69602 diff -urNp linux-2.6.32.43/mm/page_alloc.c linux-2.6.32.43/mm/page_alloc.c
69603 --- linux-2.6.32.43/mm/page_alloc.c 2011-06-25 12:55:35.000000000 -0400
69604 +++ linux-2.6.32.43/mm/page_alloc.c 2011-07-09 09:13:08.000000000 -0400
69605 @@ -289,7 +289,7 @@ out:
69606 * This usage means that zero-order pages may not be compound.
69607 */
69608
69609 -static void free_compound_page(struct page *page)
69610 +void free_compound_page(struct page *page)
69611 {
69612 __free_pages_ok(page, compound_order(page));
69613 }
69614 @@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
69615 int bad = 0;
69616 int wasMlocked = __TestClearPageMlocked(page);
69617
69618 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
69619 + unsigned long index = 1UL << order;
69620 +#endif
69621 +
69622 kmemcheck_free_shadow(page, order);
69623
69624 for (i = 0 ; i < (1 << order) ; ++i)
69625 @@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
69626 debug_check_no_obj_freed(page_address(page),
69627 PAGE_SIZE << order);
69628 }
69629 +
69630 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
69631 + for (; index; --index)
69632 + sanitize_highpage(page + index - 1);
69633 +#endif
69634 +
69635 arch_free_page(page, order);
69636 kernel_map_pages(page, 1 << order, 0);
69637
69638 @@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
69639 arch_alloc_page(page, order);
69640 kernel_map_pages(page, 1 << order, 1);
69641
69642 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
69643 if (gfp_flags & __GFP_ZERO)
69644 prep_zero_page(page, order, gfp_flags);
69645 +#endif
69646
69647 if (order && (gfp_flags & __GFP_COMP))
69648 prep_compound_page(page, order);
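Review bot: With CONFIG_PAX_MEMORY_SANITIZE set, `__GFP_ZERO` is no longer honoured at allocation time, so its guarantee rests entirely on every page having been cleared on its way back to the allocator. The two free paths patched in this file (`__free_pages_ok` and `free_hot_cold_page`) call `sanitize_highpage`, but any path that hands pages to the allocator without passing through them would return stale contents to `__GFP_ZERO` callers. I would state the invariant at this `#ifndef`, e.g. `/* pages are sanitized on free; see __free_pages_ok() and free_hot_cold_page() */`. prep_new_page starts and ends outside the hunk.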
69649 @@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
69650 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
69651 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
69652 }
69653 +
69654 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
69655 + sanitize_highpage(page);
69656 +#endif
69657 +
69658 arch_free_page(page, 0);
69659 kernel_map_pages(page, 1, 0);
69660
69661 @@ -2179,6 +2196,8 @@ void show_free_areas(void)
69662 int cpu;
69663 struct zone *zone;
69664
69665 + pax_track_stack();
69666 +
69667 for_each_populated_zone(zone) {
69668 show_node(zone);
69669 printk("%s per-cpu:\n", zone->name);
69670 @@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
69671 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
69672 }
69673 #else
69674 -static void inline setup_usemap(struct pglist_data *pgdat,
69675 +static inline void setup_usemap(struct pglist_data *pgdat,
69676 struct zone *zone, unsigned long zonesize) {}
69677 #endif /* CONFIG_SPARSEMEM */
69678
69679 diff -urNp linux-2.6.32.43/mm/percpu.c linux-2.6.32.43/mm/percpu.c
69680 --- linux-2.6.32.43/mm/percpu.c 2011-03-27 14:31:47.000000000 -0400
69681 +++ linux-2.6.32.43/mm/percpu.c 2011-04-17 15:56:46.000000000 -0400
69682 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
69683 static unsigned int pcpu_last_unit_cpu __read_mostly;
69684
69685 /* the address of the first chunk which starts with the kernel static area */
69686 -void *pcpu_base_addr __read_mostly;
69687 +void *pcpu_base_addr __read_only;
69688 EXPORT_SYMBOL_GPL(pcpu_base_addr);
69689
69690 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
69691 diff -urNp linux-2.6.32.43/mm/rmap.c linux-2.6.32.43/mm/rmap.c
69692 --- linux-2.6.32.43/mm/rmap.c 2011-03-27 14:31:47.000000000 -0400
69693 +++ linux-2.6.32.43/mm/rmap.c 2011-04-17 15:56:46.000000000 -0400
69694 @@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
69695 /* page_table_lock to protect against threads */
69696 spin_lock(&mm->page_table_lock);
69697 if (likely(!vma->anon_vma)) {
69698 +
69699 +#ifdef CONFIG_PAX_SEGMEXEC
69700 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
69701 +
69702 + if (vma_m) {
69703 + BUG_ON(vma_m->anon_vma);
69704 + vma_m->anon_vma = anon_vma;
69705 + list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
69706 + }
69707 +#endif
69708 +
69709 vma->anon_vma = anon_vma;
69710 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
69711 allocated = NULL;
69712 diff -urNp linux-2.6.32.43/mm/shmem.c linux-2.6.32.43/mm/shmem.c
69713 --- linux-2.6.32.43/mm/shmem.c 2011-03-27 14:31:47.000000000 -0400
69714 +++ linux-2.6.32.43/mm/shmem.c 2011-05-18 20:09:37.000000000 -0400
69715 @@ -31,7 +31,7 @@
69716 #include <linux/swap.h>
69717 #include <linux/ima.h>
69718
69719 -static struct vfsmount *shm_mnt;
69720 +struct vfsmount *shm_mnt;
69721
69722 #ifdef CONFIG_SHMEM
69723 /*
69724 @@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
69725 goto unlock;
69726 }
69727 entry = shmem_swp_entry(info, index, NULL);
69728 + if (!entry)
69729 + goto unlock;
69730 if (entry->val) {
69731 /*
69732 * The more uptodate page coming down from a stacked
69733 @@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
69734 struct vm_area_struct pvma;
69735 struct page *page;
69736
69737 + pax_track_stack();
69738 +
69739 spol = mpol_cond_copy(&mpol,
69740 mpol_shared_policy_lookup(&info->policy, idx));
69741
69742 @@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
69743
69744 info = SHMEM_I(inode);
69745 inode->i_size = len-1;
69746 - if (len <= (char *)inode - (char *)info) {
69747 + if (len <= (char *)inode - (char *)info && len <= 64) {
69748 /* do it inline */
69749 memcpy(info, symname, len);
69750 inode->i_op = &shmem_symlink_inline_operations;
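Review bot: The new `len <= 64` bound in shmem_symlink's inline-copy test is a bare number, with nothing tying it to the layout of the area that `memcpy(info, symname, len)` writes into. If it is meant to confine the inline symlink to a fixed region at the start of the inode info structure (inferred; the struct is not in this hunk), a named constant defined next to that struct, or a `sizeof` of the field it covers, would keep the bound correct when the layout changes. At minimum add `/* cap the inline copy at 64 bytes regardless of how much room precedes the inode */` above the test. shmem_symlink starts and ends outside the hunk.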
69751 @@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
69752 int err = -ENOMEM;
69753
69754 /* Round up to L1_CACHE_BYTES to resist false sharing */
69755 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
69756 - L1_CACHE_BYTES), GFP_KERNEL);
69757 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
69758 if (!sbinfo)
69759 return -ENOMEM;
69760
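Review bot: Dropping the `(int)` cast in shmem_fill_super leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`, and the kernel's `max()` warns when its two arguments have different types. Unless `L1_CACHE_BYTES` is retyped to an unsigned long elsewhere in this patch (not visible here), state the type explicitly: `sbinfo = kzalloc(max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);`. shmem_fill_super continues outside the hunk.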
69761 diff -urNp linux-2.6.32.43/mm/slab.c linux-2.6.32.43/mm/slab.c
69762 --- linux-2.6.32.43/mm/slab.c 2011-03-27 14:31:47.000000000 -0400
69763 +++ linux-2.6.32.43/mm/slab.c 2011-05-04 17:56:20.000000000 -0400
69764 @@ -174,7 +174,7 @@
69765
69766 /* Legal flag mask for kmem_cache_create(). */
69767 #if DEBUG
69768 -# define CREATE_MASK (SLAB_RED_ZONE | \
69769 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
69770 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
69771 SLAB_CACHE_DMA | \
69772 SLAB_STORE_USER | \
69773 @@ -182,7 +182,7 @@
69774 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
69775 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
69776 #else
69777 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
69778 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
69779 SLAB_CACHE_DMA | \
69780 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
69781 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
69782 @@ -308,7 +308,7 @@ struct kmem_list3 {
69783 * Need this for bootstrapping a per node allocator.
69784 */
69785 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
69786 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
69787 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
69788 #define CACHE_CACHE 0
69789 #define SIZE_AC MAX_NUMNODES
69790 #define SIZE_L3 (2 * MAX_NUMNODES)
69791 @@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
69792 if ((x)->max_freeable < i) \
69793 (x)->max_freeable = i; \
69794 } while (0)
69795 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
69796 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
69797 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
69798 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
69799 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
69800 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
69801 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
69802 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
69803 #else
69804 #define STATS_INC_ACTIVE(x) do { } while (0)
69805 #define STATS_DEC_ACTIVE(x) do { } while (0)
69806 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
69807 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
69808 */
69809 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
69810 - const struct slab *slab, void *obj)
69811 + const struct slab *slab, const void *obj)
69812 {
69813 u32 offset = (obj - slab->s_mem);
69814 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
69815 @@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
69816 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
69817 sizes[INDEX_AC].cs_size,
69818 ARCH_KMALLOC_MINALIGN,
69819 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69820 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69821 NULL);
69822
69823 if (INDEX_AC != INDEX_L3) {
69824 @@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
69825 kmem_cache_create(names[INDEX_L3].name,
69826 sizes[INDEX_L3].cs_size,
69827 ARCH_KMALLOC_MINALIGN,
69828 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69829 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69830 NULL);
69831 }
69832
69833 @@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
69834 sizes->cs_cachep = kmem_cache_create(names->name,
69835 sizes->cs_size,
69836 ARCH_KMALLOC_MINALIGN,
69837 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
69838 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
69839 NULL);
69840 }
69841 #ifdef CONFIG_ZONE_DMA
69842 @@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
69843 }
69844 /* cpu stats */
69845 {
69846 - unsigned long allochit = atomic_read(&cachep->allochit);
69847 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
69848 - unsigned long freehit = atomic_read(&cachep->freehit);
69849 - unsigned long freemiss = atomic_read(&cachep->freemiss);
69850 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
69851 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
69852 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
69853 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
69854
69855 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
69856 allochit, allocmiss, freehit, freemiss);
69857 @@ -4471,15 +4471,66 @@ static const struct file_operations proc
69858
69859 static int __init slab_proc_init(void)
69860 {
69861 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
69862 + mode_t gr_mode = S_IRUGO;
69863 +
69864 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
69865 + gr_mode = S_IRUSR;
69866 +#endif
69867 +
69868 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
69869 #ifdef CONFIG_DEBUG_SLAB_LEAK
69870 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
69871 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
69872 #endif
69873 return 0;
69874 }
69875 module_init(slab_proc_init);
69876 #endif
69877
69878 +void check_object_size(const void *ptr, unsigned long n, bool to)
69879 +{
69880 +
69881 +#ifdef CONFIG_PAX_USERCOPY
69882 + struct page *page;
69883 + struct kmem_cache *cachep = NULL;
69884 + struct slab *slabp;
69885 + unsigned int objnr;
69886 + unsigned long offset;
69887 +
69888 + if (!n)
69889 + return;
69890 +
69891 + if (ZERO_OR_NULL_PTR(ptr))
69892 + goto report;
69893 +
69894 + if (!virt_addr_valid(ptr))
69895 + return;
69896 +
69897 + page = virt_to_head_page(ptr);
69898 +
69899 + if (!PageSlab(page)) {
69900 + if (object_is_on_stack(ptr, n) == -1)
69901 + goto report;
69902 + return;
69903 + }
69904 +
69905 + cachep = page_get_cache(page);
69906 + if (!(cachep->flags & SLAB_USERCOPY))
69907 + goto report;
69908 +
69909 + slabp = page_get_slab(page);
69910 + objnr = obj_to_index(cachep, slabp, ptr);
69911 + BUG_ON(objnr >= cachep->num);
69912 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
69913 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
69914 + return;
69915 +
69916 +report:
69917 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
69918 +#endif
69919 +
69920 +}
69921 +EXPORT_SYMBOL(check_object_size);
69922 +
69923 /**
69924 * ksize - get the actual amount of memory allocated for a given object
69925 * @objp: Pointer to the object
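Review bot: check_object_size() is exported with no comment describing what it guarantees, and its early returns make the coverage narrower than the name suggests. A pointer that fails `virt_addr_valid()` returns without a report, and a non-slab page is only tested through `object_is_on_stack()`, so a caller treating this as a complete bounds check on every usercopy would be wrong about those cases (vmalloc and module addresses presumably fall in the first). A kernel-doc block above the function should list the outcomes: a slab object must be in a `SLAB_USERCOPY` cache and fit within one object, a stack object is checked separately, and everything else is unchecked. It should also say what `to` selects, which this hunk does not show. The same applies to the copies added to mm/slob.c and mm/slub.c further down.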
69926 diff -urNp linux-2.6.32.43/mm/slob.c linux-2.6.32.43/mm/slob.c
69927 --- linux-2.6.32.43/mm/slob.c 2011-03-27 14:31:47.000000000 -0400
69928 +++ linux-2.6.32.43/mm/slob.c 2011-07-06 19:53:33.000000000 -0400
69929 @@ -29,7 +29,7 @@
69930 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
69931 * alloc_pages() directly, allocating compound pages so the page order
69932 * does not have to be separately tracked, and also stores the exact
69933 - * allocation size in page->private so that it can be used to accurately
69934 + * allocation size in slob_page->size so that it can be used to accurately
69935 * provide ksize(). These objects are detected in kfree() because slob_page()
69936 * is false for them.
69937 *
69938 @@ -58,6 +58,7 @@
69939 */
69940
69941 #include <linux/kernel.h>
69942 +#include <linux/sched.h>
69943 #include <linux/slab.h>
69944 #include <linux/mm.h>
69945 #include <linux/swap.h> /* struct reclaim_state */
69946 @@ -100,7 +101,8 @@ struct slob_page {
69947 unsigned long flags; /* mandatory */
69948 atomic_t _count; /* mandatory */
69949 slobidx_t units; /* free units left in page */
69950 - unsigned long pad[2];
69951 + unsigned long pad[1];
69952 + unsigned long size; /* size when >=PAGE_SIZE */
69953 slob_t *free; /* first free slob_t in page */
69954 struct list_head list; /* linked list of free pages */
69955 };
69956 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
69957 */
69958 static inline int is_slob_page(struct slob_page *sp)
69959 {
69960 - return PageSlab((struct page *)sp);
69961 + return PageSlab((struct page *)sp) && !sp->size;
69962 }
69963
69964 static inline void set_slob_page(struct slob_page *sp)
69965 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
69966
69967 static inline struct slob_page *slob_page(const void *addr)
69968 {
69969 - return (struct slob_page *)virt_to_page(addr);
69970 + return (struct slob_page *)virt_to_head_page(addr);
69971 }
69972
69973 /*
69974 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
69975 /*
69976 * Return the size of a slob block.
69977 */
69978 -static slobidx_t slob_units(slob_t *s)
69979 +static slobidx_t slob_units(const slob_t *s)
69980 {
69981 if (s->units > 0)
69982 return s->units;
69983 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
69984 /*
69985 * Return the next free slob block pointer after this one.
69986 */
69987 -static slob_t *slob_next(slob_t *s)
69988 +static slob_t *slob_next(const slob_t *s)
69989 {
69990 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
69991 slobidx_t next;
69992 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
69993 /*
69994 * Returns true if s is the last free block in its page.
69995 */
69996 -static int slob_last(slob_t *s)
69997 +static int slob_last(const slob_t *s)
69998 {
69999 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
70000 }
70001 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
70002 if (!page)
70003 return NULL;
70004
70005 + set_slob_page(page);
70006 return page_address(page);
70007 }
70008
70009 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
70010 if (!b)
70011 return NULL;
70012 sp = slob_page(b);
70013 - set_slob_page(sp);
70014
70015 spin_lock_irqsave(&slob_lock, flags);
70016 sp->units = SLOB_UNITS(PAGE_SIZE);
70017 sp->free = b;
70018 + sp->size = 0;
70019 INIT_LIST_HEAD(&sp->list);
70020 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
70021 set_slob_page_free(sp, slob_list);
70022 @@ -475,10 +478,9 @@ out:
70023 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
70024 #endif
70025
70026 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70027 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
70028 {
70029 - unsigned int *m;
70030 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70031 + slob_t *m;
70032 void *ret;
70033
70034 lockdep_trace_alloc(gfp);
70035 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
70036
70037 if (!m)
70038 return NULL;
70039 - *m = size;
70040 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
70041 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
70042 + m[0].units = size;
70043 + m[1].units = align;
70044 ret = (void *)m + align;
70045
70046 trace_kmalloc_node(_RET_IP_, ret,
70047 @@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
70048
70049 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
70050 if (ret) {
70051 - struct page *page;
70052 - page = virt_to_page(ret);
70053 - page->private = size;
70054 + struct slob_page *sp;
70055 + sp = slob_page(ret);
70056 + sp->size = size;
70057 }
70058
70059 trace_kmalloc_node(_RET_IP_, ret,
70060 size, PAGE_SIZE << order, gfp, node);
70061 }
70062
70063 - kmemleak_alloc(ret, size, 1, gfp);
70064 + return ret;
70065 +}
70066 +
70067 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
70068 +{
70069 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70070 + void *ret = __kmalloc_node_align(size, gfp, node, align);
70071 +
70072 + if (!ZERO_OR_NULL_PTR(ret))
70073 + kmemleak_alloc(ret, size, 1, gfp);
70074 return ret;
70075 }
70076 EXPORT_SYMBOL(__kmalloc_node);
70077 @@ -528,13 +542,88 @@ void kfree(const void *block)
70078 sp = slob_page(block);
70079 if (is_slob_page(sp)) {
70080 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70081 - unsigned int *m = (unsigned int *)(block - align);
70082 - slob_free(m, *m + align);
70083 - } else
70084 + slob_t *m = (slob_t *)(block - align);
70085 + slob_free(m, m[0].units + align);
70086 + } else {
70087 + clear_slob_page(sp);
70088 + free_slob_page(sp);
70089 + sp->size = 0;
70090 put_page(&sp->page);
70091 + }
70092 }
70093 EXPORT_SYMBOL(kfree);
70094
70095 +void check_object_size(const void *ptr, unsigned long n, bool to)
70096 +{
70097 +
70098 +#ifdef CONFIG_PAX_USERCOPY
70099 + struct slob_page *sp;
70100 + const slob_t *free;
70101 + const void *base;
70102 + unsigned long flags;
70103 +
70104 + if (!n)
70105 + return;
70106 +
70107 + if (ZERO_OR_NULL_PTR(ptr))
70108 + goto report;
70109 +
70110 + if (!virt_addr_valid(ptr))
70111 + return;
70112 +
70113 + sp = slob_page(ptr);
70114 + if (!PageSlab((struct page*)sp)) {
70115 + if (object_is_on_stack(ptr, n) == -1)
70116 + goto report;
70117 + return;
70118 + }
70119 +
70120 + if (sp->size) {
70121 + base = page_address(&sp->page);
70122 + if (base <= ptr && n <= sp->size - (ptr - base))
70123 + return;
70124 + goto report;
70125 + }
70126 +
70127 + /* some tricky double walking to find the chunk */
70128 + spin_lock_irqsave(&slob_lock, flags);
70129 + base = (void *)((unsigned long)ptr & PAGE_MASK);
70130 + free = sp->free;
70131 +
70132 + while (!slob_last(free) && (void *)free <= ptr) {
70133 + base = free + slob_units(free);
70134 + free = slob_next(free);
70135 + }
70136 +
70137 + while (base < (void *)free) {
70138 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
70139 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
70140 + int offset;
70141 +
70142 + if (ptr < base + align)
70143 + break;
70144 +
70145 + offset = ptr - base - align;
70146 + if (offset >= m) {
70147 + base += size;
70148 + continue;
70149 + }
70150 +
70151 + if (n > m - offset)
70152 + break;
70153 +
70154 + spin_unlock_irqrestore(&slob_lock, flags);
70155 + return;
70156 + }
70157 +
70158 + spin_unlock_irqrestore(&slob_lock, flags);
70159 +report:
70160 + pax_report_usercopy(ptr, n, to, NULL);
70161 +#endif
70162 +
70163 +}
70164 +EXPORT_SYMBOL(check_object_size);
70165 +
70166 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
70167 size_t ksize(const void *block)
70168 {
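Review bot: The second loop in the SLOB check_object_size() relies on the two in-band header units at `base` (`m` and `align`) to advance. A header whose values sum to zero or less gives `size <= 0`, and `base += size; continue;` then never moves forward while `slob_lock` is held with interrupts off. That should not occur while every chunk header is written by `__kmalloc_node_align` (the zero-size allocation path is outside this hunk), but this function exists to catch memory in an unexpected state, so it should fail closed. Adding `if (size <= 0) break;` as the first statement of the loop body sends that case to the unlock-and-report path. The `/* some tricky double walking to find the chunk */` comment should also state that the walk assumes every allocated chunk begins with those two header units.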
70169 @@ -547,10 +636,10 @@ size_t ksize(const void *block)
70170 sp = slob_page(block);
70171 if (is_slob_page(sp)) {
70172 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
70173 - unsigned int *m = (unsigned int *)(block - align);
70174 - return SLOB_UNITS(*m) * SLOB_UNIT;
70175 + slob_t *m = (slob_t *)(block - align);
70176 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
70177 } else
70178 - return sp->page.private;
70179 + return sp->size;
70180 }
70181 EXPORT_SYMBOL(ksize);
70182
70183 @@ -566,8 +655,13 @@ struct kmem_cache *kmem_cache_create(con
70184 {
70185 struct kmem_cache *c;
70186
70187 +#ifdef CONFIG_PAX_USERCOPY
70188 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
70189 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
70190 +#else
70191 c = slob_alloc(sizeof(struct kmem_cache),
70192 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
70193 +#endif
70194
70195 if (c) {
70196 c->name = name;
70197 @@ -605,17 +699,25 @@ void *kmem_cache_alloc_node(struct kmem_
70198 {
70199 void *b;
70200
70201 +#ifdef CONFIG_PAX_USERCOPY
70202 + b = __kmalloc_node_align(c->size, flags, node, c->align);
70203 +#else
70204 if (c->size < PAGE_SIZE) {
70205 b = slob_alloc(c->size, flags, c->align, node);
70206 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70207 SLOB_UNITS(c->size) * SLOB_UNIT,
70208 flags, node);
70209 } else {
70210 + struct slob_page *sp;
70211 +
70212 b = slob_new_pages(flags, get_order(c->size), node);
70213 + sp = slob_page(b);
70214 + sp->size = c->size;
70215 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
70216 PAGE_SIZE << get_order(c->size),
70217 flags, node);
70218 }
70219 +#endif
70220
70221 if (c->ctor)
70222 c->ctor(b);
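Review bot: In the non-PAX_USERCOPY branch of kmem_cache_alloc_node, the large-object path now runs `sp = slob_page(b); sp->size = c->size;` without checking whether `slob_new_pages()` returned NULL. On allocation failure that turns a NULL address into a page descriptor and stores `size` through it. `__kmalloc_node_align` guards the same store with `if (ret)`; do the same here with `if (b) slob_page(b)->size = c->size;`. The function continues outside the hunk.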
70223 @@ -627,10 +729,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
70224
70225 static void __kmem_cache_free(void *b, int size)
70226 {
70227 - if (size < PAGE_SIZE)
70228 + struct slob_page *sp = slob_page(b);
70229 +
70230 + if (is_slob_page(sp))
70231 slob_free(b, size);
70232 - else
70233 + else {
70234 + clear_slob_page(sp);
70235 + free_slob_page(sp);
70236 + sp->size = 0;
70237 slob_free_pages(b, get_order(size));
70238 + }
70239 }
70240
70241 static void kmem_rcu_free(struct rcu_head *head)
70242 @@ -643,18 +751,32 @@ static void kmem_rcu_free(struct rcu_hea
70243
70244 void kmem_cache_free(struct kmem_cache *c, void *b)
70245 {
70246 + int size = c->size;
70247 +
70248 +#ifdef CONFIG_PAX_USERCOPY
70249 + if (size + c->align < PAGE_SIZE) {
70250 + size += c->align;
70251 + b -= c->align;
70252 + }
70253 +#endif
70254 +
70255 kmemleak_free_recursive(b, c->flags);
70256 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
70257 struct slob_rcu *slob_rcu;
70258 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
70259 + slob_rcu = b + (size - sizeof(struct slob_rcu));
70260 INIT_RCU_HEAD(&slob_rcu->head);
70261 - slob_rcu->size = c->size;
70262 + slob_rcu->size = size;
70263 call_rcu(&slob_rcu->head, kmem_rcu_free);
70264 } else {
70265 - __kmem_cache_free(b, c->size);
70266 + __kmem_cache_free(b, size);
70267 }
70268
70269 +#ifdef CONFIG_PAX_USERCOPY
70270 + trace_kfree(_RET_IP_, b);
70271 +#else
70272 trace_kmem_cache_free(_RET_IP_, b);
70273 +#endif
70274 +
70275 }
70276 EXPORT_SYMBOL(kmem_cache_free);
70277
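Review bot: In kmem_cache_free the PAX_USERCOPY block rewinds `b` by `c->align` before `kmemleak_free_recursive(b, c->flags)` and before the trace call, so both receive the header address rather than the pointer the caller passed in. If the allocation side registers the object pointer with kmemleak (that call is outside this hunk), the free will not match the tracked object. Moving the `#ifdef CONFIG_PAX_USERCOPY` adjustment below `kmemleak_free_recursive()` and tracing the caller's pointer would keep the two sides symmetric. A comment such as `/* step back over the size/align header written at allocation */` on `b -= c->align;` would also help the next reader.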
70278 diff -urNp linux-2.6.32.43/mm/slub.c linux-2.6.32.43/mm/slub.c
70279 --- linux-2.6.32.43/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
70280 +++ linux-2.6.32.43/mm/slub.c 2011-04-17 15:56:46.000000000 -0400
70281 @@ -410,7 +410,7 @@ static void print_track(const char *s, s
70282 if (!t->addr)
70283 return;
70284
70285 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
70286 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
70287 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
70288 }
70289
70290 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
70291
70292 page = virt_to_head_page(x);
70293
70294 + BUG_ON(!PageSlab(page));
70295 +
70296 slab_free(s, page, x, _RET_IP_);
70297
70298 trace_kmem_cache_free(_RET_IP_, x);
70299 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
70300 * Merge control. If this is set then no merging of slab caches will occur.
70301 * (Could be removed. This was introduced to pacify the merge skeptics.)
70302 */
70303 -static int slub_nomerge;
70304 +static int slub_nomerge = 1;
70305
70306 /*
70307 * Calculate the order of allocation given an slab object size.
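Review bot: `slub_nomerge` now defaults to 1, but the comment above it still describes merging as the normal case and gives no reason for the new default. Update it to something like `/* Merge control. Defaults to 1 in this tree, so slab caches are not merged. */`. The reason should be recorded as well: presumably it keeps per-cache properties such as `SLAB_USERCOPY`, which the SLUB check_object_size() reads from `s->flags`, from being shared between unrelated caches, but that is an inference worth confirming. If the `slub_nomerge` boot option can only set the flag (its handler body is not in this hunk), say that it has become a no-op.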
70308 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
70309 * list to avoid pounding the page allocator excessively.
70310 */
70311 set_min_partial(s, ilog2(s->size));
70312 - s->refcount = 1;
70313 + atomic_set(&s->refcount, 1);
70314 #ifdef CONFIG_NUMA
70315 s->remote_node_defrag_ratio = 1000;
70316 #endif
70317 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
70318 void kmem_cache_destroy(struct kmem_cache *s)
70319 {
70320 down_write(&slub_lock);
70321 - s->refcount--;
70322 - if (!s->refcount) {
70323 + if (atomic_dec_and_test(&s->refcount)) {
70324 list_del(&s->list);
70325 up_write(&slub_lock);
70326 if (kmem_cache_close(s)) {
70327 @@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
70328 __setup("slub_nomerge", setup_slub_nomerge);
70329
70330 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
70331 - const char *name, int size, gfp_t gfp_flags)
70332 + const char *name, int size, gfp_t gfp_flags, unsigned int flags)
70333 {
70334 - unsigned int flags = 0;
70335 -
70336 if (gfp_flags & SLUB_DMA)
70337 - flags = SLAB_CACHE_DMA;
70338 + flags |= SLAB_CACHE_DMA;
70339
70340 /*
70341 * This function is called with IRQs disabled during early-boot on
70342 @@ -2915,6 +2914,46 @@ void *__kmalloc_node(size_t size, gfp_t
70343 EXPORT_SYMBOL(__kmalloc_node);
70344 #endif
70345
70346 +void check_object_size(const void *ptr, unsigned long n, bool to)
70347 +{
70348 +
70349 +#ifdef CONFIG_PAX_USERCOPY
70350 + struct page *page;
70351 + struct kmem_cache *s = NULL;
70352 + unsigned long offset;
70353 +
70354 + if (!n)
70355 + return;
70356 +
70357 + if (ZERO_OR_NULL_PTR(ptr))
70358 + goto report;
70359 +
70360 + if (!virt_addr_valid(ptr))
70361 + return;
70362 +
70363 + page = get_object_page(ptr);
70364 +
70365 + if (!page) {
70366 + if (object_is_on_stack(ptr, n) == -1)
70367 + goto report;
70368 + return;
70369 + }
70370 +
70371 + s = page->slab;
70372 + if (!(s->flags & SLAB_USERCOPY))
70373 + goto report;
70374 +
70375 + offset = (ptr - page_address(page)) % s->size;
70376 + if (offset <= s->objsize && n <= s->objsize - offset)
70377 + return;
70378 +
70379 +report:
70380 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
70381 +#endif
70382 +
70383 +}
70384 +EXPORT_SYMBOL(check_object_size);
70385 +
70386 size_t ksize(const void *object)
70387 {
70388 struct page *page;
70389 @@ -3185,8 +3224,8 @@ void __init kmem_cache_init(void)
70390 * kmem_cache_open for slab_state == DOWN.
70391 */
70392 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
70393 - sizeof(struct kmem_cache_node), GFP_NOWAIT);
70394 - kmalloc_caches[0].refcount = -1;
70395 + sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
70396 + atomic_set(&kmalloc_caches[0].refcount, -1);
70397 caches++;
70398
70399 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
70400 @@ -3198,18 +3237,18 @@ void __init kmem_cache_init(void)
70401 /* Caches that are not of the two-to-the-power-of size */
70402 if (KMALLOC_MIN_SIZE <= 32) {
70403 create_kmalloc_cache(&kmalloc_caches[1],
70404 - "kmalloc-96", 96, GFP_NOWAIT);
70405 + "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
70406 caches++;
70407 }
70408 if (KMALLOC_MIN_SIZE <= 64) {
70409 create_kmalloc_cache(&kmalloc_caches[2],
70410 - "kmalloc-192", 192, GFP_NOWAIT);
70411 + "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
70412 caches++;
70413 }
70414
70415 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
70416 create_kmalloc_cache(&kmalloc_caches[i],
70417 - "kmalloc", 1 << i, GFP_NOWAIT);
70418 + "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
70419 caches++;
70420 }
70421
70422 @@ -3293,7 +3332,7 @@ static int slab_unmergeable(struct kmem_
70423 /*
70424 * We may have set a slab to be unmergeable during bootstrap.
70425 */
70426 - if (s->refcount < 0)
70427 + if (atomic_read(&s->refcount) < 0)
70428 return 1;
70429
70430 return 0;
70431 @@ -3353,7 +3392,7 @@ struct kmem_cache *kmem_cache_create(con
70432 if (s) {
70433 int cpu;
70434
70435 - s->refcount++;
70436 + atomic_inc(&s->refcount);
70437 /*
70438 * Adjust the object sizes so that we clear
70439 * the complete object on kzalloc.
70440 @@ -3372,7 +3411,7 @@ struct kmem_cache *kmem_cache_create(con
70441
70442 if (sysfs_slab_alias(s, name)) {
70443 down_write(&slub_lock);
70444 - s->refcount--;
70445 + atomic_dec(&s->refcount);
70446 up_write(&slub_lock);
70447 goto err;
70448 }
70449 @@ -4101,7 +4140,7 @@ SLAB_ATTR_RO(ctor);
70450
70451 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
70452 {
70453 - return sprintf(buf, "%d\n", s->refcount - 1);
70454 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
70455 }
70456 SLAB_ATTR_RO(aliases);
70457
70458 @@ -4503,7 +4542,7 @@ static void kmem_cache_release(struct ko
70459 kfree(s);
70460 }
70461
70462 -static struct sysfs_ops slab_sysfs_ops = {
70463 +static const struct sysfs_ops slab_sysfs_ops = {
70464 .show = slab_attr_show,
70465 .store = slab_attr_store,
70466 };
70467 @@ -4522,7 +4561,7 @@ static int uevent_filter(struct kset *ks
70468 return 0;
70469 }
70470
70471 -static struct kset_uevent_ops slab_uevent_ops = {
70472 +static const struct kset_uevent_ops slab_uevent_ops = {
70473 .filter = uevent_filter,
70474 };
70475
70476 @@ -4785,7 +4824,13 @@ static const struct file_operations proc
70477
70478 static int __init slab_proc_init(void)
70479 {
70480 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
70481 + mode_t gr_mode = S_IRUGO;
70482 +
70483 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70484 + gr_mode = S_IRUSR;
70485 +#endif
70486 +
70487 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
70488 return 0;
70489 }
70490 module_init(slab_proc_init);
70491 diff -urNp linux-2.6.32.43/mm/swap.c linux-2.6.32.43/mm/swap.c
70492 --- linux-2.6.32.43/mm/swap.c 2011-03-27 14:31:47.000000000 -0400
70493 +++ linux-2.6.32.43/mm/swap.c 2011-07-09 09:15:19.000000000 -0400
70494 @@ -30,6 +30,7 @@
70495 #include <linux/notifier.h>
70496 #include <linux/backing-dev.h>
70497 #include <linux/memcontrol.h>
70498 +#include <linux/hugetlb.h>
70499
70500 #include "internal.h"
70501
70502 @@ -65,6 +66,8 @@ static void put_compound_page(struct pag
70503 compound_page_dtor *dtor;
70504
70505 dtor = get_compound_page_dtor(page);
70506 + if (!PageHuge(page))
70507 + BUG_ON(dtor != free_compound_page);
70508 (*dtor)(page);
70509 }
70510 }
70511 diff -urNp linux-2.6.32.43/mm/util.c linux-2.6.32.43/mm/util.c
70512 --- linux-2.6.32.43/mm/util.c 2011-03-27 14:31:47.000000000 -0400
70513 +++ linux-2.6.32.43/mm/util.c 2011-04-17 15:56:46.000000000 -0400
70514 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
70515 void arch_pick_mmap_layout(struct mm_struct *mm)
70516 {
70517 mm->mmap_base = TASK_UNMAPPED_BASE;
70518 +
70519 +#ifdef CONFIG_PAX_RANDMMAP
70520 + if (mm->pax_flags & MF_PAX_RANDMMAP)
70521 + mm->mmap_base += mm->delta_mmap;
70522 +#endif
70523 +
70524 mm->get_unmapped_area = arch_get_unmapped_area;
70525 mm->unmap_area = arch_unmap_area;
70526 }
70527 diff -urNp linux-2.6.32.43/mm/vmalloc.c linux-2.6.32.43/mm/vmalloc.c
70528 --- linux-2.6.32.43/mm/vmalloc.c 2011-03-27 14:31:47.000000000 -0400
70529 +++ linux-2.6.32.43/mm/vmalloc.c 2011-04-17 15:56:46.000000000 -0400
70530 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
70531
70532 pte = pte_offset_kernel(pmd, addr);
70533 do {
70534 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
70535 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
70536 +
70537 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70538 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
70539 + BUG_ON(!pte_exec(*pte));
70540 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
70541 + continue;
70542 + }
70543 +#endif
70544 +
70545 + {
70546 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
70547 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
70548 + }
70549 } while (pte++, addr += PAGE_SIZE, addr != end);
70550 }
70551
70552 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
70553 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
70554 {
70555 pte_t *pte;
70556 + int ret = -ENOMEM;
70557
70558 /*
70559 * nr is a running index into the array which helps higher level
70560 @@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
70561 pte = pte_alloc_kernel(pmd, addr);
70562 if (!pte)
70563 return -ENOMEM;
70564 +
70565 + pax_open_kernel();
70566 do {
70567 struct page *page = pages[*nr];
70568
70569 - if (WARN_ON(!pte_none(*pte)))
70570 - return -EBUSY;
70571 - if (WARN_ON(!page))
70572 - return -ENOMEM;
70573 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70574 + if (!(pgprot_val(prot) & _PAGE_NX))
70575 + BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
70576 + else
70577 +#endif
70578 +
70579 + if (WARN_ON(!pte_none(*pte))) {
70580 + ret = -EBUSY;
70581 + goto out;
70582 + }
70583 + if (WARN_ON(!page)) {
70584 + ret = -ENOMEM;
70585 + goto out;
70586 + }
70587 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
70588 (*nr)++;
70589 } while (pte++, addr += PAGE_SIZE, addr != end);
70590 - return 0;
70591 + ret = 0;
70592 +out:
70593 + pax_close_kernel();
70594 + return ret;
70595 }
70596
70597 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
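Review bot: In vmap_pte_range the `else` that closes the `CONFIG_PAX_KERNEXEC` block binds only to the `if (WARN_ON(!pte_none(*pte)))` statement after the `#endif`, across a blank line. The `WARN_ON(!page)` test and `set_pte_at()` still run in both configurations, which is easy to misread as both checks being skipped. A later edit that inserts a statement between `#endif` and that `if` would silently change what the `else` guards. Brace the guarded statement or add `/* else covers only the pte_none() check below */` at the `else`. The __vmalloc_node hunk uses the same `else`/`#endif` shape, and vmalloc_to_page chains a bare `if` across `#endif` in the same way; the function's opening is in the preceding hunk.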
70598 @@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
70599 * and fall back on vmalloc() if that fails. Others
70600 * just put it in the vmalloc space.
70601 */
70602 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
70603 +#ifdef CONFIG_MODULES
70604 +#ifdef MODULES_VADDR
70605 unsigned long addr = (unsigned long)x;
70606 if (addr >= MODULES_VADDR && addr < MODULES_END)
70607 return 1;
70608 #endif
70609 +
70610 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
70611 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
70612 + return 1;
70613 +#endif
70614 +
70615 +#endif
70616 +
70617 return is_vmalloc_addr(x);
70618 }
70619
70620 @@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
70621
70622 if (!pgd_none(*pgd)) {
70623 pud_t *pud = pud_offset(pgd, addr);
70624 +#ifdef CONFIG_X86
70625 + if (!pud_large(*pud))
70626 +#endif
70627 if (!pud_none(*pud)) {
70628 pmd_t *pmd = pmd_offset(pud, addr);
70629 +#ifdef CONFIG_X86
70630 + if (!pmd_large(*pmd))
70631 +#endif
70632 if (!pmd_none(*pmd)) {
70633 pte_t *ptep, pte;
70634
70635 @@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
70636 struct rb_node *tmp;
70637
70638 while (*p) {
70639 - struct vmap_area *tmp;
70640 + struct vmap_area *varea;
70641
70642 parent = *p;
70643 - tmp = rb_entry(parent, struct vmap_area, rb_node);
70644 - if (va->va_start < tmp->va_end)
70645 + varea = rb_entry(parent, struct vmap_area, rb_node);
70646 + if (va->va_start < varea->va_end)
70647 p = &(*p)->rb_left;
70648 - else if (va->va_end > tmp->va_start)
70649 + else if (va->va_end > varea->va_start)
70650 p = &(*p)->rb_right;
70651 else
70652 BUG();
70653 @@ -1232,6 +1274,16 @@ static struct vm_struct *__get_vm_area_n
70654 struct vm_struct *area;
70655
70656 BUG_ON(in_interrupt());
70657 +
70658 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70659 + if (flags & VM_KERNEXEC) {
70660 + if (start != VMALLOC_START || end != VMALLOC_END)
70661 + return NULL;
70662 + start = (unsigned long)MODULES_EXEC_VADDR;
70663 + end = (unsigned long)MODULES_EXEC_END;
70664 + }
70665 +#endif
70666 +
70667 if (flags & VM_IOREMAP) {
70668 int bit = fls(size);
70669
70670 @@ -1457,6 +1509,11 @@ void *vmap(struct page **pages, unsigned
70671 if (count > totalram_pages)
70672 return NULL;
70673
70674 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70675 + if (!(pgprot_val(prot) & _PAGE_NX))
70676 + flags |= VM_KERNEXEC;
70677 +#endif
70678 +
70679 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
70680 __builtin_return_address(0));
70681 if (!area)
70682 @@ -1567,6 +1624,13 @@ static void *__vmalloc_node(unsigned lon
70683 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
70684 return NULL;
70685
70686 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
70687 + if (!(pgprot_val(prot) & _PAGE_NX))
70688 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
70689 + node, gfp_mask, caller);
70690 + else
70691 +#endif
70692 +
70693 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
70694 VMALLOC_END, node, gfp_mask, caller);
70695
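Review bot: The added `else` is left dangling across `#endif` and a blank line, so the second `__get_vm_area_node` call is an else-branch in one configuration and a plain statement in the other. Any statement later inserted between the `#endif` and that call silently becomes the else-body. The vmap hunk above handles the same case by OR-ing VM_KERNEXEC into a flags variable, and doing the same here keeps a single call and no conditional control flow across the preprocessor guard. The new local would go with the other declarations at the top of __vmalloc_node, which are outside this hunk.

```c
	unsigned long vm_flags = VM_ALLOC;

	/* … unchanged: size check against totalram_pages … */

#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
	if (!(pgprot_val(prot) & _PAGE_NX))
		vm_flags |= VM_KERNEXEC;
#endif

	area = __get_vm_area_node(size, align, vm_flags, VMALLOC_START,
				  VMALLOC_END, node, gfp_mask, caller);
```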
70696 @@ -1585,6 +1649,7 @@ static void *__vmalloc_node(unsigned lon
70697 return addr;
70698 }
70699
70700 +#undef __vmalloc
70701 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
70702 {
70703 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
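Review bot: The added `#undef __vmalloc` carries no comment, and the same bare `#undef` is added before vmalloc, vmalloc_user, vmalloc_node, vmalloc_exec, vmalloc_32 and vmalloc_32_user in the hunks that follow. Presumably a header elsewhere in the patch redefines these names as macros and the real symbols must be defined here, but that is not visible in this file section. A one-line comment on the first of them, such as `/* the header wraps this name in a macro; define the real function here */`, would stop a later cleanup from deleting the lines. In the vmalloc_exec hunk the new `__GFP_ZERO` also changes what callers get, and the kernel-doc comment above that function should say the returned memory is zeroed.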
70704 @@ -1601,6 +1666,7 @@ EXPORT_SYMBOL(__vmalloc);
70705 * For tight control over page level allocator and protection flags
70706 * use __vmalloc() instead.
70707 */
70708 +#undef vmalloc
70709 void *vmalloc(unsigned long size)
70710 {
70711 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
70712 @@ -1615,6 +1681,7 @@ EXPORT_SYMBOL(vmalloc);
70713 * The resulting memory area is zeroed so it can be mapped to userspace
70714 * without leaking data.
70715 */
70716 +#undef vmalloc_user
70717 void *vmalloc_user(unsigned long size)
70718 {
70719 struct vm_struct *area;
70720 @@ -1642,6 +1709,7 @@ EXPORT_SYMBOL(vmalloc_user);
70721 * For tight control over page level allocator and protection flags
70722 * use __vmalloc() instead.
70723 */
70724 +#undef vmalloc_node
70725 void *vmalloc_node(unsigned long size, int node)
70726 {
70727 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
70728 @@ -1664,10 +1732,10 @@ EXPORT_SYMBOL(vmalloc_node);
70729 * For tight control over page level allocator and protection flags
70730 * use __vmalloc() instead.
70731 */
70732 -
70733 +#undef vmalloc_exec
70734 void *vmalloc_exec(unsigned long size)
70735 {
70736 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
70737 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
70738 -1, __builtin_return_address(0));
70739 }
70740
70741 @@ -1686,6 +1754,7 @@ void *vmalloc_exec(unsigned long size)
70742 * Allocate enough 32bit PA addressable pages to cover @size from the
70743 * page level allocator and map them into contiguous kernel virtual space.
70744 */
70745 +#undef vmalloc_32
70746 void *vmalloc_32(unsigned long size)
70747 {
70748 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
70749 @@ -1700,6 +1769,7 @@ EXPORT_SYMBOL(vmalloc_32);
70750 * The resulting memory area is 32bit addressable and zeroed so it can be
70751 * mapped to userspace without leaking data.
70752 */
70753 +#undef vmalloc_32_user
70754 void *vmalloc_32_user(unsigned long size)
70755 {
70756 struct vm_struct *area;
70757 @@ -1964,6 +2034,8 @@ int remap_vmalloc_range(struct vm_area_s
70758 unsigned long uaddr = vma->vm_start;
70759 unsigned long usize = vma->vm_end - vma->vm_start;
70760
70761 + BUG_ON(vma->vm_mirror);
70762 +
70763 if ((PAGE_SIZE-1) & (unsigned long)addr)
70764 return -EINVAL;
70765
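Review bot: `BUG_ON(vma->vm_mirror)` halts the kernel for a condition the function could simply refuse, and the very next statement already returns `-EINVAL` for a bad argument. If a mirrored vma can reach remap_vmalloc_range from a driver's mmap handler (not visible in this hunk), rejecting the request is the less disruptive response: `if (WARN_ON_ONCE(vma->vm_mirror)) return -EINVAL;`. If the crash is intended as a hardening measure, a comment saying so would keep it from being softened later. The function starts and ends outside the hunk.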
70766 diff -urNp linux-2.6.32.43/mm/vmstat.c linux-2.6.32.43/mm/vmstat.c
70767 --- linux-2.6.32.43/mm/vmstat.c 2011-03-27 14:31:47.000000000 -0400
70768 +++ linux-2.6.32.43/mm/vmstat.c 2011-04-17 15:56:46.000000000 -0400
70769 @@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
70770 *
70771 * vm_stat contains the global counters
70772 */
70773 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
70774 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
70775 EXPORT_SYMBOL(vm_stat);
70776
70777 #ifdef CONFIG_SMP
70778 @@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
70779 v = p->vm_stat_diff[i];
70780 p->vm_stat_diff[i] = 0;
70781 local_irq_restore(flags);
70782 - atomic_long_add(v, &zone->vm_stat[i]);
70783 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
70784 global_diff[i] += v;
70785 #ifdef CONFIG_NUMA
70786 /* 3 seconds idle till flush */
70787 @@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
70788
70789 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
70790 if (global_diff[i])
70791 - atomic_long_add(global_diff[i], &vm_stat[i]);
70792 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
70793 }
70794
70795 #endif
70796 @@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
70797 start_cpu_timer(cpu);
70798 #endif
70799 #ifdef CONFIG_PROC_FS
70800 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
70801 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
70802 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
70803 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
70804 + {
70805 + mode_t gr_mode = S_IRUGO;
70806 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
70807 + gr_mode = S_IRUSR;
70808 +#endif
70809 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
70810 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
70811 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
70812 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
70813 +#else
70814 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
70815 +#endif
70816 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
70817 + }
70818 #endif
70819 return 0;
70820 }
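Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP only `vmstat` gets `S_IRGRP`, while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay at `gr_mode`, and nothing in the block says the difference is intended. A comment such as `/* with PROC_ADD these entries are owner-read only; vmstat additionally stays group-readable */` would record it. The two `proc_create("vmstat", …)` calls differ only in the mode argument, so the `#ifdef` can wrap a single `gr_vmstat_mode |= S_IRGRP;` instead of duplicating the call. When CONFIG_GRKERNSEC_PROC_ADD is off, `gr_mode` is still S_IRUGO and the extra bit changes nothing.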
70821 diff -urNp linux-2.6.32.43/net/8021q/vlan.c linux-2.6.32.43/net/8021q/vlan.c
70822 --- linux-2.6.32.43/net/8021q/vlan.c 2011-03-27 14:31:47.000000000 -0400
70823 +++ linux-2.6.32.43/net/8021q/vlan.c 2011-04-17 15:56:46.000000000 -0400
70824 @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
70825 err = -EPERM;
70826 if (!capable(CAP_NET_ADMIN))
70827 break;
70828 - if ((args.u.name_type >= 0) &&
70829 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
70830 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
70831 struct vlan_net *vn;
70832
70833 vn = net_generic(net, vlan_net_id);
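Review bot: Dropping `args.u.name_type >= 0` is only safe if `name_type` is an unsigned field, because with a signed field a negative value would now pass the remaining upper-bound test. The declaration is outside this hunk, so that should be confirmed against the ioctl argument structure. If it is unsigned, a comment such as `/* name_type is unsigned: only the upper bound needs checking */` keeps the lower bound from looking forgotten. The enclosing switch in vlan_ioctl_handler starts and ends outside the hunk.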
70834 diff -urNp linux-2.6.32.43/net/atm/atm_misc.c linux-2.6.32.43/net/atm/atm_misc.c
70835 --- linux-2.6.32.43/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
70836 +++ linux-2.6.32.43/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
70837 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
70838 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
70839 return 1;
70840 atm_return(vcc,truesize);
70841 - atomic_inc(&vcc->stats->rx_drop);
70842 + atomic_inc_unchecked(&vcc->stats->rx_drop);
70843 return 0;
70844 }
70845
70846 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
70847 }
70848 }
70849 atm_return(vcc,guess);
70850 - atomic_inc(&vcc->stats->rx_drop);
70851 + atomic_inc_unchecked(&vcc->stats->rx_drop);
70852 return NULL;
70853 }
70854
70855 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
70856
70857 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
70858 {
70859 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
70860 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
70861 __SONET_ITEMS
70862 #undef __HANDLE_ITEM
70863 }
70864 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
70865
70866 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
70867 {
70868 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
70869 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
70870 __SONET_ITEMS
70871 #undef __HANDLE_ITEM
70872 }
70873 diff -urNp linux-2.6.32.43/net/atm/lec.h linux-2.6.32.43/net/atm/lec.h
70874 --- linux-2.6.32.43/net/atm/lec.h 2011-03-27 14:31:47.000000000 -0400
70875 +++ linux-2.6.32.43/net/atm/lec.h 2011-08-05 20:33:55.000000000 -0400
70876 @@ -48,7 +48,7 @@ struct lane2_ops {
70877 const u8 *tlvs, u32 sizeoftlvs);
70878 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
70879 const u8 *tlvs, u32 sizeoftlvs);
70880 -};
70881 +} __no_const;
70882
70883 /*
70884 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
70885 diff -urNp linux-2.6.32.43/net/atm/mpc.c linux-2.6.32.43/net/atm/mpc.c
70886 --- linux-2.6.32.43/net/atm/mpc.c 2011-03-27 14:31:47.000000000 -0400
70887 +++ linux-2.6.32.43/net/atm/mpc.c 2011-08-05 20:33:55.000000000 -0400
70888 @@ -291,8 +291,8 @@ static void start_mpc(struct mpoa_client
70889 printk("mpoa: (%s) start_mpc not starting\n", dev->name);
70890 else {
70891 mpc->old_ops = dev->netdev_ops;
70892 - mpc->new_ops = *mpc->old_ops;
70893 - mpc->new_ops.ndo_start_xmit = mpc_send_packet;
70894 + memcpy((void *)&mpc->new_ops, mpc->old_ops, sizeof(mpc->new_ops));
70895 + *(void **)&mpc->new_ops.ndo_start_xmit = mpc_send_packet;
70896 dev->netdev_ops = &mpc->new_ops;
70897 }
70898 }
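Review bot: Both new lines in start_mpc go through `void *` casts, so the compiler no longer checks that `mpc_send_packet` has the type of `ndo_start_xmit`, or that `*mpc->old_ops` and `mpc->new_ops` are the same structure type. Presumably the casts are there because the ops structure is const-qualified elsewhere in the patch; that is not visible here and should be stated next to the code. A suitable comment would be `/* new_ops is const-qualified; the casts write through it on purpose, so keep mpc_send_packet's prototype in sync with ndo_start_xmit by hand */`. The function starts outside the hunk.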
70899 diff -urNp linux-2.6.32.43/net/atm/mpoa_caches.c linux-2.6.32.43/net/atm/mpoa_caches.c
70900 --- linux-2.6.32.43/net/atm/mpoa_caches.c 2011-03-27 14:31:47.000000000 -0400
70901 +++ linux-2.6.32.43/net/atm/mpoa_caches.c 2011-05-16 21:46:57.000000000 -0400
70902 @@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
70903 struct timeval now;
70904 struct k_message msg;
70905
70906 + pax_track_stack();
70907 +
70908 do_gettimeofday(&now);
70909
70910 write_lock_irq(&client->egress_lock);
70911 diff -urNp linux-2.6.32.43/net/atm/proc.c linux-2.6.32.43/net/atm/proc.c
70912 --- linux-2.6.32.43/net/atm/proc.c 2011-03-27 14:31:47.000000000 -0400
70913 +++ linux-2.6.32.43/net/atm/proc.c 2011-04-17 15:56:46.000000000 -0400
70914 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
70915 const struct k_atm_aal_stats *stats)
70916 {
70917 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
70918 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
70919 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
70920 - atomic_read(&stats->rx_drop));
70921 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
70922 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
70923 + atomic_read_unchecked(&stats->rx_drop));
70924 }
70925
70926 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
70927 @@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
70928 {
70929 struct sock *sk = sk_atm(vcc);
70930
70931 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70932 + seq_printf(seq, "%p ", NULL);
70933 +#else
70934 seq_printf(seq, "%p ", vcc);
70935 +#endif
70936 +
70937 if (!vcc->dev)
70938 seq_printf(seq, "Unassigned ");
70939 else
70940 @@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
70941 {
70942 if (!vcc->dev)
70943 seq_printf(seq, sizeof(void *) == 4 ?
70944 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70945 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
70946 +#else
70947 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
70948 +#endif
70949 else
70950 seq_printf(seq, "%3d %3d %5d ",
70951 vcc->dev->number, vcc->vpi, vcc->vci);
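Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` in svc_info sits inside the `seq_printf` argument list, so the format strings and the closing parenthesis are written twice. The construct would also stop being valid C if `seq_printf` were ever a macro, since directives inside macro arguments are undefined. Choosing the printed pointer once keeps a single call: declare `const void *shown` at the top of the function, set it to `NULL` or `vcc` under the `#ifdef`, and pass `shown` in place of `vcc`. The same variable would remove the duplicated `seq_printf` in the vcc_info hunk just above. svc_info starts before and continues after this hunk.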
70952 diff -urNp linux-2.6.32.43/net/atm/resources.c linux-2.6.32.43/net/atm/resources.c
70953 --- linux-2.6.32.43/net/atm/resources.c 2011-03-27 14:31:47.000000000 -0400
70954 +++ linux-2.6.32.43/net/atm/resources.c 2011-04-17 15:56:46.000000000 -0400
70955 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
70956 static void copy_aal_stats(struct k_atm_aal_stats *from,
70957 struct atm_aal_stats *to)
70958 {
70959 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
70960 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
70961 __AAL_STAT_ITEMS
70962 #undef __HANDLE_ITEM
70963 }
70964 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
70965 static void subtract_aal_stats(struct k_atm_aal_stats *from,
70966 struct atm_aal_stats *to)
70967 {
70968 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
70969 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
70970 __AAL_STAT_ITEMS
70971 #undef __HANDLE_ITEM
70972 }
70973 diff -urNp linux-2.6.32.43/net/bluetooth/l2cap.c linux-2.6.32.43/net/bluetooth/l2cap.c
70974 --- linux-2.6.32.43/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
70975 +++ linux-2.6.32.43/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
70976 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
70977 err = -ENOTCONN;
70978 break;
70979 }
70980 -
70981 + memset(&cinfo, 0, sizeof(cinfo));
70982 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
70983 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
70984
70985 @@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
70986
70987 /* Reject if config buffer is too small. */
70988 len = cmd_len - sizeof(*req);
70989 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
70990 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
70991 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
70992 l2cap_build_conf_rsp(sk, rsp,
70993 L2CAP_CONF_REJECT, flags), rsp);
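Review bot: The comment above the test still reads "Reject if config buffer is too small", but the condition now also rejects a command shorter than the request header (`len < 0`), and both cases answer with L2CAP_CONF_REJECT. Update it to something like `/* Reject if the command is shorter than its header or the config buffer is too small. */`. The new test only works if `len` has a signed type, since with an unsigned `len` the comparison `len < 0` is always false. Its declaration is outside the hunk, so that is worth confirming.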
70994 diff -urNp linux-2.6.32.43/net/bluetooth/rfcomm/sock.c linux-2.6.32.43/net/bluetooth/rfcomm/sock.c
70995 --- linux-2.6.32.43/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
70996 +++ linux-2.6.32.43/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
70997 @@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
70998
70999 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
71000
71001 + memset(&cinfo, 0, sizeof(cinfo));
71002 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
71003 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
71004
71005 diff -urNp linux-2.6.32.43/net/bridge/br_private.h linux-2.6.32.43/net/bridge/br_private.h
71006 --- linux-2.6.32.43/net/bridge/br_private.h 2011-03-27 14:31:47.000000000 -0400
71007 +++ linux-2.6.32.43/net/bridge/br_private.h 2011-04-17 15:56:46.000000000 -0400
71008 @@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
71009
71010 #ifdef CONFIG_SYSFS
71011 /* br_sysfs_if.c */
71012 -extern struct sysfs_ops brport_sysfs_ops;
71013 +extern const struct sysfs_ops brport_sysfs_ops;
71014 extern int br_sysfs_addif(struct net_bridge_port *p);
71015
71016 /* br_sysfs_br.c */
71017 diff -urNp linux-2.6.32.43/net/bridge/br_stp_if.c linux-2.6.32.43/net/bridge/br_stp_if.c
71018 --- linux-2.6.32.43/net/bridge/br_stp_if.c 2011-03-27 14:31:47.000000000 -0400
71019 +++ linux-2.6.32.43/net/bridge/br_stp_if.c 2011-04-17 15:56:46.000000000 -0400
71020 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
71021 char *envp[] = { NULL };
71022
71023 if (br->stp_enabled == BR_USER_STP) {
71024 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
71025 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
71026 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
71027 br->dev->name, r);
71028
71029 diff -urNp linux-2.6.32.43/net/bridge/br_sysfs_if.c linux-2.6.32.43/net/bridge/br_sysfs_if.c
71030 --- linux-2.6.32.43/net/bridge/br_sysfs_if.c 2011-03-27 14:31:47.000000000 -0400
71031 +++ linux-2.6.32.43/net/bridge/br_sysfs_if.c 2011-04-17 15:56:46.000000000 -0400
71032 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
71033 return ret;
71034 }
71035
71036 -struct sysfs_ops brport_sysfs_ops = {
71037 +const struct sysfs_ops brport_sysfs_ops = {
71038 .show = brport_show,
71039 .store = brport_store,
71040 };
71041 diff -urNp linux-2.6.32.43/net/bridge/netfilter/ebtables.c linux-2.6.32.43/net/bridge/netfilter/ebtables.c
71042 --- linux-2.6.32.43/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:52.000000000 -0400
71043 +++ linux-2.6.32.43/net/bridge/netfilter/ebtables.c 2011-05-16 21:46:57.000000000 -0400
71044 @@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
71045 unsigned int entries_size, nentries;
71046 char *entries;
71047
71048 + pax_track_stack();
71049 +
71050 if (cmd == EBT_SO_GET_ENTRIES) {
71051 entries_size = t->private->entries_size;
71052 nentries = t->private->nentries;
71053 diff -urNp linux-2.6.32.43/net/can/bcm.c linux-2.6.32.43/net/can/bcm.c
71054 --- linux-2.6.32.43/net/can/bcm.c 2011-05-10 22:12:01.000000000 -0400
71055 +++ linux-2.6.32.43/net/can/bcm.c 2011-05-10 22:12:34.000000000 -0400
71056 @@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
71057 struct bcm_sock *bo = bcm_sk(sk);
71058 struct bcm_op *op;
71059
71060 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71061 + seq_printf(m, ">>> socket %p", NULL);
71062 + seq_printf(m, " / sk %p", NULL);
71063 + seq_printf(m, " / bo %p", NULL);
71064 +#else
71065 seq_printf(m, ">>> socket %p", sk->sk_socket);
71066 seq_printf(m, " / sk %p", sk);
71067 seq_printf(m, " / bo %p", bo);
71068 +#endif
71069 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
71070 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
71071 seq_printf(m, " <<<\n");
71072 diff -urNp linux-2.6.32.43/net/core/dev.c linux-2.6.32.43/net/core/dev.c
71073 --- linux-2.6.32.43/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
71074 +++ linux-2.6.32.43/net/core/dev.c 2011-08-05 20:33:55.000000000 -0400
71075 @@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
71076 if (no_module && capable(CAP_NET_ADMIN))
71077 no_module = request_module("netdev-%s", name);
71078 if (no_module && capable(CAP_SYS_MODULE)) {
71079 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
71080 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
71081 +#else
71082 if (!request_module("%s", name))
71083 pr_err("Loading kernel module for a network device "
71084 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
71085 "instead\n", name);
71086 +#endif
71087 }
71088 }
71089 EXPORT_SYMBOL(dev_load);
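Review bot: Under CONFIG_GRKERNSEC_MODHARDEN the result of `___request_module(true, "grsec_modharden_netdev", "%s", name)` is discarded. That branch therefore never prints the CAP_SYS_MODULE deprecation message that the `#else` branch still emits after a successful load. If that is intended, say so with a comment such as `/* result deliberately ignored under MODHARDEN */`. Otherwise keep the message by testing the return value the same way the `#else` branch does. The start of dev_load is outside the hunk.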
71090 @@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
71091
71092 struct dev_gso_cb {
71093 void (*destructor)(struct sk_buff *skb);
71094 -};
71095 +} __no_const;
71096
71097 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
71098
71099 @@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
71100 }
71101 EXPORT_SYMBOL(netif_rx_ni);
71102
71103 -static void net_tx_action(struct softirq_action *h)
71104 +static void net_tx_action(void)
71105 {
71106 struct softnet_data *sd = &__get_cpu_var(softnet_data);
71107
71108 @@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
71109 EXPORT_SYMBOL(netif_napi_del);
71110
71111
71112 -static void net_rx_action(struct softirq_action *h)
71113 +static void net_rx_action(void)
71114 {
71115 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
71116 unsigned long time_limit = jiffies + 2;
71117 diff -urNp linux-2.6.32.43/net/core/flow.c linux-2.6.32.43/net/core/flow.c
71118 --- linux-2.6.32.43/net/core/flow.c 2011-03-27 14:31:47.000000000 -0400
71119 +++ linux-2.6.32.43/net/core/flow.c 2011-05-04 17:56:20.000000000 -0400
71120 @@ -35,11 +35,11 @@ struct flow_cache_entry {
71121 atomic_t *object_ref;
71122 };
71123
71124 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
71125 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
71126
71127 static u32 flow_hash_shift;
71128 #define flow_hash_size (1 << flow_hash_shift)
71129 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
71130 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
71131
71132 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
71133
71134 @@ -52,7 +52,7 @@ struct flow_percpu_info {
71135 u32 hash_rnd;
71136 int count;
71137 };
71138 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
71139 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
71140
71141 #define flow_hash_rnd_recalc(cpu) \
71142 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
71143 @@ -69,7 +69,7 @@ struct flow_flush_info {
71144 atomic_t cpuleft;
71145 struct completion completion;
71146 };
71147 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
71148 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
71149
71150 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
71151
71152 @@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
71153 if (fle->family == family &&
71154 fle->dir == dir &&
71155 flow_key_compare(key, &fle->key) == 0) {
71156 - if (fle->genid == atomic_read(&flow_cache_genid)) {
71157 + if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
71158 void *ret = fle->object;
71159
71160 if (ret)
71161 @@ -228,7 +228,7 @@ nocache:
71162 err = resolver(net, key, family, dir, &obj, &obj_ref);
71163
71164 if (fle && !err) {
71165 - fle->genid = atomic_read(&flow_cache_genid);
71166 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
71167
71168 if (fle->object)
71169 atomic_dec(fle->object_ref);
71170 @@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
71171
71172 fle = flow_table(cpu)[i];
71173 for (; fle; fle = fle->next) {
71174 - unsigned genid = atomic_read(&flow_cache_genid);
71175 + unsigned genid = atomic_read_unchecked(&flow_cache_genid);
71176
71177 if (!fle->object || fle->genid == genid)
71178 continue;
71179 diff -urNp linux-2.6.32.43/net/core/rtnetlink.c linux-2.6.32.43/net/core/rtnetlink.c
71180 --- linux-2.6.32.43/net/core/rtnetlink.c 2011-03-27 14:31:47.000000000 -0400
71181 +++ linux-2.6.32.43/net/core/rtnetlink.c 2011-08-05 20:33:55.000000000 -0400
71182 @@ -57,7 +57,7 @@ struct rtnl_link
71183 {
71184 rtnl_doit_func doit;
71185 rtnl_dumpit_func dumpit;
71186 -};
71187 +} __no_const;
71188
71189 static DEFINE_MUTEX(rtnl_mutex);
71190
71191 diff -urNp linux-2.6.32.43/net/core/skbuff.c linux-2.6.32.43/net/core/skbuff.c
71192 --- linux-2.6.32.43/net/core/skbuff.c 2011-03-27 14:31:47.000000000 -0400
71193 +++ linux-2.6.32.43/net/core/skbuff.c 2011-05-16 21:46:57.000000000 -0400
71194 @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
71195 struct sk_buff *frag_iter;
71196 struct sock *sk = skb->sk;
71197
71198 + pax_track_stack();
71199 +
71200 /*
71201 * __skb_splice_bits() only fails if the output has no room left,
71202 * so no point in going over the frag_list for the error case.
71203 diff -urNp linux-2.6.32.43/net/core/sock.c linux-2.6.32.43/net/core/sock.c
71204 --- linux-2.6.32.43/net/core/sock.c 2011-03-27 14:31:47.000000000 -0400
71205 +++ linux-2.6.32.43/net/core/sock.c 2011-05-04 17:56:20.000000000 -0400
71206 @@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
71207 break;
71208
71209 case SO_PEERCRED:
71210 + {
71211 + struct ucred peercred;
71212 if (len > sizeof(sk->sk_peercred))
71213 len = sizeof(sk->sk_peercred);
71214 - if (copy_to_user(optval, &sk->sk_peercred, len))
71215 + peercred = sk->sk_peercred;
71216 + if (copy_to_user(optval, &peercred, len))
71217 return -EFAULT;
71218 goto lenout;
71219 + }
71220
71221 case SO_PEERNAME:
71222 {
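Review bot: The new local `peercred` has no comment explaining why `sk->sk_peercred` is no longer handed to `copy_to_user` directly, so it reads like a redundant copy that a later cleanup could remove. Presumably it is a bounce buffer, so that the user copy reads from the stack rather than from inside the socket object. A comment such as `/* copy out via a stack buffer, not from inside struct sock */` would record that. raw_seticmpfilter in net/ipv4/raw.c gains the same kind of stack copy, also without a comment. The enclosing switch in sock_getsockopt starts and ends outside the hunk.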
71223 @@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
71224 */
71225 smp_wmb();
71226 atomic_set(&sk->sk_refcnt, 1);
71227 - atomic_set(&sk->sk_drops, 0);
71228 + atomic_set_unchecked(&sk->sk_drops, 0);
71229 }
71230 EXPORT_SYMBOL(sock_init_data);
71231
71232 diff -urNp linux-2.6.32.43/net/decnet/sysctl_net_decnet.c linux-2.6.32.43/net/decnet/sysctl_net_decnet.c
71233 --- linux-2.6.32.43/net/decnet/sysctl_net_decnet.c 2011-03-27 14:31:47.000000000 -0400
71234 +++ linux-2.6.32.43/net/decnet/sysctl_net_decnet.c 2011-04-17 15:56:46.000000000 -0400
71235 @@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
71236
71237 if (len > *lenp) len = *lenp;
71238
71239 - if (copy_to_user(buffer, addr, len))
71240 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
71241 return -EFAULT;
71242
71243 *lenp = len;
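Review bot: `len > sizeof addr` bounds the copy only if `addr` is an array in this scope; if it were a pointer, `sizeof` would yield the pointer size rather than the buffer size. The declaration is outside the hunk, so confirm it. The same applies to `sizeof devname` in the dn_def_dev_handler hunk that follows. An oversized `len` here would come from kernel-side length handling rather than a bad user pointer, so folding it into the `-EFAULT` path hides the distinction; a short comment such as `/* defensive: len is derived from the formatted string above */` would at least explain why the check exists.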
71244 @@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
71245
71246 if (len > *lenp) len = *lenp;
71247
71248 - if (copy_to_user(buffer, devname, len))
71249 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
71250 return -EFAULT;
71251
71252 *lenp = len;
71253 diff -urNp linux-2.6.32.43/net/econet/Kconfig linux-2.6.32.43/net/econet/Kconfig
71254 --- linux-2.6.32.43/net/econet/Kconfig 2011-03-27 14:31:47.000000000 -0400
71255 +++ linux-2.6.32.43/net/econet/Kconfig 2011-04-17 15:56:46.000000000 -0400
71256 @@ -4,7 +4,7 @@
71257
71258 config ECONET
71259 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
71260 - depends on EXPERIMENTAL && INET
71261 + depends on EXPERIMENTAL && INET && BROKEN
71262 ---help---
71263 Econet is a fairly old and slow networking protocol mainly used by
71264 Acorn computers to access file and print servers. It uses native
71265 diff -urNp linux-2.6.32.43/net/ieee802154/dgram.c linux-2.6.32.43/net/ieee802154/dgram.c
71266 --- linux-2.6.32.43/net/ieee802154/dgram.c 2011-03-27 14:31:47.000000000 -0400
71267 +++ linux-2.6.32.43/net/ieee802154/dgram.c 2011-05-04 17:56:28.000000000 -0400
71268 @@ -318,7 +318,7 @@ out:
71269 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
71270 {
71271 if (sock_queue_rcv_skb(sk, skb) < 0) {
71272 - atomic_inc(&sk->sk_drops);
71273 + atomic_inc_unchecked(&sk->sk_drops);
71274 kfree_skb(skb);
71275 return NET_RX_DROP;
71276 }
71277 diff -urNp linux-2.6.32.43/net/ieee802154/raw.c linux-2.6.32.43/net/ieee802154/raw.c
71278 --- linux-2.6.32.43/net/ieee802154/raw.c 2011-03-27 14:31:47.000000000 -0400
71279 +++ linux-2.6.32.43/net/ieee802154/raw.c 2011-05-04 17:56:28.000000000 -0400
71280 @@ -206,7 +206,7 @@ out:
71281 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
71282 {
71283 if (sock_queue_rcv_skb(sk, skb) < 0) {
71284 - atomic_inc(&sk->sk_drops);
71285 + atomic_inc_unchecked(&sk->sk_drops);
71286 kfree_skb(skb);
71287 return NET_RX_DROP;
71288 }
71289 diff -urNp linux-2.6.32.43/net/ipv4/inet_diag.c linux-2.6.32.43/net/ipv4/inet_diag.c
71290 --- linux-2.6.32.43/net/ipv4/inet_diag.c 2011-07-13 17:23:04.000000000 -0400
71291 +++ linux-2.6.32.43/net/ipv4/inet_diag.c 2011-06-20 19:31:13.000000000 -0400
71292 @@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
71293 r->idiag_retrans = 0;
71294
71295 r->id.idiag_if = sk->sk_bound_dev_if;
71296 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71297 + r->id.idiag_cookie[0] = 0;
71298 + r->id.idiag_cookie[1] = 0;
71299 +#else
71300 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
71301 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
71302 +#endif
71303
71304 r->id.idiag_sport = inet->sport;
71305 r->id.idiag_dport = inet->dport;
71306 @@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
71307 r->idiag_family = tw->tw_family;
71308 r->idiag_retrans = 0;
71309 r->id.idiag_if = tw->tw_bound_dev_if;
71310 +
71311 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71312 + r->id.idiag_cookie[0] = 0;
71313 + r->id.idiag_cookie[1] = 0;
71314 +#else
71315 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
71316 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
71317 +#endif
71318 +
71319 r->id.idiag_sport = tw->tw_sport;
71320 r->id.idiag_dport = tw->tw_dport;
71321 r->id.idiag_src[0] = tw->tw_rcv_saddr;
71322 @@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
71323 if (sk == NULL)
71324 goto unlock;
71325
71326 +#ifndef CONFIG_GRKERNSEC_HIDESYM
71327 err = -ESTALE;
71328 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
71329 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
71330 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
71331 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
71332 goto out;
71333 +#endif
71334
71335 err = -ENOMEM;
71336 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
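Review bot: With CONFIG_GRKERNSEC_HIDESYM the cookie comparison in inet_diag_get_exact is compiled out entirely. A request that carries a cookie is then answered for whichever socket was found above, and `-ESTALE` is never returned. This follows from the fill functions in this file now writing 0 into `idiag_cookie`, but the hunk does not say so. A comment before the `#ifndef`, such as `/* HIDESYM reports zeroed cookies, so a cookie supplied by userspace cannot be checked against the socket address */`, would record it. The function starts and ends outside the hunk.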
71337 @@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
71338 r->idiag_retrans = req->retrans;
71339
71340 r->id.idiag_if = sk->sk_bound_dev_if;
71341 +
71342 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71343 + r->id.idiag_cookie[0] = 0;
71344 + r->id.idiag_cookie[1] = 0;
71345 +#else
71346 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
71347 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
71348 +#endif
71349
71350 tmo = req->expires - jiffies;
71351 if (tmo < 0)
71352 diff -urNp linux-2.6.32.43/net/ipv4/inet_hashtables.c linux-2.6.32.43/net/ipv4/inet_hashtables.c
71353 --- linux-2.6.32.43/net/ipv4/inet_hashtables.c 2011-03-27 14:31:47.000000000 -0400
71354 +++ linux-2.6.32.43/net/ipv4/inet_hashtables.c 2011-04-17 15:56:46.000000000 -0400
71355 @@ -18,11 +18,14 @@
71356 #include <linux/sched.h>
71357 #include <linux/slab.h>
71358 #include <linux/wait.h>
71359 +#include <linux/security.h>
71360
71361 #include <net/inet_connection_sock.h>
71362 #include <net/inet_hashtables.h>
71363 #include <net/ip.h>
71364
71365 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
71366 +
71367 /*
71368 * Allocate and initialize a new local port bind bucket.
71369 * The bindhash mutex for snum's hash chain must be held here.
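Review bot: `gr_update_task_in_ip_table` is declared with a bare `extern` prototype inside inet_hashtables.c, so the compiler cannot check it against the definition and the two can drift apart silently. The hunk already adds `#include <linux/security.h>`. If that header does not provide the prototype, move the prototype into a header shared by the defining file and this one, then drop the local `extern`. The call added in the next hunk is placed after `spin_unlock(&head->lock)`; if the function must not run with the bucket lock held, a one-line comment at the call site should say so.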
71370 @@ -490,6 +493,8 @@ ok:
71371 }
71372 spin_unlock(&head->lock);
71373
71374 + gr_update_task_in_ip_table(current, inet_sk(sk));
71375 +
71376 if (tw) {
71377 inet_twsk_deschedule(tw, death_row);
71378 inet_twsk_put(tw);
71379 diff -urNp linux-2.6.32.43/net/ipv4/inetpeer.c linux-2.6.32.43/net/ipv4/inetpeer.c
71380 --- linux-2.6.32.43/net/ipv4/inetpeer.c 2011-03-27 14:31:47.000000000 -0400
71381 +++ linux-2.6.32.43/net/ipv4/inetpeer.c 2011-05-16 21:46:57.000000000 -0400
71382 @@ -366,6 +366,8 @@ struct inet_peer *inet_getpeer(__be32 da
71383 struct inet_peer *p, *n;
71384 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
71385
71386 + pax_track_stack();
71387 +
71388 /* Look up for the address quickly. */
71389 read_lock_bh(&peer_pool_lock);
71390 p = lookup(daddr, NULL);
71391 @@ -389,7 +391,7 @@ struct inet_peer *inet_getpeer(__be32 da
71392 return NULL;
71393 n->v4daddr = daddr;
71394 atomic_set(&n->refcnt, 1);
71395 - atomic_set(&n->rid, 0);
71396 + atomic_set_unchecked(&n->rid, 0);
71397 n->ip_id_count = secure_ip_id(daddr);
71398 n->tcp_ts_stamp = 0;
71399
71400 diff -urNp linux-2.6.32.43/net/ipv4/ip_fragment.c linux-2.6.32.43/net/ipv4/ip_fragment.c
71401 --- linux-2.6.32.43/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
71402 +++ linux-2.6.32.43/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
71403 @@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
71404 return 0;
71405
71406 start = qp->rid;
71407 - end = atomic_inc_return(&peer->rid);
71408 + end = atomic_inc_return_unchecked(&peer->rid);
71409 qp->rid = end;
71410
71411 rc = qp->q.fragments && (end - start) > max;
71412 diff -urNp linux-2.6.32.43/net/ipv4/ip_sockglue.c linux-2.6.32.43/net/ipv4/ip_sockglue.c
71413 --- linux-2.6.32.43/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
71414 +++ linux-2.6.32.43/net/ipv4/ip_sockglue.c 2011-05-16 21:46:57.000000000 -0400
71415 @@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
71416 int val;
71417 int len;
71418
71419 + pax_track_stack();
71420 +
71421 if (level != SOL_IP)
71422 return -EOPNOTSUPP;
71423
71424 diff -urNp linux-2.6.32.43/net/ipv4/netfilter/arp_tables.c linux-2.6.32.43/net/ipv4/netfilter/arp_tables.c
71425 --- linux-2.6.32.43/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
71426 +++ linux-2.6.32.43/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
71427 @@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
71428 private = &tmp;
71429 }
71430 #endif
71431 + memset(&info, 0, sizeof(info));
71432 info.valid_hooks = t->valid_hooks;
71433 memcpy(info.hook_entry, private->hook_entry,
71434 sizeof(info.hook_entry));
71435 diff -urNp linux-2.6.32.43/net/ipv4/netfilter/ip_tables.c linux-2.6.32.43/net/ipv4/netfilter/ip_tables.c
71436 --- linux-2.6.32.43/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400
71437 +++ linux-2.6.32.43/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400
71438 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
71439 private = &tmp;
71440 }
71441 #endif
71442 + memset(&info, 0, sizeof(info));
71443 info.valid_hooks = t->valid_hooks;
71444 memcpy(info.hook_entry, private->hook_entry,
71445 sizeof(info.hook_entry));
71446 diff -urNp linux-2.6.32.43/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.43/net/ipv4/netfilter/nf_nat_snmp_basic.c
71447 --- linux-2.6.32.43/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-27 14:31:47.000000000 -0400
71448 +++ linux-2.6.32.43/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:56:46.000000000 -0400
71449 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
71450
71451 *len = 0;
71452
71453 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
71454 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
71455 if (*octets == NULL) {
71456 if (net_ratelimit())
71457 printk("OOM in bsalg (%d)\n", __LINE__);
71458 diff -urNp linux-2.6.32.43/net/ipv4/raw.c linux-2.6.32.43/net/ipv4/raw.c
71459 --- linux-2.6.32.43/net/ipv4/raw.c 2011-03-27 14:31:47.000000000 -0400
71460 +++ linux-2.6.32.43/net/ipv4/raw.c 2011-05-04 17:59:08.000000000 -0400
71461 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
71462 /* Charge it to the socket. */
71463
71464 if (sock_queue_rcv_skb(sk, skb) < 0) {
71465 - atomic_inc(&sk->sk_drops);
71466 + atomic_inc_unchecked(&sk->sk_drops);
71467 kfree_skb(skb);
71468 return NET_RX_DROP;
71469 }
71470 @@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
71471 int raw_rcv(struct sock *sk, struct sk_buff *skb)
71472 {
71473 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
71474 - atomic_inc(&sk->sk_drops);
71475 + atomic_inc_unchecked(&sk->sk_drops);
71476 kfree_skb(skb);
71477 return NET_RX_DROP;
71478 }
71479 @@ -724,15 +724,22 @@ static int raw_init(struct sock *sk)
71480
71481 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
71482 {
71483 + struct icmp_filter filter;
71484 +
71485 + if (optlen < 0)
71486 + return -EINVAL;
71487 if (optlen > sizeof(struct icmp_filter))
71488 optlen = sizeof(struct icmp_filter);
71489 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
71490 + if (copy_from_user(&filter, optval, optlen))
71491 return -EFAULT;
71492 + memcpy(&raw_sk(sk)->filter, &filter, optlen);
71493 +
71494 return 0;
71495 }
71496
71497 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
71498 {
71499 + struct icmp_filter filter;
71500 int len, ret = -EFAULT;
71501
71502 if (get_user(len, optlen))
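Review bot: The stack copy `struct icmp_filter filter;` in raw_seticmpfilter() and raw_geticmpfilter() has no comment explaining why the user copy no longer targets `raw_sk(sk)->filter` directly. Without one, the extra `memcpy()` looks like dead weight and invites a revert. If the intent is that user copies never read or write a field inside the socket object, say so above the declaration, for example `/* bounce through the stack: user copies must not touch the socket object directly */`. In the setter, the clamp `optlen > sizeof(struct icmp_filter)` is a signed/unsigned comparison that relies on the new `optlen < 0` check above it. The `memcpy(&filter, ..., len)` in the next hunk relies on a sign check of `len` that lies outside the visible lines. rawv6_seticmpfilter() and rawv6_geticmpfilter() follow the same pattern.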
71503 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
71504 if (len > sizeof(struct icmp_filter))
71505 len = sizeof(struct icmp_filter);
71506 ret = -EFAULT;
71507 + memcpy(&filter, &raw_sk(sk)->filter, len);
71508 if (put_user(len, optlen) ||
71509 - copy_to_user(optval, &raw_sk(sk)->filter, len))
71510 + copy_to_user(optval, &filter, len))
71511 goto out;
71512 ret = 0;
71513 out: return ret;
71514 @@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
71515 sk_wmem_alloc_get(sp),
71516 sk_rmem_alloc_get(sp),
71517 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
71518 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
71519 + atomic_read(&sp->sk_refcnt),
71520 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71521 + NULL,
71522 +#else
71523 + sp,
71524 +#endif
71525 + atomic_read_unchecked(&sp->sk_drops));
71526 }
71527
71528 static int raw_seq_show(struct seq_file *seq, void *v)
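Review bot: The five-line `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / pointer / `#endif` block is spliced into the middle of the seq_printf() argument list. The same block is repeated in get_openreq4, get_tcp4_sock, get_timewait4_sock, udp4_format_sock and the IPv6 counterparts. That leaves every call site hard to read and easy to get wrong, and the comma placement already differs between the `NULL,` and `NULL` variants. One helper macro defined once would reduce each site to a single argument. An illustrative form is `#define GR_HIDE_PTR(p) NULL` under the option and `#define GR_HIDE_PTR(p) (p)` otherwise.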
71529 diff -urNp linux-2.6.32.43/net/ipv4/route.c linux-2.6.32.43/net/ipv4/route.c
71530 --- linux-2.6.32.43/net/ipv4/route.c 2011-03-27 14:31:47.000000000 -0400
71531 +++ linux-2.6.32.43/net/ipv4/route.c 2011-05-04 17:56:28.000000000 -0400
71532 @@ -268,7 +268,7 @@ static inline unsigned int rt_hash(__be3
71533
71534 static inline int rt_genid(struct net *net)
71535 {
71536 - return atomic_read(&net->ipv4.rt_genid);
71537 + return atomic_read_unchecked(&net->ipv4.rt_genid);
71538 }
71539
71540 #ifdef CONFIG_PROC_FS
71541 @@ -888,7 +888,7 @@ static void rt_cache_invalidate(struct n
71542 unsigned char shuffle;
71543
71544 get_random_bytes(&shuffle, sizeof(shuffle));
71545 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
71546 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
71547 }
71548
71549 /*
71550 @@ -3356,7 +3356,7 @@ static __net_initdata struct pernet_oper
71551
71552 static __net_init int rt_secret_timer_init(struct net *net)
71553 {
71554 - atomic_set(&net->ipv4.rt_genid,
71555 + atomic_set_unchecked(&net->ipv4.rt_genid,
71556 (int) ((num_physpages ^ (num_physpages>>8)) ^
71557 (jiffies ^ (jiffies >> 7))));
71558
71559 diff -urNp linux-2.6.32.43/net/ipv4/tcp.c linux-2.6.32.43/net/ipv4/tcp.c
71560 --- linux-2.6.32.43/net/ipv4/tcp.c 2011-03-27 14:31:47.000000000 -0400
71561 +++ linux-2.6.32.43/net/ipv4/tcp.c 2011-05-16 21:46:57.000000000 -0400
71562 @@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
71563 int val;
71564 int err = 0;
71565
71566 + pax_track_stack();
71567 +
71568 /* This is a string value all the others are int's */
71569 if (optname == TCP_CONGESTION) {
71570 char name[TCP_CA_NAME_MAX];
71571 @@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
71572 struct tcp_sock *tp = tcp_sk(sk);
71573 int val, len;
71574
71575 + pax_track_stack();
71576 +
71577 if (get_user(len, optlen))
71578 return -EFAULT;
71579
71580 diff -urNp linux-2.6.32.43/net/ipv4/tcp_ipv4.c linux-2.6.32.43/net/ipv4/tcp_ipv4.c
71581 --- linux-2.6.32.43/net/ipv4/tcp_ipv4.c 2011-03-27 14:31:47.000000000 -0400
71582 +++ linux-2.6.32.43/net/ipv4/tcp_ipv4.c 2011-08-05 20:33:55.000000000 -0400
71583 @@ -84,6 +84,9 @@
71584 int sysctl_tcp_tw_reuse __read_mostly;
71585 int sysctl_tcp_low_latency __read_mostly;
71586
71587 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71588 +extern int grsec_enable_blackhole;
71589 +#endif
71590
71591 #ifdef CONFIG_TCP_MD5SIG
71592 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
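Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in tcp_minisocks.c, udp.c, net/ipv6/tcp_ipv6.c and net/ipv6/udp.c. tcp_timer.c does the same for `grsec_lastack_retries`, and udp.c for the two `gr_search_udp_*` prototypes. A file-local extern is never checked against the definition, so a later change of type would still compile and link. Declaring these once in a header that the defining file also includes lets the compiler catch a mismatch. The same header could provide `#define grsec_enable_blackhole 0` when the option is off, so call sites need no `#ifdef`.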
71593 @@ -1542,6 +1545,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
71594 return 0;
71595
71596 reset:
71597 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71598 + if (!grsec_enable_blackhole)
71599 +#endif
71600 tcp_v4_send_reset(rsk, skb);
71601 discard:
71602 kfree_skb(skb);
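Review bot: The `if (!grsec_enable_blackhole)` under `reset:` has no braces, and its body is the `tcp_v4_send_reset(rsk, skb);` line that follows the `#endif`. The guard therefore attaches to whatever statement comes next if a line is ever inserted there. The same construct appears in tcp_v4_rcv, in tcp_minisocks.c (where it wraps a second unbraced `if`), in __udp4_lib_rcv and in the IPv6 counterparts. A comment on the guarded call, e.g. `/* conditional on the blackhole check above when CONFIG_GRKERNSEC_BLACKHOLE is set */`, would at least flag the dependency. A predicate that evaluates to false when the option is off would allow an ordinary braced `if` with no preprocessor lines around it.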
71603 @@ -1603,12 +1609,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
71604 TCP_SKB_CB(skb)->sacked = 0;
71605
71606 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
71607 - if (!sk)
71608 + if (!sk) {
71609 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71610 + ret = 1;
71611 +#endif
71612 goto no_tcp_socket;
71613 + }
71614
71615 process:
71616 - if (sk->sk_state == TCP_TIME_WAIT)
71617 + if (sk->sk_state == TCP_TIME_WAIT) {
71618 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71619 + ret = 2;
71620 +#endif
71621 goto do_time_wait;
71622 + }
71623
71624 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
71625 goto discard_and_relse;
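Review bot: `ret` is reused here as a path tag with bare values `1` (no socket found) and `2` (TIME_WAIT), and nothing explains the meaning. The only reader in the visible hunks is `ret == 1` under `no_tcp_socket` in the next hunk. `ret = 2` appears to exist only so that `ret` is not 1 when that label is reached from the TIME_WAIT path. A dedicated local or a comment would make that explicit, for example `/* tag the path: only the no-socket case may still answer loopback peers with a RST */`. It would also guard against a later assignment to `ret` on either path changing the blackhole decision unnoticed. tcp_v6_rcv carries the same pattern, and the function body extends outside this hunk.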
71626 @@ -1650,6 +1664,10 @@ no_tcp_socket:
71627 bad_packet:
71628 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
71629 } else {
71630 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71631 + if (!grsec_enable_blackhole || (ret == 1 &&
71632 + (skb->dev->flags & IFF_LOOPBACK)))
71633 +#endif
71634 tcp_v4_send_reset(NULL, skb);
71635 }
71636
71637 @@ -2194,14 +2212,14 @@ int tcp_proc_register(struct net *net, s
71638 int rc = 0;
71639 struct proc_dir_entry *p;
71640
71641 - afinfo->seq_fops.open = tcp_seq_open;
71642 - afinfo->seq_fops.read = seq_read;
71643 - afinfo->seq_fops.llseek = seq_lseek;
71644 - afinfo->seq_fops.release = seq_release_net;
71645 -
71646 - afinfo->seq_ops.start = tcp_seq_start;
71647 - afinfo->seq_ops.next = tcp_seq_next;
71648 - afinfo->seq_ops.stop = tcp_seq_stop;
71649 + *(void **)&afinfo->seq_fops.open = tcp_seq_open;
71650 + *(void **)&afinfo->seq_fops.read = seq_read;
71651 + *(void **)&afinfo->seq_fops.llseek = seq_lseek;
71652 + *(void **)&afinfo->seq_fops.release = seq_release_net;
71653 +
71654 + *(void **)&afinfo->seq_ops.start = tcp_seq_start;
71655 + *(void **)&afinfo->seq_ops.next = tcp_seq_next;
71656 + *(void **)&afinfo->seq_ops.stop = tcp_seq_stop;
71657
71658 p = proc_create_data(afinfo->name, S_IRUGO, net->proc_net,
71659 &afinfo->seq_fops, afinfo);
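Review bot: Each assignment now goes through `*(void **)&afinfo->seq_fops.open = tcp_seq_open;`, which erases the function-pointer type. A handler with the wrong signature would compile without a warning, and the same eight lines are repeated in udp_proc_register. The casts presumably exist because the members are const-qualified elsewhere in this patch; that declaration is not in this hunk. If so, the code also depends on every `afinfo` object living in writable memory at this point, which deserves a comment above the block. A cast to the member's own pointer type rather than `void **` would keep the compiler's signature check in place.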
71660 @@ -2237,7 +2255,11 @@ static void get_openreq4(struct sock *sk
71661 0, /* non standard timer */
71662 0, /* open_requests have no inode */
71663 atomic_read(&sk->sk_refcnt),
71664 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71665 + NULL,
71666 +#else
71667 req,
71668 +#endif
71669 len);
71670 }
71671
71672 @@ -2279,7 +2301,12 @@ static void get_tcp4_sock(struct sock *s
71673 sock_i_uid(sk),
71674 icsk->icsk_probes_out,
71675 sock_i_ino(sk),
71676 - atomic_read(&sk->sk_refcnt), sk,
71677 + atomic_read(&sk->sk_refcnt),
71678 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71679 + NULL,
71680 +#else
71681 + sk,
71682 +#endif
71683 jiffies_to_clock_t(icsk->icsk_rto),
71684 jiffies_to_clock_t(icsk->icsk_ack.ato),
71685 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
71686 @@ -2307,7 +2334,13 @@ static void get_timewait4_sock(struct in
71687 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
71688 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
71689 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
71690 - atomic_read(&tw->tw_refcnt), tw, len);
71691 + atomic_read(&tw->tw_refcnt),
71692 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71693 + NULL,
71694 +#else
71695 + tw,
71696 +#endif
71697 + len);
71698 }
71699
71700 #define TMPSZ 150
71701 diff -urNp linux-2.6.32.43/net/ipv4/tcp_minisocks.c linux-2.6.32.43/net/ipv4/tcp_minisocks.c
71702 --- linux-2.6.32.43/net/ipv4/tcp_minisocks.c 2011-03-27 14:31:47.000000000 -0400
71703 +++ linux-2.6.32.43/net/ipv4/tcp_minisocks.c 2011-04-17 15:56:46.000000000 -0400
71704 @@ -26,6 +26,10 @@
71705 #include <net/inet_common.h>
71706 #include <net/xfrm.h>
71707
71708 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71709 +extern int grsec_enable_blackhole;
71710 +#endif
71711 +
71712 #ifdef CONFIG_SYSCTL
71713 #define SYNC_INIT 0 /* let the user enable it */
71714 #else
71715 @@ -672,6 +676,10 @@ listen_overflow:
71716
71717 embryonic_reset:
71718 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
71719 +
71720 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71721 + if (!grsec_enable_blackhole)
71722 +#endif
71723 if (!(flg & TCP_FLAG_RST))
71724 req->rsk_ops->send_reset(sk, skb);
71725
71726 diff -urNp linux-2.6.32.43/net/ipv4/tcp_output.c linux-2.6.32.43/net/ipv4/tcp_output.c
71727 --- linux-2.6.32.43/net/ipv4/tcp_output.c 2011-03-27 14:31:47.000000000 -0400
71728 +++ linux-2.6.32.43/net/ipv4/tcp_output.c 2011-05-16 21:46:57.000000000 -0400
71729 @@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
71730 __u8 *md5_hash_location;
71731 int mss;
71732
71733 + pax_track_stack();
71734 +
71735 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
71736 if (skb == NULL)
71737 return NULL;
71738 diff -urNp linux-2.6.32.43/net/ipv4/tcp_probe.c linux-2.6.32.43/net/ipv4/tcp_probe.c
71739 --- linux-2.6.32.43/net/ipv4/tcp_probe.c 2011-03-27 14:31:47.000000000 -0400
71740 +++ linux-2.6.32.43/net/ipv4/tcp_probe.c 2011-04-17 15:56:46.000000000 -0400
71741 @@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
71742 if (cnt + width >= len)
71743 break;
71744
71745 - if (copy_to_user(buf + cnt, tbuf, width))
71746 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
71747 return -EFAULT;
71748 cnt += width;
71749 }
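Review bot: An oversized `width` is reported with `-EFAULT`, the same code as a failed `copy_to_user()`, so the caller cannot tell a kernel-side formatting overrun from its own bad buffer. `width > sizeof tbuf` indicates an internal bug rather than a user error, so it is better handled separately and loudly, e.g. `if (WARN_ON_ONCE(width > sizeof tbuf)) return -EIO;` ahead of the copy. The declaration of `width` is outside the hunk. If it is a signed int, the comparison only rejects negative values through the implicit conversion to `size_t`, which is worth a short comment.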
71750 diff -urNp linux-2.6.32.43/net/ipv4/tcp_timer.c linux-2.6.32.43/net/ipv4/tcp_timer.c
71751 --- linux-2.6.32.43/net/ipv4/tcp_timer.c 2011-03-27 14:31:47.000000000 -0400
71752 +++ linux-2.6.32.43/net/ipv4/tcp_timer.c 2011-04-17 15:56:46.000000000 -0400
71753 @@ -21,6 +21,10 @@
71754 #include <linux/module.h>
71755 #include <net/tcp.h>
71756
71757 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71758 +extern int grsec_lastack_retries;
71759 +#endif
71760 +
71761 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
71762 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
71763 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
71764 @@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
71765 }
71766 }
71767
71768 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71769 + if ((sk->sk_state == TCP_LAST_ACK) &&
71770 + (grsec_lastack_retries > 0) &&
71771 + (grsec_lastack_retries < retry_until))
71772 + retry_until = grsec_lastack_retries;
71773 +#endif
71774 +
71775 if (retransmits_timed_out(sk, retry_until)) {
71776 /* Has it gone just too far? */
71777 tcp_write_err(sk);
71778 diff -urNp linux-2.6.32.43/net/ipv4/udp.c linux-2.6.32.43/net/ipv4/udp.c
71779 --- linux-2.6.32.43/net/ipv4/udp.c 2011-07-13 17:23:04.000000000 -0400
71780 +++ linux-2.6.32.43/net/ipv4/udp.c 2011-08-05 20:33:55.000000000 -0400
71781 @@ -86,6 +86,7 @@
71782 #include <linux/types.h>
71783 #include <linux/fcntl.h>
71784 #include <linux/module.h>
71785 +#include <linux/security.h>
71786 #include <linux/socket.h>
71787 #include <linux/sockios.h>
71788 #include <linux/igmp.h>
71789 @@ -106,6 +107,10 @@
71790 #include <net/xfrm.h>
71791 #include "udp_impl.h"
71792
71793 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71794 +extern int grsec_enable_blackhole;
71795 +#endif
71796 +
71797 struct udp_table udp_table;
71798 EXPORT_SYMBOL(udp_table);
71799
71800 @@ -371,6 +376,9 @@ found:
71801 return s;
71802 }
71803
71804 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
71805 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
71806 +
71807 /*
71808 * This routine is called by the ICMP module when it gets some
71809 * sort of error condition. If err < 0 then the socket should
71810 @@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
71811 dport = usin->sin_port;
71812 if (dport == 0)
71813 return -EINVAL;
71814 +
71815 + err = gr_search_udp_sendmsg(sk, usin);
71816 + if (err)
71817 + return err;
71818 } else {
71819 if (sk->sk_state != TCP_ESTABLISHED)
71820 return -EDESTADDRREQ;
71821 +
71822 + err = gr_search_udp_sendmsg(sk, NULL);
71823 + if (err)
71824 + return err;
71825 +
71826 daddr = inet->daddr;
71827 dport = inet->dport;
71828 /* Open fast path for connected socket.
71829 @@ -945,6 +962,10 @@ try_again:
71830 if (!skb)
71831 goto out;
71832
71833 + err = gr_search_udp_recvmsg(sk, skb);
71834 + if (err)
71835 + goto out_free;
71836 +
71837 ulen = skb->len - sizeof(struct udphdr);
71838 copied = len;
71839 if (copied > ulen)
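Review bot: A datagram rejected by `gr_search_udp_recvmsg()` ends the call through `goto out_free` rather than being dropped and the next one tried, even though the check sits directly under `try_again:`. What `out_free` does is outside the hunk. If it releases the skb and returns `err`, the receiving application gets a failed receive caused by traffic it was not allowed to see. With a peeking read, the rejected datagram may also remain at the head of the queue. Either discard the datagram, count the drop and loop back to `try_again`, or add a comment stating that surfacing the error to the caller is intended.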
71840 @@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
71841 if (rc == -ENOMEM) {
71842 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
71843 is_udplite);
71844 - atomic_inc(&sk->sk_drops);
71845 + atomic_inc_unchecked(&sk->sk_drops);
71846 }
71847 goto drop;
71848 }
71849 @@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
71850 goto csum_error;
71851
71852 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
71853 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
71854 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
71855 +#endif
71856 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
71857
71858 /*
71859 @@ -1719,14 +1743,14 @@ int udp_proc_register(struct net *net, s
71860 struct proc_dir_entry *p;
71861 int rc = 0;
71862
71863 - afinfo->seq_fops.open = udp_seq_open;
71864 - afinfo->seq_fops.read = seq_read;
71865 - afinfo->seq_fops.llseek = seq_lseek;
71866 - afinfo->seq_fops.release = seq_release_net;
71867 -
71868 - afinfo->seq_ops.start = udp_seq_start;
71869 - afinfo->seq_ops.next = udp_seq_next;
71870 - afinfo->seq_ops.stop = udp_seq_stop;
71871 + *(void **)&afinfo->seq_fops.open = udp_seq_open;
71872 + *(void **)&afinfo->seq_fops.read = seq_read;
71873 + *(void **)&afinfo->seq_fops.llseek = seq_lseek;
71874 + *(void **)&afinfo->seq_fops.release = seq_release_net;
71875 +
71876 + *(void **)&afinfo->seq_ops.start = udp_seq_start;
71877 + *(void **)&afinfo->seq_ops.next = udp_seq_next;
71878 + *(void **)&afinfo->seq_ops.stop = udp_seq_stop;
71879
71880 p = proc_create_data(afinfo->name, S_IRUGO, net->proc_net,
71881 &afinfo->seq_fops, afinfo);
71882 @@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
71883 sk_wmem_alloc_get(sp),
71884 sk_rmem_alloc_get(sp),
71885 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
71886 - atomic_read(&sp->sk_refcnt), sp,
71887 - atomic_read(&sp->sk_drops), len);
71888 + atomic_read(&sp->sk_refcnt),
71889 +#ifdef CONFIG_GRKERNSEC_HIDESYM
71890 + NULL,
71891 +#else
71892 + sp,
71893 +#endif
71894 + atomic_read_unchecked(&sp->sk_drops), len);
71895 }
71896
71897 int udp4_seq_show(struct seq_file *seq, void *v)
71898 diff -urNp linux-2.6.32.43/net/ipv6/inet6_connection_sock.c linux-2.6.32.43/net/ipv6/inet6_connection_sock.c
71899 --- linux-2.6.32.43/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
71900 +++ linux-2.6.32.43/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
71901 @@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
71902 #ifdef CONFIG_XFRM
71903 {
71904 struct rt6_info *rt = (struct rt6_info *)dst;
71905 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
71906 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
71907 }
71908 #endif
71909 }
71910 @@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
71911 #ifdef CONFIG_XFRM
71912 if (dst) {
71913 struct rt6_info *rt = (struct rt6_info *)dst;
71914 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
71915 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
71916 sk->sk_dst_cache = NULL;
71917 dst_release(dst);
71918 dst = NULL;
71919 diff -urNp linux-2.6.32.43/net/ipv6/inet6_hashtables.c linux-2.6.32.43/net/ipv6/inet6_hashtables.c
71920 --- linux-2.6.32.43/net/ipv6/inet6_hashtables.c 2011-03-27 14:31:47.000000000 -0400
71921 +++ linux-2.6.32.43/net/ipv6/inet6_hashtables.c 2011-05-04 17:56:28.000000000 -0400
71922 @@ -118,7 +118,7 @@ out:
71923 }
71924 EXPORT_SYMBOL(__inet6_lookup_established);
71925
71926 -static int inline compute_score(struct sock *sk, struct net *net,
71927 +static inline int compute_score(struct sock *sk, struct net *net,
71928 const unsigned short hnum,
71929 const struct in6_addr *daddr,
71930 const int dif)
71931 diff -urNp linux-2.6.32.43/net/ipv6/ipv6_sockglue.c linux-2.6.32.43/net/ipv6/ipv6_sockglue.c
71932 --- linux-2.6.32.43/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
71933 +++ linux-2.6.32.43/net/ipv6/ipv6_sockglue.c 2011-05-16 21:46:57.000000000 -0400
71934 @@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
71935 int val, valbool;
71936 int retv = -ENOPROTOOPT;
71937
71938 + pax_track_stack();
71939 +
71940 if (optval == NULL)
71941 val=0;
71942 else {
71943 @@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
71944 int len;
71945 int val;
71946
71947 + pax_track_stack();
71948 +
71949 if (ip6_mroute_opt(optname))
71950 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
71951
71952 diff -urNp linux-2.6.32.43/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.43/net/ipv6/netfilter/ip6_tables.c
71953 --- linux-2.6.32.43/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400
71954 +++ linux-2.6.32.43/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400
71955 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
71956 private = &tmp;
71957 }
71958 #endif
71959 + memset(&info, 0, sizeof(info));
71960 info.valid_hooks = t->valid_hooks;
71961 memcpy(info.hook_entry, private->hook_entry,
71962 sizeof(info.hook_entry));
71963 diff -urNp linux-2.6.32.43/net/ipv6/raw.c linux-2.6.32.43/net/ipv6/raw.c
71964 --- linux-2.6.32.43/net/ipv6/raw.c 2011-03-27 14:31:47.000000000 -0400
71965 +++ linux-2.6.32.43/net/ipv6/raw.c 2011-05-16 21:46:57.000000000 -0400
71966 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
71967 {
71968 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
71969 skb_checksum_complete(skb)) {
71970 - atomic_inc(&sk->sk_drops);
71971 + atomic_inc_unchecked(&sk->sk_drops);
71972 kfree_skb(skb);
71973 return NET_RX_DROP;
71974 }
71975
71976 /* Charge it to the socket. */
71977 if (sock_queue_rcv_skb(sk,skb)<0) {
71978 - atomic_inc(&sk->sk_drops);
71979 + atomic_inc_unchecked(&sk->sk_drops);
71980 kfree_skb(skb);
71981 return NET_RX_DROP;
71982 }
71983 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
71984 struct raw6_sock *rp = raw6_sk(sk);
71985
71986 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
71987 - atomic_inc(&sk->sk_drops);
71988 + atomic_inc_unchecked(&sk->sk_drops);
71989 kfree_skb(skb);
71990 return NET_RX_DROP;
71991 }
71992 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
71993
71994 if (inet->hdrincl) {
71995 if (skb_checksum_complete(skb)) {
71996 - atomic_inc(&sk->sk_drops);
71997 + atomic_inc_unchecked(&sk->sk_drops);
71998 kfree_skb(skb);
71999 return NET_RX_DROP;
72000 }
72001 @@ -518,7 +518,7 @@ csum_copy_err:
72002 as some normal condition.
72003 */
72004 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
72005 - atomic_inc(&sk->sk_drops);
72006 + atomic_inc_unchecked(&sk->sk_drops);
72007 goto out;
72008 }
72009
72010 @@ -600,7 +600,7 @@ out:
72011 return err;
72012 }
72013
72014 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
72015 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
72016 struct flowi *fl, struct rt6_info *rt,
72017 unsigned int flags)
72018 {
72019 @@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
72020 u16 proto;
72021 int err;
72022
72023 + pax_track_stack();
72024 +
72025 /* Rough check on arithmetic overflow,
72026 better check is made in ip6_append_data().
72027 */
72028 @@ -916,12 +918,17 @@ do_confirm:
72029 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
72030 char __user *optval, int optlen)
72031 {
72032 + struct icmp6_filter filter;
72033 +
72034 switch (optname) {
72035 case ICMPV6_FILTER:
72036 + if (optlen < 0)
72037 + return -EINVAL;
72038 if (optlen > sizeof(struct icmp6_filter))
72039 optlen = sizeof(struct icmp6_filter);
72040 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
72041 + if (copy_from_user(&filter, optval, optlen))
72042 return -EFAULT;
72043 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
72044 return 0;
72045 default:
72046 return -ENOPROTOOPT;
72047 @@ -933,6 +940,7 @@ static int rawv6_seticmpfilter(struct so
72048 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
72049 char __user *optval, int __user *optlen)
72050 {
72051 + struct icmp6_filter filter;
72052 int len;
72053
72054 switch (optname) {
72055 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
72056 len = sizeof(struct icmp6_filter);
72057 if (put_user(len, optlen))
72058 return -EFAULT;
72059 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
72060 + memcpy(&filter, &raw6_sk(sk)->filter, len);
72061 + if (copy_to_user(optval, &filter, len))
72062 return -EFAULT;
72063 return 0;
72064 default:
72065 @@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
72066 0, 0L, 0,
72067 sock_i_uid(sp), 0,
72068 sock_i_ino(sp),
72069 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
72070 + atomic_read(&sp->sk_refcnt),
72071 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72072 + NULL,
72073 +#else
72074 + sp,
72075 +#endif
72076 + atomic_read_unchecked(&sp->sk_drops));
72077 }
72078
72079 static int raw6_seq_show(struct seq_file *seq, void *v)
72080 diff -urNp linux-2.6.32.43/net/ipv6/tcp_ipv6.c linux-2.6.32.43/net/ipv6/tcp_ipv6.c
72081 --- linux-2.6.32.43/net/ipv6/tcp_ipv6.c 2011-03-27 14:31:47.000000000 -0400
72082 +++ linux-2.6.32.43/net/ipv6/tcp_ipv6.c 2011-04-17 15:56:46.000000000 -0400
72083 @@ -88,6 +88,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
72084 }
72085 #endif
72086
72087 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72088 +extern int grsec_enable_blackhole;
72089 +#endif
72090 +
72091 static void tcp_v6_hash(struct sock *sk)
72092 {
72093 if (sk->sk_state != TCP_CLOSE) {
72094 @@ -1578,6 +1582,9 @@ static int tcp_v6_do_rcv(struct sock *sk
72095 return 0;
72096
72097 reset:
72098 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72099 + if (!grsec_enable_blackhole)
72100 +#endif
72101 tcp_v6_send_reset(sk, skb);
72102 discard:
72103 if (opt_skb)
72104 @@ -1655,12 +1662,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
72105 TCP_SKB_CB(skb)->sacked = 0;
72106
72107 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
72108 - if (!sk)
72109 + if (!sk) {
72110 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72111 + ret = 1;
72112 +#endif
72113 goto no_tcp_socket;
72114 + }
72115
72116 process:
72117 - if (sk->sk_state == TCP_TIME_WAIT)
72118 + if (sk->sk_state == TCP_TIME_WAIT) {
72119 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72120 + ret = 2;
72121 +#endif
72122 goto do_time_wait;
72123 + }
72124
72125 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
72126 goto discard_and_relse;
72127 @@ -1700,6 +1715,10 @@ no_tcp_socket:
72128 bad_packet:
72129 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
72130 } else {
72131 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72132 + if (!grsec_enable_blackhole || (ret == 1 &&
72133 + (skb->dev->flags & IFF_LOOPBACK)))
72134 +#endif
72135 tcp_v6_send_reset(NULL, skb);
72136 }
72137
72138 @@ -1915,7 +1934,13 @@ static void get_openreq6(struct seq_file
72139 uid,
72140 0, /* non standard timer */
72141 0, /* open_requests have no inode */
72142 - 0, req);
72143 + 0,
72144 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72145 + NULL
72146 +#else
72147 + req
72148 +#endif
72149 + );
72150 }
72151
72152 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
72153 @@ -1965,7 +1990,12 @@ static void get_tcp6_sock(struct seq_fil
72154 sock_i_uid(sp),
72155 icsk->icsk_probes_out,
72156 sock_i_ino(sp),
72157 - atomic_read(&sp->sk_refcnt), sp,
72158 + atomic_read(&sp->sk_refcnt),
72159 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72160 + NULL,
72161 +#else
72162 + sp,
72163 +#endif
72164 jiffies_to_clock_t(icsk->icsk_rto),
72165 jiffies_to_clock_t(icsk->icsk_ack.ato),
72166 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
72167 @@ -2000,7 +2030,13 @@ static void get_timewait6_sock(struct se
72168 dest->s6_addr32[2], dest->s6_addr32[3], destp,
72169 tw->tw_substate, 0, 0,
72170 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
72171 - atomic_read(&tw->tw_refcnt), tw);
72172 + atomic_read(&tw->tw_refcnt),
72173 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72174 + NULL
72175 +#else
72176 + tw
72177 +#endif
72178 + );
72179 }
72180
72181 static int tcp6_seq_show(struct seq_file *seq, void *v)
72182 diff -urNp linux-2.6.32.43/net/ipv6/udp.c linux-2.6.32.43/net/ipv6/udp.c
72183 --- linux-2.6.32.43/net/ipv6/udp.c 2011-07-13 17:23:04.000000000 -0400
72184 +++ linux-2.6.32.43/net/ipv6/udp.c 2011-07-13 17:23:27.000000000 -0400
72185 @@ -49,6 +49,10 @@
72186 #include <linux/seq_file.h>
72187 #include "udp_impl.h"
72188
72189 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72190 +extern int grsec_enable_blackhole;
72191 +#endif
72192 +
72193 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
72194 {
72195 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
72196 @@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
72197 if (rc == -ENOMEM) {
72198 UDP6_INC_STATS_BH(sock_net(sk),
72199 UDP_MIB_RCVBUFERRORS, is_udplite);
72200 - atomic_inc(&sk->sk_drops);
72201 + atomic_inc_unchecked(&sk->sk_drops);
72202 }
72203 goto drop;
72204 }
72205 @@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
72206 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
72207 proto == IPPROTO_UDPLITE);
72208
72209 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
72210 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
72211 +#endif
72212 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
72213
72214 kfree_skb(skb);
72215 @@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
72216 0, 0L, 0,
72217 sock_i_uid(sp), 0,
72218 sock_i_ino(sp),
72219 - atomic_read(&sp->sk_refcnt), sp,
72220 - atomic_read(&sp->sk_drops));
72221 + atomic_read(&sp->sk_refcnt),
72222 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72223 + NULL,
72224 +#else
72225 + sp,
72226 +#endif
72227 + atomic_read_unchecked(&sp->sk_drops));
72228 }
72229
72230 int udp6_seq_show(struct seq_file *seq, void *v)
72231 diff -urNp linux-2.6.32.43/net/irda/ircomm/ircomm_tty.c linux-2.6.32.43/net/irda/ircomm/ircomm_tty.c
72232 --- linux-2.6.32.43/net/irda/ircomm/ircomm_tty.c 2011-03-27 14:31:47.000000000 -0400
72233 +++ linux-2.6.32.43/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:56:46.000000000 -0400
72234 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
72235 add_wait_queue(&self->open_wait, &wait);
72236
72237 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
72238 - __FILE__,__LINE__, tty->driver->name, self->open_count );
72239 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
72240
72241 /* As far as I can see, we protect open_count - Jean II */
72242 spin_lock_irqsave(&self->spinlock, flags);
72243 if (!tty_hung_up_p(filp)) {
72244 extra_count = 1;
72245 - self->open_count--;
72246 + local_dec(&self->open_count);
72247 }
72248 spin_unlock_irqrestore(&self->spinlock, flags);
72249 - self->blocked_open++;
72250 + local_inc(&self->blocked_open);
72251
72252 while (1) {
72253 if (tty->termios->c_cflag & CBAUD) {
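Review bot: The format strings still use `%d` while the argument is now `local_read(&self->open_count)`, which in mainline evaluates to a `long`, so the conversion no longer matches the argument on 64-bit builds. This affects every `IRDA_DEBUG`/`IRDA_ERROR` call changed in this file and `seq_printf(m, "Open count: %d\n", ...)` in ircomm_tty_line_info. Either switch the specifier, `seq_printf(m, "Open count: %ld\n", local_read(&self->open_count));`, or cast the value to `int` at each call. Separately, `local_inc(&self->blocked_open)` runs after `spin_unlock_irqrestore()`, so that counter is updated without the lock the surrounding comments rely on. The original `++` behaved the same way, but the conversion is a good moment to document it.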
72254 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
72255 }
72256
72257 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
72258 - __FILE__,__LINE__, tty->driver->name, self->open_count );
72259 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
72260
72261 schedule();
72262 }
72263 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
72264 if (extra_count) {
72265 /* ++ is not atomic, so this should be protected - Jean II */
72266 spin_lock_irqsave(&self->spinlock, flags);
72267 - self->open_count++;
72268 + local_inc(&self->open_count);
72269 spin_unlock_irqrestore(&self->spinlock, flags);
72270 }
72271 - self->blocked_open--;
72272 + local_dec(&self->blocked_open);
72273
72274 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
72275 - __FILE__,__LINE__, tty->driver->name, self->open_count);
72276 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
72277
72278 if (!retval)
72279 self->flags |= ASYNC_NORMAL_ACTIVE;
72280 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
72281 }
72282 /* ++ is not atomic, so this should be protected - Jean II */
72283 spin_lock_irqsave(&self->spinlock, flags);
72284 - self->open_count++;
72285 + local_inc(&self->open_count);
72286
72287 tty->driver_data = self;
72288 self->tty = tty;
72289 spin_unlock_irqrestore(&self->spinlock, flags);
72290
72291 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
72292 - self->line, self->open_count);
72293 + self->line, local_read(&self->open_count));
72294
72295 /* Not really used by us, but lets do it anyway */
72296 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
72297 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
72298 return;
72299 }
72300
72301 - if ((tty->count == 1) && (self->open_count != 1)) {
72302 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
72303 /*
72304 * Uh, oh. tty->count is 1, which means that the tty
72305 * structure will be freed. state->count should always
72306 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
72307 */
72308 IRDA_DEBUG(0, "%s(), bad serial port count; "
72309 "tty->count is 1, state->count is %d\n", __func__ ,
72310 - self->open_count);
72311 - self->open_count = 1;
72312 + local_read(&self->open_count));
72313 + local_set(&self->open_count, 1);
72314 }
72315
72316 - if (--self->open_count < 0) {
72317 + if (local_dec_return(&self->open_count) < 0) {
72318 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
72319 - __func__, self->line, self->open_count);
72320 - self->open_count = 0;
72321 + __func__, self->line, local_read(&self->open_count));
72322 + local_set(&self->open_count, 0);
72323 }
72324 - if (self->open_count) {
72325 + if (local_read(&self->open_count)) {
72326 spin_unlock_irqrestore(&self->spinlock, flags);
72327
72328 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
72329 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
72330 tty->closing = 0;
72331 self->tty = NULL;
72332
72333 - if (self->blocked_open) {
72334 + if (local_read(&self->blocked_open)) {
72335 if (self->close_delay)
72336 schedule_timeout_interruptible(self->close_delay);
72337 wake_up_interruptible(&self->open_wait);
72338 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
72339 spin_lock_irqsave(&self->spinlock, flags);
72340 self->flags &= ~ASYNC_NORMAL_ACTIVE;
72341 self->tty = NULL;
72342 - self->open_count = 0;
72343 + local_set(&self->open_count, 0);
72344 spin_unlock_irqrestore(&self->spinlock, flags);
72345
72346 wake_up_interruptible(&self->open_wait);
72347 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
72348 seq_putc(m, '\n');
72349
72350 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
72351 - seq_printf(m, "Open count: %d\n", self->open_count);
72352 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
72353 seq_printf(m, "Max data size: %d\n", self->max_data_size);
72354 seq_printf(m, "Max header size: %d\n", self->max_header_size);
72355
72356 diff -urNp linux-2.6.32.43/net/iucv/af_iucv.c linux-2.6.32.43/net/iucv/af_iucv.c
72357 --- linux-2.6.32.43/net/iucv/af_iucv.c 2011-03-27 14:31:47.000000000 -0400
72358 +++ linux-2.6.32.43/net/iucv/af_iucv.c 2011-05-04 17:56:28.000000000 -0400
72359 @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
72360
72361 write_lock_bh(&iucv_sk_list.lock);
72362
72363 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
72364 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
72365 while (__iucv_get_sock_by_name(name)) {
72366 sprintf(name, "%08x",
72367 - atomic_inc_return(&iucv_sk_list.autobind_name));
72368 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
72369 }
72370
72371 write_unlock_bh(&iucv_sk_list.lock);
72372 diff -urNp linux-2.6.32.43/net/key/af_key.c linux-2.6.32.43/net/key/af_key.c
72373 --- linux-2.6.32.43/net/key/af_key.c 2011-03-27 14:31:47.000000000 -0400
72374 +++ linux-2.6.32.43/net/key/af_key.c 2011-05-16 21:46:57.000000000 -0400
72375 @@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
72376 struct xfrm_migrate m[XFRM_MAX_DEPTH];
72377 struct xfrm_kmaddress k;
72378
72379 + pax_track_stack();
72380 +
72381 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
72382 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
72383 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
72384 @@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
72385 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
72386 else
72387 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
72388 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72389 + NULL,
72390 +#else
72391 s,
72392 +#endif
72393 atomic_read(&s->sk_refcnt),
72394 sk_rmem_alloc_get(s),
72395 sk_wmem_alloc_get(s),
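Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `s` / `#endif` sequence is spliced into the middle of the seq_printf argument list in pfkey_seq_show. The same five lines recur in netlink_seq_show (twice), packet_seq_show and pn_sock_seq_show later in this patch. One helper defined in a shared header would keep each call site to a single argument and make a site that was missed easier to spot in review. For example, a macro along the lines of `#define GR_HIDE_PTR(p) NULL` under the option and `(p)` otherwise, where the name is a suggestion only. A one-line comment at the definition should say that the socket address is withheld from the /proc output to avoid disclosing kernel pointers. pfkey_seq_show begins and ends outside this hunk.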
72396 diff -urNp linux-2.6.32.43/net/lapb/lapb_iface.c linux-2.6.32.43/net/lapb/lapb_iface.c
72397 --- linux-2.6.32.43/net/lapb/lapb_iface.c 2011-03-27 14:31:47.000000000 -0400
72398 +++ linux-2.6.32.43/net/lapb/lapb_iface.c 2011-08-05 20:33:55.000000000 -0400
72399 @@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
72400 goto out;
72401
72402 lapb->dev = dev;
72403 - lapb->callbacks = *callbacks;
72404 + lapb->callbacks = callbacks;
72405
72406 __lapb_insert_cb(lapb);
72407
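Review bot: With `lapb->callbacks = callbacks;` lapb_register keeps the caller's pointer instead of a private copy, so the callback table must now stay valid until the device is unregistered. A caller that builds the structure on its stack would leave lapb_connect_confirmation and the other dispatchers below dereferencing freed memory. The callers are not part of this hunk, so whether any does that cannot be checked here. The new contract should be stated on the function, e.g. `/* callbacks is not copied; it must remain valid until lapb_unregister() */`. An early `if (!callbacks) return -EINVAL;` would also help, because a NULL argument now faults on the first callback dispatch rather than at registration. The body of lapb_register extends beyond the hunk on both sides.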
72408 @@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
72409
72410 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
72411 {
72412 - if (lapb->callbacks.connect_confirmation)
72413 - lapb->callbacks.connect_confirmation(lapb->dev, reason);
72414 + if (lapb->callbacks->connect_confirmation)
72415 + lapb->callbacks->connect_confirmation(lapb->dev, reason);
72416 }
72417
72418 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
72419 {
72420 - if (lapb->callbacks.connect_indication)
72421 - lapb->callbacks.connect_indication(lapb->dev, reason);
72422 + if (lapb->callbacks->connect_indication)
72423 + lapb->callbacks->connect_indication(lapb->dev, reason);
72424 }
72425
72426 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
72427 {
72428 - if (lapb->callbacks.disconnect_confirmation)
72429 - lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
72430 + if (lapb->callbacks->disconnect_confirmation)
72431 + lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
72432 }
72433
72434 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
72435 {
72436 - if (lapb->callbacks.disconnect_indication)
72437 - lapb->callbacks.disconnect_indication(lapb->dev, reason);
72438 + if (lapb->callbacks->disconnect_indication)
72439 + lapb->callbacks->disconnect_indication(lapb->dev, reason);
72440 }
72441
72442 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
72443 {
72444 - if (lapb->callbacks.data_indication)
72445 - return lapb->callbacks.data_indication(lapb->dev, skb);
72446 + if (lapb->callbacks->data_indication)
72447 + return lapb->callbacks->data_indication(lapb->dev, skb);
72448
72449 kfree_skb(skb);
72450 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
72451 @@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
72452 {
72453 int used = 0;
72454
72455 - if (lapb->callbacks.data_transmit) {
72456 - lapb->callbacks.data_transmit(lapb->dev, skb);
72457 + if (lapb->callbacks->data_transmit) {
72458 + lapb->callbacks->data_transmit(lapb->dev, skb);
72459 used = 1;
72460 }
72461
72462 diff -urNp linux-2.6.32.43/net/mac80211/cfg.c linux-2.6.32.43/net/mac80211/cfg.c
72463 --- linux-2.6.32.43/net/mac80211/cfg.c 2011-03-27 14:31:47.000000000 -0400
72464 +++ linux-2.6.32.43/net/mac80211/cfg.c 2011-04-17 15:56:46.000000000 -0400
72465 @@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
72466 return err;
72467 }
72468
72469 -struct cfg80211_ops mac80211_config_ops = {
72470 +const struct cfg80211_ops mac80211_config_ops = {
72471 .add_virtual_intf = ieee80211_add_iface,
72472 .del_virtual_intf = ieee80211_del_iface,
72473 .change_virtual_intf = ieee80211_change_iface,
72474 diff -urNp linux-2.6.32.43/net/mac80211/cfg.h linux-2.6.32.43/net/mac80211/cfg.h
72475 --- linux-2.6.32.43/net/mac80211/cfg.h 2011-03-27 14:31:47.000000000 -0400
72476 +++ linux-2.6.32.43/net/mac80211/cfg.h 2011-04-17 15:56:46.000000000 -0400
72477 @@ -4,6 +4,6 @@
72478 #ifndef __CFG_H
72479 #define __CFG_H
72480
72481 -extern struct cfg80211_ops mac80211_config_ops;
72482 +extern const struct cfg80211_ops mac80211_config_ops;
72483
72484 #endif /* __CFG_H */
72485 diff -urNp linux-2.6.32.43/net/mac80211/debugfs_key.c linux-2.6.32.43/net/mac80211/debugfs_key.c
72486 --- linux-2.6.32.43/net/mac80211/debugfs_key.c 2011-03-27 14:31:47.000000000 -0400
72487 +++ linux-2.6.32.43/net/mac80211/debugfs_key.c 2011-04-17 15:56:46.000000000 -0400
72488 @@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
72489 size_t count, loff_t *ppos)
72490 {
72491 struct ieee80211_key *key = file->private_data;
72492 - int i, res, bufsize = 2 * key->conf.keylen + 2;
72493 + int i, bufsize = 2 * key->conf.keylen + 2;
72494 char *buf = kmalloc(bufsize, GFP_KERNEL);
72495 char *p = buf;
72496 + ssize_t res;
72497 +
72498 + if (buf == NULL)
72499 + return -ENOMEM;
72500
72501 for (i = 0; i < key->conf.keylen; i++)
72502 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
72503 diff -urNp linux-2.6.32.43/net/mac80211/debugfs_sta.c linux-2.6.32.43/net/mac80211/debugfs_sta.c
72504 --- linux-2.6.32.43/net/mac80211/debugfs_sta.c 2011-03-27 14:31:47.000000000 -0400
72505 +++ linux-2.6.32.43/net/mac80211/debugfs_sta.c 2011-05-16 21:46:57.000000000 -0400
72506 @@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
72507 int i;
72508 struct sta_info *sta = file->private_data;
72509
72510 + pax_track_stack();
72511 +
72512 spin_lock_bh(&sta->lock);
72513 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
72514 sta->ampdu_mlme.dialog_token_allocator + 1);
72515 diff -urNp linux-2.6.32.43/net/mac80211/ieee80211_i.h linux-2.6.32.43/net/mac80211/ieee80211_i.h
72516 --- linux-2.6.32.43/net/mac80211/ieee80211_i.h 2011-03-27 14:31:47.000000000 -0400
72517 +++ linux-2.6.32.43/net/mac80211/ieee80211_i.h 2011-04-17 15:56:46.000000000 -0400
72518 @@ -25,6 +25,7 @@
72519 #include <linux/etherdevice.h>
72520 #include <net/cfg80211.h>
72521 #include <net/mac80211.h>
72522 +#include <asm/local.h>
72523 #include "key.h"
72524 #include "sta_info.h"
72525
72526 @@ -635,7 +636,7 @@ struct ieee80211_local {
72527 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
72528 spinlock_t queue_stop_reason_lock;
72529
72530 - int open_count;
72531 + local_t open_count;
72532 int monitors, cooked_mntrs;
72533 /* number of interfaces with corresponding FIF_ flags */
72534 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
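Review bot: Changing `open_count` to `local_t` in struct ieee80211_local leaves the field without any statement of what serialises it, and local_t operations are atomic only with respect to the CPU that executes them. The `local_inc()` and `local_dec()` calls in the ieee80211_open and ieee80211_stop hunks of iface.c therefore still depend on an outer lock, presumably RTNL, though that is not visible in these hunks. A comment on the field would record that, e.g. `/* modified under RTNL only; local_t provides no cross-CPU atomicity */`, adjusted to whatever lock actually applies. The struct definition starts and ends outside this hunk.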
72535 diff -urNp linux-2.6.32.43/net/mac80211/iface.c linux-2.6.32.43/net/mac80211/iface.c
72536 --- linux-2.6.32.43/net/mac80211/iface.c 2011-03-27 14:31:47.000000000 -0400
72537 +++ linux-2.6.32.43/net/mac80211/iface.c 2011-04-17 15:56:46.000000000 -0400
72538 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
72539 break;
72540 }
72541
72542 - if (local->open_count == 0) {
72543 + if (local_read(&local->open_count) == 0) {
72544 res = drv_start(local);
72545 if (res)
72546 goto err_del_bss;
72547 @@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
72548 * Validate the MAC address for this device.
72549 */
72550 if (!is_valid_ether_addr(dev->dev_addr)) {
72551 - if (!local->open_count)
72552 + if (!local_read(&local->open_count))
72553 drv_stop(local);
72554 return -EADDRNOTAVAIL;
72555 }
72556 @@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
72557
72558 hw_reconf_flags |= __ieee80211_recalc_idle(local);
72559
72560 - local->open_count++;
72561 + local_inc(&local->open_count);
72562 if (hw_reconf_flags) {
72563 ieee80211_hw_config(local, hw_reconf_flags);
72564 /*
72565 @@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
72566 err_del_interface:
72567 drv_remove_interface(local, &conf);
72568 err_stop:
72569 - if (!local->open_count)
72570 + if (!local_read(&local->open_count))
72571 drv_stop(local);
72572 err_del_bss:
72573 sdata->bss = NULL;
72574 @@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
72575 WARN_ON(!list_empty(&sdata->u.ap.vlans));
72576 }
72577
72578 - local->open_count--;
72579 + local_dec(&local->open_count);
72580
72581 switch (sdata->vif.type) {
72582 case NL80211_IFTYPE_AP_VLAN:
72583 @@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
72584
72585 ieee80211_recalc_ps(local, -1);
72586
72587 - if (local->open_count == 0) {
72588 + if (local_read(&local->open_count) == 0) {
72589 ieee80211_clear_tx_pending(local);
72590 ieee80211_stop_device(local);
72591
72592 diff -urNp linux-2.6.32.43/net/mac80211/main.c linux-2.6.32.43/net/mac80211/main.c
72593 --- linux-2.6.32.43/net/mac80211/main.c 2011-05-10 22:12:02.000000000 -0400
72594 +++ linux-2.6.32.43/net/mac80211/main.c 2011-05-10 22:12:34.000000000 -0400
72595 @@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
72596 local->hw.conf.power_level = power;
72597 }
72598
72599 - if (changed && local->open_count) {
72600 + if (changed && local_read(&local->open_count)) {
72601 ret = drv_config(local, changed);
72602 /*
72603 * Goal:
72604 diff -urNp linux-2.6.32.43/net/mac80211/mlme.c linux-2.6.32.43/net/mac80211/mlme.c
72605 --- linux-2.6.32.43/net/mac80211/mlme.c 2011-03-27 14:31:47.000000000 -0400
72606 +++ linux-2.6.32.43/net/mac80211/mlme.c 2011-05-16 21:46:57.000000000 -0400
72607 @@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
72608 bool have_higher_than_11mbit = false, newsta = false;
72609 u16 ap_ht_cap_flags;
72610
72611 + pax_track_stack();
72612 +
72613 /*
72614 * AssocResp and ReassocResp have identical structure, so process both
72615 * of them in this function.
72616 diff -urNp linux-2.6.32.43/net/mac80211/pm.c linux-2.6.32.43/net/mac80211/pm.c
72617 --- linux-2.6.32.43/net/mac80211/pm.c 2011-03-27 14:31:47.000000000 -0400
72618 +++ linux-2.6.32.43/net/mac80211/pm.c 2011-04-17 15:56:46.000000000 -0400
72619 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
72620 }
72621
72622 /* stop hardware - this must stop RX */
72623 - if (local->open_count)
72624 + if (local_read(&local->open_count))
72625 ieee80211_stop_device(local);
72626
72627 local->suspended = true;
72628 diff -urNp linux-2.6.32.43/net/mac80211/rate.c linux-2.6.32.43/net/mac80211/rate.c
72629 --- linux-2.6.32.43/net/mac80211/rate.c 2011-03-27 14:31:47.000000000 -0400
72630 +++ linux-2.6.32.43/net/mac80211/rate.c 2011-04-17 15:56:46.000000000 -0400
72631 @@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
72632 struct rate_control_ref *ref, *old;
72633
72634 ASSERT_RTNL();
72635 - if (local->open_count)
72636 + if (local_read(&local->open_count))
72637 return -EBUSY;
72638
72639 ref = rate_control_alloc(name, local);
72640 diff -urNp linux-2.6.32.43/net/mac80211/tx.c linux-2.6.32.43/net/mac80211/tx.c
72641 --- linux-2.6.32.43/net/mac80211/tx.c 2011-03-27 14:31:47.000000000 -0400
72642 +++ linux-2.6.32.43/net/mac80211/tx.c 2011-04-17 15:56:46.000000000 -0400
72643 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
72644 return cpu_to_le16(dur);
72645 }
72646
72647 -static int inline is_ieee80211_device(struct ieee80211_local *local,
72648 +static inline int is_ieee80211_device(struct ieee80211_local *local,
72649 struct net_device *dev)
72650 {
72651 return local == wdev_priv(dev->ieee80211_ptr);
72652 diff -urNp linux-2.6.32.43/net/mac80211/util.c linux-2.6.32.43/net/mac80211/util.c
72653 --- linux-2.6.32.43/net/mac80211/util.c 2011-03-27 14:31:47.000000000 -0400
72654 +++ linux-2.6.32.43/net/mac80211/util.c 2011-04-17 15:56:46.000000000 -0400
72655 @@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
72656 local->resuming = true;
72657
72658 /* restart hardware */
72659 - if (local->open_count) {
72660 + if (local_read(&local->open_count)) {
72661 /*
72662 * Upon resume hardware can sometimes be goofy due to
72663 * various platform / driver / bus issues, so restarting
72664 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_app.c
72665 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_app.c 2011-03-27 14:31:47.000000000 -0400
72666 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:26:34.000000000 -0400
72667 @@ -564,7 +564,7 @@ static const struct file_operations ip_v
72668 .open = ip_vs_app_open,
72669 .read = seq_read,
72670 .llseek = seq_lseek,
72671 - .release = seq_release,
72672 + .release = seq_release_net,
72673 };
72674 #endif
72675
72676 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_conn.c
72677 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_conn.c 2011-03-27 14:31:47.000000000 -0400
72678 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:26:34.000000000 -0400
72679 @@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
72680 /* if the connection is not template and is created
72681 * by sync, preserve the activity flag.
72682 */
72683 - cp->flags |= atomic_read(&dest->conn_flags) &
72684 + cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
72685 (~IP_VS_CONN_F_INACTIVE);
72686 else
72687 - cp->flags |= atomic_read(&dest->conn_flags);
72688 + cp->flags |= atomic_read_unchecked(&dest->conn_flags);
72689 cp->dest = dest;
72690
72691 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
72692 @@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
72693 atomic_set(&cp->refcnt, 1);
72694
72695 atomic_set(&cp->n_control, 0);
72696 - atomic_set(&cp->in_pkts, 0);
72697 + atomic_set_unchecked(&cp->in_pkts, 0);
72698
72699 atomic_inc(&ip_vs_conn_count);
72700 if (flags & IP_VS_CONN_F_NO_CPORT)
72701 @@ -871,7 +871,7 @@ static const struct file_operations ip_v
72702 .open = ip_vs_conn_open,
72703 .read = seq_read,
72704 .llseek = seq_lseek,
72705 - .release = seq_release,
72706 + .release = seq_release_net,
72707 };
72708
72709 static const char *ip_vs_origin_name(unsigned flags)
72710 @@ -934,7 +934,7 @@ static const struct file_operations ip_v
72711 .open = ip_vs_conn_sync_open,
72712 .read = seq_read,
72713 .llseek = seq_lseek,
72714 - .release = seq_release,
72715 + .release = seq_release_net,
72716 };
72717
72718 #endif
72719 @@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
72720
72721 /* Don't drop the entry if its number of incoming packets is not
72722 located in [0, 8] */
72723 - i = atomic_read(&cp->in_pkts);
72724 + i = atomic_read_unchecked(&cp->in_pkts);
72725 if (i > 8 || i < 0) return 0;
72726
72727 if (!todrop_rate[i]) return 0;
72728 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_core.c
72729 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_core.c 2011-03-27 14:31:47.000000000 -0400
72730 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_core.c 2011-05-04 17:56:28.000000000 -0400
72731 @@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
72732 ret = cp->packet_xmit(skb, cp, pp);
72733 /* do not touch skb anymore */
72734
72735 - atomic_inc(&cp->in_pkts);
72736 + atomic_inc_unchecked(&cp->in_pkts);
72737 ip_vs_conn_put(cp);
72738 return ret;
72739 }
72740 @@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
72741 * Sync connection if it is about to close to
72742 * encorage the standby servers to update the connections timeout
72743 */
72744 - pkts = atomic_add_return(1, &cp->in_pkts);
72745 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
72746 if (af == AF_INET &&
72747 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
72748 (((cp->protocol != IPPROTO_TCP ||
72749 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_ctl.c
72750 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-27 14:31:47.000000000 -0400
72751 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:26:34.000000000 -0400
72752 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
72753 ip_vs_rs_hash(dest);
72754 write_unlock_bh(&__ip_vs_rs_lock);
72755 }
72756 - atomic_set(&dest->conn_flags, conn_flags);
72757 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
72758
72759 /* bind the service */
72760 if (!dest->svc) {
72761 @@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
72762 " %-7s %-6d %-10d %-10d\n",
72763 &dest->addr.in6,
72764 ntohs(dest->port),
72765 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
72766 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
72767 atomic_read(&dest->weight),
72768 atomic_read(&dest->activeconns),
72769 atomic_read(&dest->inactconns));
72770 @@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
72771 "%-7s %-6d %-10d %-10d\n",
72772 ntohl(dest->addr.ip),
72773 ntohs(dest->port),
72774 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
72775 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
72776 atomic_read(&dest->weight),
72777 atomic_read(&dest->activeconns),
72778 atomic_read(&dest->inactconns));
72779 @@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
72780 .open = ip_vs_info_open,
72781 .read = seq_read,
72782 .llseek = seq_lseek,
72783 - .release = seq_release_private,
72784 + .release = seq_release_net,
72785 };
72786
72787 #endif
72788 @@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
72789 .open = ip_vs_stats_seq_open,
72790 .read = seq_read,
72791 .llseek = seq_lseek,
72792 - .release = single_release,
72793 + .release = single_release_net,
72794 };
72795
72796 #endif
72797 @@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
72798
72799 entry.addr = dest->addr.ip;
72800 entry.port = dest->port;
72801 - entry.conn_flags = atomic_read(&dest->conn_flags);
72802 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
72803 entry.weight = atomic_read(&dest->weight);
72804 entry.u_threshold = dest->u_threshold;
72805 entry.l_threshold = dest->l_threshold;
72806 @@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
72807 unsigned char arg[128];
72808 int ret = 0;
72809
72810 + pax_track_stack();
72811 +
72812 if (!capable(CAP_NET_ADMIN))
72813 return -EPERM;
72814
72815 @@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
72816 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
72817
72818 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
72819 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
72820 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
72821 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
72822 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
72823 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
72824 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_sync.c
72825 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_sync.c 2011-03-27 14:31:47.000000000 -0400
72826 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_sync.c 2011-05-04 17:56:28.000000000 -0400
72827 @@ -438,7 +438,7 @@ static void ip_vs_process_message(const
72828
72829 if (opt)
72830 memcpy(&cp->in_seq, opt, sizeof(*opt));
72831 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
72832 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
72833 cp->state = state;
72834 cp->old_state = cp->state;
72835 /*
72836 diff -urNp linux-2.6.32.43/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.43/net/netfilter/ipvs/ip_vs_xmit.c
72837 --- linux-2.6.32.43/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-27 14:31:47.000000000 -0400
72838 +++ linux-2.6.32.43/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-04 17:56:28.000000000 -0400
72839 @@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
72840 else
72841 rc = NF_ACCEPT;
72842 /* do not touch skb anymore */
72843 - atomic_inc(&cp->in_pkts);
72844 + atomic_inc_unchecked(&cp->in_pkts);
72845 goto out;
72846 }
72847
72848 @@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
72849 else
72850 rc = NF_ACCEPT;
72851 /* do not touch skb anymore */
72852 - atomic_inc(&cp->in_pkts);
72853 + atomic_inc_unchecked(&cp->in_pkts);
72854 goto out;
72855 }
72856
72857 diff -urNp linux-2.6.32.43/net/netfilter/Kconfig linux-2.6.32.43/net/netfilter/Kconfig
72858 --- linux-2.6.32.43/net/netfilter/Kconfig 2011-03-27 14:31:47.000000000 -0400
72859 +++ linux-2.6.32.43/net/netfilter/Kconfig 2011-04-17 15:56:46.000000000 -0400
72860 @@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
72861
72862 To compile it as a module, choose M here. If unsure, say N.
72863
72864 +config NETFILTER_XT_MATCH_GRADM
72865 + tristate '"gradm" match support'
72866 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
72867 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
72868 + ---help---
72869 + The gradm match allows to match on grsecurity RBAC being enabled.
72870 + It is useful when iptables rules are applied early on bootup to
72871 + prevent connections to the machine (except from a trusted host)
72872 + while the RBAC system is disabled.
72873 +
72874 config NETFILTER_XT_MATCH_HASHLIMIT
72875 tristate '"hashlimit" match support'
72876 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
72877 diff -urNp linux-2.6.32.43/net/netfilter/Makefile linux-2.6.32.43/net/netfilter/Makefile
72878 --- linux-2.6.32.43/net/netfilter/Makefile 2011-03-27 14:31:47.000000000 -0400
72879 +++ linux-2.6.32.43/net/netfilter/Makefile 2011-04-17 15:56:46.000000000 -0400
72880 @@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
72881 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
72882 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
72883 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
72884 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
72885 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
72886 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
72887 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
72888 diff -urNp linux-2.6.32.43/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.43/net/netfilter/nf_conntrack_netlink.c
72889 --- linux-2.6.32.43/net/netfilter/nf_conntrack_netlink.c 2011-03-27 14:31:47.000000000 -0400
72890 +++ linux-2.6.32.43/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:56:46.000000000 -0400
72891 @@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
72892 static int
72893 ctnetlink_parse_tuple(const struct nlattr * const cda[],
72894 struct nf_conntrack_tuple *tuple,
72895 - enum ctattr_tuple type, u_int8_t l3num)
72896 + enum ctattr_type type, u_int8_t l3num)
72897 {
72898 struct nlattr *tb[CTA_TUPLE_MAX+1];
72899 int err;
72900 diff -urNp linux-2.6.32.43/net/netfilter/nfnetlink_log.c linux-2.6.32.43/net/netfilter/nfnetlink_log.c
72901 --- linux-2.6.32.43/net/netfilter/nfnetlink_log.c 2011-03-27 14:31:47.000000000 -0400
72902 +++ linux-2.6.32.43/net/netfilter/nfnetlink_log.c 2011-05-04 17:56:28.000000000 -0400
72903 @@ -68,7 +68,7 @@ struct nfulnl_instance {
72904 };
72905
72906 static DEFINE_RWLOCK(instances_lock);
72907 -static atomic_t global_seq;
72908 +static atomic_unchecked_t global_seq;
72909
72910 #define INSTANCE_BUCKETS 16
72911 static struct hlist_head instance_table[INSTANCE_BUCKETS];
72912 @@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
72913 /* global sequence number */
72914 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
72915 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
72916 - htonl(atomic_inc_return(&global_seq)));
72917 + htonl(atomic_inc_return_unchecked(&global_seq)));
72918
72919 if (data_len) {
72920 struct nlattr *nla;
72921 diff -urNp linux-2.6.32.43/net/netfilter/xt_gradm.c linux-2.6.32.43/net/netfilter/xt_gradm.c
72922 --- linux-2.6.32.43/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
72923 +++ linux-2.6.32.43/net/netfilter/xt_gradm.c 2011-04-17 15:56:46.000000000 -0400
72924 @@ -0,0 +1,51 @@
72925 +/*
72926 + * gradm match for netfilter
72927 + * Copyright © Zbigniew Krzystolik, 2010
72928 + *
72929 + * This program is free software; you can redistribute it and/or modify
72930 + * it under the terms of the GNU General Public License; either version
72931 + * 2 or 3 as published by the Free Software Foundation.
72932 + */
72933 +#include <linux/module.h>
72934 +#include <linux/moduleparam.h>
72935 +#include <linux/skbuff.h>
72936 +#include <linux/netfilter/x_tables.h>
72937 +#include <linux/grsecurity.h>
72938 +#include <linux/netfilter/xt_gradm.h>
72939 +
72940 +static bool
72941 +gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
72942 +{
72943 + const struct xt_gradm_mtinfo *info = par->matchinfo;
72944 + bool retval = false;
72945 + if (gr_acl_is_enabled())
72946 + retval = true;
72947 + return retval ^ info->invflags;
72948 +}
72949 +
72950 +static struct xt_match gradm_mt_reg __read_mostly = {
72951 + .name = "gradm",
72952 + .revision = 0,
72953 + .family = NFPROTO_UNSPEC,
72954 + .match = gradm_mt,
72955 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
72956 + .me = THIS_MODULE,
72957 +};
72958 +
72959 +static int __init gradm_mt_init(void)
72960 +{
72961 + return xt_register_match(&gradm_mt_reg);
72962 +}
72963 +
72964 +static void __exit gradm_mt_exit(void)
72965 +{
72966 + xt_unregister_match(&gradm_mt_reg);
72967 +}
72968 +
72969 +module_init(gradm_mt_init);
72970 +module_exit(gradm_mt_exit);
72971 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
72972 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
72973 +MODULE_LICENSE("GPL");
72974 +MODULE_ALIAS("ipt_gradm");
72975 +MODULE_ALIAS("ip6t_gradm");
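Review bot: `return retval ^ info->invflags;` in gradm_mt XORs a bool with the raw flags word, so any invflags value other than 0 or 1 yields a non-zero result whatever gr_acl_is_enabled() returned. The match then always succeeds, including while RBAC is disabled, which is the state the rule is meant to distinguish. gradm_mt_reg sets no `.checkentry`, so nothing in this file rejects such a value supplied with the rule; the field's width and defined bits are in xt_gradm.h, which this section does not show. Normalising at the use site is enough: `return gr_acl_is_enabled() ^ !!info->invflags;`.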
72976 diff -urNp linux-2.6.32.43/net/netlink/af_netlink.c linux-2.6.32.43/net/netlink/af_netlink.c
72977 --- linux-2.6.32.43/net/netlink/af_netlink.c 2011-03-27 14:31:47.000000000 -0400
72978 +++ linux-2.6.32.43/net/netlink/af_netlink.c 2011-05-04 17:56:28.000000000 -0400
72979 @@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
72980 sk->sk_error_report(sk);
72981 }
72982 }
72983 - atomic_inc(&sk->sk_drops);
72984 + atomic_inc_unchecked(&sk->sk_drops);
72985 }
72986
72987 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
72988 @@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
72989 struct netlink_sock *nlk = nlk_sk(s);
72990
72991 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
72992 +#ifdef CONFIG_GRKERNSEC_HIDESYM
72993 + NULL,
72994 +#else
72995 s,
72996 +#endif
72997 s->sk_protocol,
72998 nlk->pid,
72999 nlk->groups ? (u32)nlk->groups[0] : 0,
73000 sk_rmem_alloc_get(s),
73001 sk_wmem_alloc_get(s),
73002 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73003 + NULL,
73004 +#else
73005 nlk->cb,
73006 +#endif
73007 atomic_read(&s->sk_refcnt),
73008 - atomic_read(&s->sk_drops)
73009 + atomic_read_unchecked(&s->sk_drops)
73010 );
73011
73012 }
73013 diff -urNp linux-2.6.32.43/net/netrom/af_netrom.c linux-2.6.32.43/net/netrom/af_netrom.c
73014 --- linux-2.6.32.43/net/netrom/af_netrom.c 2011-03-27 14:31:47.000000000 -0400
73015 +++ linux-2.6.32.43/net/netrom/af_netrom.c 2011-04-17 15:56:46.000000000 -0400
73016 @@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
73017 struct sock *sk = sock->sk;
73018 struct nr_sock *nr = nr_sk(sk);
73019
73020 + memset(sax, 0, sizeof(*sax));
73021 lock_sock(sk);
73022 if (peer != 0) {
73023 if (sk->sk_state != TCP_ESTABLISHED) {
73024 @@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
73025 *uaddr_len = sizeof(struct full_sockaddr_ax25);
73026 } else {
73027 sax->fsa_ax25.sax25_family = AF_NETROM;
73028 - sax->fsa_ax25.sax25_ndigis = 0;
73029 sax->fsa_ax25.sax25_call = nr->source_addr;
73030 *uaddr_len = sizeof(struct sockaddr_ax25);
73031 }
73032 diff -urNp linux-2.6.32.43/net/packet/af_packet.c linux-2.6.32.43/net/packet/af_packet.c
73033 --- linux-2.6.32.43/net/packet/af_packet.c 2011-07-13 17:23:04.000000000 -0400
73034 +++ linux-2.6.32.43/net/packet/af_packet.c 2011-07-13 17:23:27.000000000 -0400
73035 @@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_fi
73036
73037 seq_printf(seq,
73038 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
73039 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73040 + NULL,
73041 +#else
73042 s,
73043 +#endif
73044 atomic_read(&s->sk_refcnt),
73045 s->sk_type,
73046 ntohs(po->num),
73047 diff -urNp linux-2.6.32.43/net/phonet/af_phonet.c linux-2.6.32.43/net/phonet/af_phonet.c
73048 --- linux-2.6.32.43/net/phonet/af_phonet.c 2011-03-27 14:31:47.000000000 -0400
73049 +++ linux-2.6.32.43/net/phonet/af_phonet.c 2011-04-17 15:56:46.000000000 -0400
73050 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
73051 {
73052 struct phonet_protocol *pp;
73053
73054 - if (protocol >= PHONET_NPROTO)
73055 + if (protocol < 0 || protocol >= PHONET_NPROTO)
73056 return NULL;
73057
73058 spin_lock(&proto_tab_lock);
73059 @@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
73060 {
73061 int err = 0;
73062
73063 - if (protocol >= PHONET_NPROTO)
73064 + if (protocol < 0 || protocol >= PHONET_NPROTO)
73065 return -EINVAL;
73066
73067 err = proto_register(pp->prot, 1);
73068 diff -urNp linux-2.6.32.43/net/phonet/datagram.c linux-2.6.32.43/net/phonet/datagram.c
73069 --- linux-2.6.32.43/net/phonet/datagram.c 2011-03-27 14:31:47.000000000 -0400
73070 +++ linux-2.6.32.43/net/phonet/datagram.c 2011-05-04 17:56:28.000000000 -0400
73071 @@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
73072 if (err < 0) {
73073 kfree_skb(skb);
73074 if (err == -ENOMEM)
73075 - atomic_inc(&sk->sk_drops);
73076 + atomic_inc_unchecked(&sk->sk_drops);
73077 }
73078 return err ? NET_RX_DROP : NET_RX_SUCCESS;
73079 }
73080 diff -urNp linux-2.6.32.43/net/phonet/pep.c linux-2.6.32.43/net/phonet/pep.c
73081 --- linux-2.6.32.43/net/phonet/pep.c 2011-03-27 14:31:47.000000000 -0400
73082 +++ linux-2.6.32.43/net/phonet/pep.c 2011-05-04 17:56:28.000000000 -0400
73083 @@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
73084
73085 case PNS_PEP_CTRL_REQ:
73086 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
73087 - atomic_inc(&sk->sk_drops);
73088 + atomic_inc_unchecked(&sk->sk_drops);
73089 break;
73090 }
73091 __skb_pull(skb, 4);
73092 @@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
73093 if (!err)
73094 return 0;
73095 if (err == -ENOMEM)
73096 - atomic_inc(&sk->sk_drops);
73097 + atomic_inc_unchecked(&sk->sk_drops);
73098 break;
73099 }
73100
73101 if (pn->rx_credits == 0) {
73102 - atomic_inc(&sk->sk_drops);
73103 + atomic_inc_unchecked(&sk->sk_drops);
73104 err = -ENOBUFS;
73105 break;
73106 }
73107 diff -urNp linux-2.6.32.43/net/phonet/socket.c linux-2.6.32.43/net/phonet/socket.c
73108 --- linux-2.6.32.43/net/phonet/socket.c 2011-03-27 14:31:47.000000000 -0400
73109 +++ linux-2.6.32.43/net/phonet/socket.c 2011-05-04 17:57:07.000000000 -0400
73110 @@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
73111 sk->sk_state,
73112 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
73113 sock_i_uid(sk), sock_i_ino(sk),
73114 - atomic_read(&sk->sk_refcnt), sk,
73115 - atomic_read(&sk->sk_drops), &len);
73116 + atomic_read(&sk->sk_refcnt),
73117 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73118 + NULL,
73119 +#else
73120 + sk,
73121 +#endif
73122 + atomic_read_unchecked(&sk->sk_drops), &len);
73123 }
73124 seq_printf(seq, "%*s\n", 127 - len, "");
73125 return 0;
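Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside the argument list of the seq_printf() call, which makes the call hard to read and easy to break when the format string changes. Preprocessor directives inside an argument list are also undefined behaviour if the callee is ever a function-like macro. One helper used at the call site would keep a single code path, for example (name is a proposal) `#define GR_HIDE_PTR(p) NULL` under the option and `#define GR_HIDE_PTR(p) (p)` otherwise. The same construct appears in both net/sctp/proc.c hunks; the seq_printf() call and pn_sock_seq_show start outside this hunk.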
73126 diff -urNp linux-2.6.32.43/net/rds/cong.c linux-2.6.32.43/net/rds/cong.c
73127 --- linux-2.6.32.43/net/rds/cong.c 2011-03-27 14:31:47.000000000 -0400
73128 +++ linux-2.6.32.43/net/rds/cong.c 2011-05-04 17:56:28.000000000 -0400
73129 @@ -77,7 +77,7 @@
73130 * finds that the saved generation number is smaller than the global generation
73131 * number, it wakes up the process.
73132 */
73133 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
73134 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
73135
73136 /*
73137 * Congestion monitoring
73138 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
73139 rdsdebug("waking map %p for %pI4\n",
73140 map, &map->m_addr);
73141 rds_stats_inc(s_cong_update_received);
73142 - atomic_inc(&rds_cong_generation);
73143 + atomic_inc_unchecked(&rds_cong_generation);
73144 if (waitqueue_active(&map->m_waitq))
73145 wake_up(&map->m_waitq);
73146 if (waitqueue_active(&rds_poll_waitq))
73147 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
73148
73149 int rds_cong_updated_since(unsigned long *recent)
73150 {
73151 - unsigned long gen = atomic_read(&rds_cong_generation);
73152 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
73153
73154 if (likely(*recent == gen))
73155 return 0;
73156 diff -urNp linux-2.6.32.43/net/rds/iw_rdma.c linux-2.6.32.43/net/rds/iw_rdma.c
73157 --- linux-2.6.32.43/net/rds/iw_rdma.c 2011-03-27 14:31:47.000000000 -0400
73158 +++ linux-2.6.32.43/net/rds/iw_rdma.c 2011-05-16 21:46:57.000000000 -0400
73159 @@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
73160 struct rdma_cm_id *pcm_id;
73161 int rc;
73162
73163 + pax_track_stack();
73164 +
73165 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
73166 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
73167
73168 diff -urNp linux-2.6.32.43/net/rds/Kconfig linux-2.6.32.43/net/rds/Kconfig
73169 --- linux-2.6.32.43/net/rds/Kconfig 2011-03-27 14:31:47.000000000 -0400
73170 +++ linux-2.6.32.43/net/rds/Kconfig 2011-04-17 15:56:46.000000000 -0400
73171 @@ -1,7 +1,7 @@
73172
73173 config RDS
73174 tristate "The RDS Protocol (EXPERIMENTAL)"
73175 - depends on INET && EXPERIMENTAL
73176 + depends on INET && EXPERIMENTAL && BROKEN
73177 ---help---
73178 The RDS (Reliable Datagram Sockets) protocol provides reliable,
73179 sequenced delivery of datagrams over Infiniband, iWARP,
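Review bot: Adding `BROKEN` to the `depends on` line makes RDS unselectable, but nothing in the entry records why. A one-line comment above the dependency, such as `# disabled by this patch set: <reason or reference placeholder>`, would tell whoever carries the patch forward when the dependency can be dropped. The help text continues outside the hunk.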
73180 diff -urNp linux-2.6.32.43/net/rxrpc/af_rxrpc.c linux-2.6.32.43/net/rxrpc/af_rxrpc.c
73181 --- linux-2.6.32.43/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
73182 +++ linux-2.6.32.43/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
73183 @@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
73184 __be32 rxrpc_epoch;
73185
73186 /* current debugging ID */
73187 -atomic_t rxrpc_debug_id;
73188 +atomic_unchecked_t rxrpc_debug_id;
73189
73190 /* count of skbs currently in use */
73191 atomic_t rxrpc_n_skbs;
73192 diff -urNp linux-2.6.32.43/net/rxrpc/ar-ack.c linux-2.6.32.43/net/rxrpc/ar-ack.c
73193 --- linux-2.6.32.43/net/rxrpc/ar-ack.c 2011-03-27 14:31:47.000000000 -0400
73194 +++ linux-2.6.32.43/net/rxrpc/ar-ack.c 2011-05-16 21:46:57.000000000 -0400
73195 @@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
73196
73197 _enter("{%d,%d,%d,%d},",
73198 call->acks_hard, call->acks_unacked,
73199 - atomic_read(&call->sequence),
73200 + atomic_read_unchecked(&call->sequence),
73201 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
73202
73203 stop = 0;
73204 @@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
73205
73206 /* each Tx packet has a new serial number */
73207 sp->hdr.serial =
73208 - htonl(atomic_inc_return(&call->conn->serial));
73209 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
73210
73211 hdr = (struct rxrpc_header *) txb->head;
73212 hdr->serial = sp->hdr.serial;
73213 @@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
73214 */
73215 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
73216 {
73217 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
73218 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
73219 }
73220
73221 /*
73222 @@ -627,7 +627,7 @@ process_further:
73223
73224 latest = ntohl(sp->hdr.serial);
73225 hard = ntohl(ack.firstPacket);
73226 - tx = atomic_read(&call->sequence);
73227 + tx = atomic_read_unchecked(&call->sequence);
73228
73229 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
73230 latest,
73231 @@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
73232 u32 abort_code = RX_PROTOCOL_ERROR;
73233 u8 *acks = NULL;
73234
73235 + pax_track_stack();
73236 +
73237 //printk("\n--------------------\n");
73238 _enter("{%d,%s,%lx} [%lu]",
73239 call->debug_id, rxrpc_call_states[call->state], call->events,
73240 @@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
73241 goto maybe_reschedule;
73242
73243 send_ACK_with_skew:
73244 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
73245 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
73246 ntohl(ack.serial));
73247 send_ACK:
73248 mtu = call->conn->trans->peer->if_mtu;
73249 @@ -1171,7 +1173,7 @@ send_ACK:
73250 ackinfo.rxMTU = htonl(5692);
73251 ackinfo.jumbo_max = htonl(4);
73252
73253 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
73254 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
73255 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
73256 ntohl(hdr.serial),
73257 ntohs(ack.maxSkew),
73258 @@ -1189,7 +1191,7 @@ send_ACK:
73259 send_message:
73260 _debug("send message");
73261
73262 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
73263 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
73264 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
73265 send_message_2:
73266
73267 diff -urNp linux-2.6.32.43/net/rxrpc/ar-call.c linux-2.6.32.43/net/rxrpc/ar-call.c
73268 --- linux-2.6.32.43/net/rxrpc/ar-call.c 2011-03-27 14:31:47.000000000 -0400
73269 +++ linux-2.6.32.43/net/rxrpc/ar-call.c 2011-05-04 17:56:28.000000000 -0400
73270 @@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
73271 spin_lock_init(&call->lock);
73272 rwlock_init(&call->state_lock);
73273 atomic_set(&call->usage, 1);
73274 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
73275 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
73276 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
73277
73278 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
73279 diff -urNp linux-2.6.32.43/net/rxrpc/ar-connection.c linux-2.6.32.43/net/rxrpc/ar-connection.c
73280 --- linux-2.6.32.43/net/rxrpc/ar-connection.c 2011-03-27 14:31:47.000000000 -0400
73281 +++ linux-2.6.32.43/net/rxrpc/ar-connection.c 2011-05-04 17:56:28.000000000 -0400
73282 @@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
73283 rwlock_init(&conn->lock);
73284 spin_lock_init(&conn->state_lock);
73285 atomic_set(&conn->usage, 1);
73286 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
73287 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
73288 conn->avail_calls = RXRPC_MAXCALLS;
73289 conn->size_align = 4;
73290 conn->header_size = sizeof(struct rxrpc_header);
73291 diff -urNp linux-2.6.32.43/net/rxrpc/ar-connevent.c linux-2.6.32.43/net/rxrpc/ar-connevent.c
73292 --- linux-2.6.32.43/net/rxrpc/ar-connevent.c 2011-03-27 14:31:47.000000000 -0400
73293 +++ linux-2.6.32.43/net/rxrpc/ar-connevent.c 2011-05-04 17:56:28.000000000 -0400
73294 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
73295
73296 len = iov[0].iov_len + iov[1].iov_len;
73297
73298 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
73299 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
73300 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
73301
73302 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
73303 diff -urNp linux-2.6.32.43/net/rxrpc/ar-input.c linux-2.6.32.43/net/rxrpc/ar-input.c
73304 --- linux-2.6.32.43/net/rxrpc/ar-input.c 2011-03-27 14:31:47.000000000 -0400
73305 +++ linux-2.6.32.43/net/rxrpc/ar-input.c 2011-05-04 17:56:28.000000000 -0400
73306 @@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
73307 /* track the latest serial number on this connection for ACK packet
73308 * information */
73309 serial = ntohl(sp->hdr.serial);
73310 - hi_serial = atomic_read(&call->conn->hi_serial);
73311 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
73312 while (serial > hi_serial)
73313 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
73314 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
73315 serial);
73316
73317 /* request ACK generation for any ACK or DATA packet that requests
73318 diff -urNp linux-2.6.32.43/net/rxrpc/ar-internal.h linux-2.6.32.43/net/rxrpc/ar-internal.h
73319 --- linux-2.6.32.43/net/rxrpc/ar-internal.h 2011-03-27 14:31:47.000000000 -0400
73320 +++ linux-2.6.32.43/net/rxrpc/ar-internal.h 2011-05-04 17:56:28.000000000 -0400
73321 @@ -272,8 +272,8 @@ struct rxrpc_connection {
73322 int error; /* error code for local abort */
73323 int debug_id; /* debug ID for printks */
73324 unsigned call_counter; /* call ID counter */
73325 - atomic_t serial; /* packet serial number counter */
73326 - atomic_t hi_serial; /* highest serial number received */
73327 + atomic_unchecked_t serial; /* packet serial number counter */
73328 + atomic_unchecked_t hi_serial; /* highest serial number received */
73329 u8 avail_calls; /* number of calls available */
73330 u8 size_align; /* data size alignment (for security) */
73331 u8 header_size; /* rxrpc + security header size */
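Review bot: The field comments on `serial` and `hi_serial` do not say why these counters are exempt from overflow checking, while `usage` in struct rxrpc_call (next hunk) stays `atomic_t`. atomic_unchecked_t appears to opt a counter out of the patch's overflow detection, so the comment should state that the value is a protocol counter that may wrap and is never a reference count, e.g. `/* packet serial number counter (may wrap; not a refcount) */`. The same applies to `sequence` and to `rxrpc_debug_id` in the next two hunks. struct rxrpc_connection starts and ends outside the hunk.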
73332 @@ -346,7 +346,7 @@ struct rxrpc_call {
73333 spinlock_t lock;
73334 rwlock_t state_lock; /* lock for state transition */
73335 atomic_t usage;
73336 - atomic_t sequence; /* Tx data packet sequence counter */
73337 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
73338 u32 abort_code; /* local/remote abort code */
73339 enum { /* current state of call */
73340 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
73341 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
73342 */
73343 extern atomic_t rxrpc_n_skbs;
73344 extern __be32 rxrpc_epoch;
73345 -extern atomic_t rxrpc_debug_id;
73346 +extern atomic_unchecked_t rxrpc_debug_id;
73347 extern struct workqueue_struct *rxrpc_workqueue;
73348
73349 /*
73350 diff -urNp linux-2.6.32.43/net/rxrpc/ar-key.c linux-2.6.32.43/net/rxrpc/ar-key.c
73351 --- linux-2.6.32.43/net/rxrpc/ar-key.c 2011-03-27 14:31:47.000000000 -0400
73352 +++ linux-2.6.32.43/net/rxrpc/ar-key.c 2011-04-17 15:56:46.000000000 -0400
73353 @@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
73354 return ret;
73355
73356 plen -= sizeof(*token);
73357 - token = kmalloc(sizeof(*token), GFP_KERNEL);
73358 + token = kzalloc(sizeof(*token), GFP_KERNEL);
73359 if (!token)
73360 return -ENOMEM;
73361
73362 - token->kad = kmalloc(plen, GFP_KERNEL);
73363 + token->kad = kzalloc(plen, GFP_KERNEL);
73364 if (!token->kad) {
73365 kfree(token);
73366 return -ENOMEM;
73367 @@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
73368 goto error;
73369
73370 ret = -ENOMEM;
73371 - token = kmalloc(sizeof(*token), GFP_KERNEL);
73372 + token = kzalloc(sizeof(*token), GFP_KERNEL);
73373 if (!token)
73374 goto error;
73375 - token->kad = kmalloc(plen, GFP_KERNEL);
73376 + token->kad = kzalloc(plen, GFP_KERNEL);
73377 if (!token->kad)
73378 goto error_free;
73379
73380 diff -urNp linux-2.6.32.43/net/rxrpc/ar-local.c linux-2.6.32.43/net/rxrpc/ar-local.c
73381 --- linux-2.6.32.43/net/rxrpc/ar-local.c 2011-03-27 14:31:47.000000000 -0400
73382 +++ linux-2.6.32.43/net/rxrpc/ar-local.c 2011-05-04 17:56:28.000000000 -0400
73383 @@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
73384 spin_lock_init(&local->lock);
73385 rwlock_init(&local->services_lock);
73386 atomic_set(&local->usage, 1);
73387 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
73388 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
73389 memcpy(&local->srx, srx, sizeof(*srx));
73390 }
73391
73392 diff -urNp linux-2.6.32.43/net/rxrpc/ar-output.c linux-2.6.32.43/net/rxrpc/ar-output.c
73393 --- linux-2.6.32.43/net/rxrpc/ar-output.c 2011-03-27 14:31:47.000000000 -0400
73394 +++ linux-2.6.32.43/net/rxrpc/ar-output.c 2011-05-04 17:56:28.000000000 -0400
73395 @@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
73396 sp->hdr.cid = call->cid;
73397 sp->hdr.callNumber = call->call_id;
73398 sp->hdr.seq =
73399 - htonl(atomic_inc_return(&call->sequence));
73400 + htonl(atomic_inc_return_unchecked(&call->sequence));
73401 sp->hdr.serial =
73402 - htonl(atomic_inc_return(&conn->serial));
73403 + htonl(atomic_inc_return_unchecked(&conn->serial));
73404 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
73405 sp->hdr.userStatus = 0;
73406 sp->hdr.securityIndex = conn->security_ix;
73407 diff -urNp linux-2.6.32.43/net/rxrpc/ar-peer.c linux-2.6.32.43/net/rxrpc/ar-peer.c
73408 --- linux-2.6.32.43/net/rxrpc/ar-peer.c 2011-03-27 14:31:47.000000000 -0400
73409 +++ linux-2.6.32.43/net/rxrpc/ar-peer.c 2011-05-04 17:56:28.000000000 -0400
73410 @@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
73411 INIT_LIST_HEAD(&peer->error_targets);
73412 spin_lock_init(&peer->lock);
73413 atomic_set(&peer->usage, 1);
73414 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
73415 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
73416 memcpy(&peer->srx, srx, sizeof(*srx));
73417
73418 rxrpc_assess_MTU_size(peer);
73419 diff -urNp linux-2.6.32.43/net/rxrpc/ar-proc.c linux-2.6.32.43/net/rxrpc/ar-proc.c
73420 --- linux-2.6.32.43/net/rxrpc/ar-proc.c 2011-03-27 14:31:47.000000000 -0400
73421 +++ linux-2.6.32.43/net/rxrpc/ar-proc.c 2011-05-04 17:56:28.000000000 -0400
73422 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
73423 atomic_read(&conn->usage),
73424 rxrpc_conn_states[conn->state],
73425 key_serial(conn->key),
73426 - atomic_read(&conn->serial),
73427 - atomic_read(&conn->hi_serial));
73428 + atomic_read_unchecked(&conn->serial),
73429 + atomic_read_unchecked(&conn->hi_serial));
73430
73431 return 0;
73432 }
73433 diff -urNp linux-2.6.32.43/net/rxrpc/ar-transport.c linux-2.6.32.43/net/rxrpc/ar-transport.c
73434 --- linux-2.6.32.43/net/rxrpc/ar-transport.c 2011-03-27 14:31:47.000000000 -0400
73435 +++ linux-2.6.32.43/net/rxrpc/ar-transport.c 2011-05-04 17:56:28.000000000 -0400
73436 @@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
73437 spin_lock_init(&trans->client_lock);
73438 rwlock_init(&trans->conn_lock);
73439 atomic_set(&trans->usage, 1);
73440 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
73441 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
73442
73443 if (peer->srx.transport.family == AF_INET) {
73444 switch (peer->srx.transport_type) {
73445 diff -urNp linux-2.6.32.43/net/rxrpc/rxkad.c linux-2.6.32.43/net/rxrpc/rxkad.c
73446 --- linux-2.6.32.43/net/rxrpc/rxkad.c 2011-03-27 14:31:47.000000000 -0400
73447 +++ linux-2.6.32.43/net/rxrpc/rxkad.c 2011-05-16 21:46:57.000000000 -0400
73448 @@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
73449 u16 check;
73450 int nsg;
73451
73452 + pax_track_stack();
73453 +
73454 sp = rxrpc_skb(skb);
73455
73456 _enter("");
73457 @@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
73458 u16 check;
73459 int nsg;
73460
73461 + pax_track_stack();
73462 +
73463 _enter("");
73464
73465 sp = rxrpc_skb(skb);
73466 @@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
73467
73468 len = iov[0].iov_len + iov[1].iov_len;
73469
73470 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
73471 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
73472 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
73473
73474 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
73475 @@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
73476
73477 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
73478
73479 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
73480 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
73481 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
73482
73483 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
73484 diff -urNp linux-2.6.32.43/net/sctp/proc.c linux-2.6.32.43/net/sctp/proc.c
73485 --- linux-2.6.32.43/net/sctp/proc.c 2011-03-27 14:31:47.000000000 -0400
73486 +++ linux-2.6.32.43/net/sctp/proc.c 2011-04-17 15:56:46.000000000 -0400
73487 @@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
73488 sctp_for_each_hentry(epb, node, &head->chain) {
73489 ep = sctp_ep(epb);
73490 sk = epb->sk;
73491 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
73492 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
73493 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73494 + NULL, NULL,
73495 +#else
73496 + ep, sk,
73497 +#endif
73498 sctp_sk(sk)->type, sk->sk_state, hash,
73499 epb->bind_addr.port,
73500 sock_i_uid(sk), sock_i_ino(sk));
73501 @@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
73502 seq_printf(seq,
73503 "%8p %8p %-3d %-3d %-2d %-4d "
73504 "%4d %8d %8d %7d %5lu %-5d %5d ",
73505 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
73506 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73507 + NULL, NULL,
73508 +#else
73509 + assoc, sk,
73510 +#endif
73511 + sctp_sk(sk)->type, sk->sk_state,
73512 assoc->state, hash,
73513 assoc->assoc_id,
73514 assoc->sndbuf_used,
73515 diff -urNp linux-2.6.32.43/net/sctp/socket.c linux-2.6.32.43/net/sctp/socket.c
73516 --- linux-2.6.32.43/net/sctp/socket.c 2011-03-27 14:31:47.000000000 -0400
73517 +++ linux-2.6.32.43/net/sctp/socket.c 2011-04-23 12:56:11.000000000 -0400
73518 @@ -5802,7 +5802,6 @@ pp_found:
73519 */
73520 int reuse = sk->sk_reuse;
73521 struct sock *sk2;
73522 - struct hlist_node *node;
73523
73524 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
73525 if (pp->fastreuse && sk->sk_reuse &&
73526 diff -urNp linux-2.6.32.43/net/socket.c linux-2.6.32.43/net/socket.c
73527 --- linux-2.6.32.43/net/socket.c 2011-03-27 14:31:47.000000000 -0400
73528 +++ linux-2.6.32.43/net/socket.c 2011-05-16 21:46:57.000000000 -0400
73529 @@ -87,6 +87,7 @@
73530 #include <linux/wireless.h>
73531 #include <linux/nsproxy.h>
73532 #include <linux/magic.h>
73533 +#include <linux/in.h>
73534
73535 #include <asm/uaccess.h>
73536 #include <asm/unistd.h>
73537 @@ -97,6 +98,21 @@
73538 #include <net/sock.h>
73539 #include <linux/netfilter.h>
73540
73541 +extern void gr_attach_curr_ip(const struct sock *sk);
73542 +extern int gr_handle_sock_all(const int family, const int type,
73543 + const int protocol);
73544 +extern int gr_handle_sock_server(const struct sockaddr *sck);
73545 +extern int gr_handle_sock_server_other(const struct sock *sck);
73546 +extern int gr_handle_sock_client(const struct sockaddr *sck);
73547 +extern int gr_search_connect(struct socket * sock,
73548 + struct sockaddr_in * addr);
73549 +extern int gr_search_bind(struct socket * sock,
73550 + struct sockaddr_in * addr);
73551 +extern int gr_search_listen(struct socket * sock);
73552 +extern int gr_search_accept(struct socket * sock);
73553 +extern int gr_search_socket(const int domain, const int type,
73554 + const int protocol);
73555 +
73556 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
73557 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
73558 unsigned long nr_segs, loff_t pos);
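Review bot: The ten `gr_*` prototypes are declared with `extern` directly in net/socket.c, so the compiler cannot check them against their definitions and a later signature change would go unnoticed at build time. They belong in a shared header that both this file and the defining file include; the definitions are not visible here, so whether such a header already exists needs confirming. Moving them also gives one place to document each hook's return convention.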
73559 @@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
73560 mnt);
73561 }
73562
73563 -static struct vfsmount *sock_mnt __read_mostly;
73564 +struct vfsmount *sock_mnt __read_mostly;
73565
73566 static struct file_system_type sock_fs_type = {
73567 .name = "sockfs",
73568 @@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
73569 return -EAFNOSUPPORT;
73570 if (type < 0 || type >= SOCK_MAX)
73571 return -EINVAL;
73572 + if (protocol < 0)
73573 + return -EINVAL;
73574
73575 /* Compatibility.
73576
73577 @@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
73578 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
73579 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
73580
73581 + if(!gr_search_socket(family, type, protocol)) {
73582 + retval = -EACCES;
73583 + goto out;
73584 + }
73585 +
73586 + if (gr_handle_sock_all(family, type, protocol)) {
73587 + retval = -EACCES;
73588 + goto out;
73589 + }
73590 +
73591 retval = sock_create(family, type, protocol, &sock);
73592 if (retval < 0)
73593 goto out;
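Review bot: The two hooks added before sock_create() use opposite return conventions: `gr_search_socket()` denies on zero while `gr_handle_sock_all()` denies on non-zero, and nothing at the call site says so. A short comment on each call, e.g. `/* returns 0 when policy denies */` and `/* returns non-zero when the restriction applies */`, would keep a later edit from inverting a check. The first test should also be written `if (!gr_search_socket(family, type, protocol)) {` with a space after `if`, matching the rest of the file. The conventions are inferred from how the results are tested, since the hook bodies are not visible; the syscall body continues outside the hunk.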
73594 @@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
73595 if (sock) {
73596 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
73597 if (err >= 0) {
73598 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
73599 + err = -EACCES;
73600 + goto error;
73601 + }
73602 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
73603 + if (err)
73604 + goto error;
73605 +
73606 err = security_socket_bind(sock,
73607 (struct sockaddr *)&address,
73608 addrlen);
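Review bot: `gr_search_bind()` receives `&address` cast to `struct sockaddr_in *` for every address family, and `addrlen` is not passed to it. If the hook reads `sin_port` or `sin_addr` without first checking `sa_family` and the length, it would interpret another family's data or bytes beyond what move_addr_to_kernel() copied; its body is not visible here, so this needs confirming. Passing the generic pointer and the length, e.g. `err = gr_search_bind(sock, (struct sockaddr *)&address, addrlen);`, would let the hook validate both. The connect hunk does the same with `gr_search_connect(sock, (struct sockaddr_in *)sck)`.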
73609 @@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
73610 (struct sockaddr *)
73611 &address, addrlen);
73612 }
73613 +error:
73614 fput_light(sock->file, fput_needed);
73615 }
73616 return err;
73617 @@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
73618 if ((unsigned)backlog > somaxconn)
73619 backlog = somaxconn;
73620
73621 + if (gr_handle_sock_server_other(sock->sk)) {
73622 + err = -EPERM;
73623 + goto error;
73624 + }
73625 +
73626 + err = gr_search_listen(sock);
73627 + if (err)
73628 + goto error;
73629 +
73630 err = security_socket_listen(sock, backlog);
73631 if (!err)
73632 err = sock->ops->listen(sock, backlog);
73633
73634 +error:
73635 fput_light(sock->file, fput_needed);
73636 }
73637 return err;
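Review bot: A denial from `gr_handle_sock_server_other()` is reported as `-EPERM` here and in the accept4 hunk, while the `gr_handle_*` denials in the socket, bind and connect hunks return `-EACCES`. If the difference is intended it deserves a comment at the assignment; otherwise use `err = -EACCES;` so callers and log analysis see one errno for the same class of policy denial. The listen body starts outside the hunk.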
73638 @@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
73639 newsock->type = sock->type;
73640 newsock->ops = sock->ops;
73641
73642 + if (gr_handle_sock_server_other(sock->sk)) {
73643 + err = -EPERM;
73644 + sock_release(newsock);
73645 + goto out_put;
73646 + }
73647 +
73648 + err = gr_search_accept(sock);
73649 + if (err) {
73650 + sock_release(newsock);
73651 + goto out_put;
73652 + }
73653 +
73654 /*
73655 * We don't need try_module_get here, as the listening socket (sock)
73656 * has the protocol module (sock->ops->owner) held.
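Review bot: Both new early exits call `sock_release(newsock)` after `newsock->ops` has been assigned but before the point described by the comment that follows, where the module reference for `newsock->ops->owner` appears to be taken. If sock_release() drops that reference whenever `ops` is set, these paths would release a reference that was never acquired; the reference-taking call is outside the hunk, so this should be confirmed. Running the two checks before newsock is allocated (above this hunk) needs no cleanup, leaving just `err = -EPERM; goto out_put;` and `if (err) goto out_put;`.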
73657 @@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
73658 fd_install(newfd, newfile);
73659 err = newfd;
73660
73661 + gr_attach_curr_ip(newsock->sk);
73662 +
73663 out_put:
73664 fput_light(sock->file, fput_needed);
73665 out:
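Review bot: `gr_attach_curr_ip(newsock->sk)` runs after `fd_install(newfd, newfile)`, when the descriptor is already visible to other threads sharing the file table and can be closed by them, so `newsock` may have been released by the time it is dereferenced. The call should come before the install: `gr_attach_curr_ip(newsock->sk);` and then `fd_install(newfd, newfile);`. The rest of accept4 is outside the hunk.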
73666 @@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
73667 int, addrlen)
73668 {
73669 struct socket *sock;
73670 + struct sockaddr *sck;
73671 struct sockaddr_storage address;
73672 int err, fput_needed;
73673
73674 @@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
73675 if (err < 0)
73676 goto out_put;
73677
73678 + sck = (struct sockaddr *)&address;
73679 +
73680 + if (gr_handle_sock_client(sck)) {
73681 + err = -EACCES;
73682 + goto out_put;
73683 + }
73684 +
73685 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
73686 + if (err)
73687 + goto out_put;
73688 +
73689 err =
73690 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
73691 if (err)
73692 @@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
73693 int err, ctl_len, iov_size, total_len;
73694 int fput_needed;
73695
73696 + pax_track_stack();
73697 +
73698 err = -EFAULT;
73699 if (MSG_CMSG_COMPAT & flags) {
73700 if (get_compat_msghdr(&msg_sys, msg_compat))
73701 diff -urNp linux-2.6.32.43/net/sunrpc/sched.c linux-2.6.32.43/net/sunrpc/sched.c
73702 --- linux-2.6.32.43/net/sunrpc/sched.c 2011-03-27 14:31:47.000000000 -0400
73703 +++ linux-2.6.32.43/net/sunrpc/sched.c 2011-04-17 15:56:46.000000000 -0400
73704 @@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
73705 #ifdef RPC_DEBUG
73706 static void rpc_task_set_debuginfo(struct rpc_task *task)
73707 {
73708 - static atomic_t rpc_pid;
73709 + static atomic_unchecked_t rpc_pid;
73710
73711 task->tk_magic = RPC_TASK_MAGIC_ID;
73712 - task->tk_pid = atomic_inc_return(&rpc_pid);
73713 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
73714 }
73715 #else
73716 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
73717 diff -urNp linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma.c
73718 --- linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-27 14:31:47.000000000 -0400
73719 +++ linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-04 17:56:20.000000000 -0400
73720 @@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
73721 static unsigned int min_max_inline = 4096;
73722 static unsigned int max_max_inline = 65536;
73723
73724 -atomic_t rdma_stat_recv;
73725 -atomic_t rdma_stat_read;
73726 -atomic_t rdma_stat_write;
73727 -atomic_t rdma_stat_sq_starve;
73728 -atomic_t rdma_stat_rq_starve;
73729 -atomic_t rdma_stat_rq_poll;
73730 -atomic_t rdma_stat_rq_prod;
73731 -atomic_t rdma_stat_sq_poll;
73732 -atomic_t rdma_stat_sq_prod;
73733 +atomic_unchecked_t rdma_stat_recv;
73734 +atomic_unchecked_t rdma_stat_read;
73735 +atomic_unchecked_t rdma_stat_write;
73736 +atomic_unchecked_t rdma_stat_sq_starve;
73737 +atomic_unchecked_t rdma_stat_rq_starve;
73738 +atomic_unchecked_t rdma_stat_rq_poll;
73739 +atomic_unchecked_t rdma_stat_rq_prod;
73740 +atomic_unchecked_t rdma_stat_sq_poll;
73741 +atomic_unchecked_t rdma_stat_sq_prod;
73742
73743 /* Temporary NFS request map and context caches */
73744 struct kmem_cache *svc_rdma_map_cachep;
73745 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
73746 len -= *ppos;
73747 if (len > *lenp)
73748 len = *lenp;
73749 - if (len && copy_to_user(buffer, str_buf, len))
73750 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
73751 return -EFAULT;
73752 *lenp = len;
73753 *ppos += len;
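Review bot: The new `len > sizeof str_buf` test rejects a negative `len` only through the implicit conversion to `size_t`, which is easy to miss and depends on the type of `len` (declared outside the hunk). Writing the bound out, e.g. `if (len < 0 || (size_t)len > sizeof(str_buf))`, makes the guard explicit and keeps it correct if the type changes. An out-of-range length is also not a faulting user address, so `-EINVAL` may describe that case better than the `-EFAULT` it currently shares with copy_to_user().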
73754 @@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
73755 {
73756 .procname = "rdma_stat_read",
73757 .data = &rdma_stat_read,
73758 - .maxlen = sizeof(atomic_t),
73759 + .maxlen = sizeof(atomic_unchecked_t),
73760 .mode = 0644,
73761 .proc_handler = &read_reset_stat,
73762 },
73763 {
73764 .procname = "rdma_stat_recv",
73765 .data = &rdma_stat_recv,
73766 - .maxlen = sizeof(atomic_t),
73767 + .maxlen = sizeof(atomic_unchecked_t),
73768 .mode = 0644,
73769 .proc_handler = &read_reset_stat,
73770 },
73771 {
73772 .procname = "rdma_stat_write",
73773 .data = &rdma_stat_write,
73774 - .maxlen = sizeof(atomic_t),
73775 + .maxlen = sizeof(atomic_unchecked_t),
73776 .mode = 0644,
73777 .proc_handler = &read_reset_stat,
73778 },
73779 {
73780 .procname = "rdma_stat_sq_starve",
73781 .data = &rdma_stat_sq_starve,
73782 - .maxlen = sizeof(atomic_t),
73783 + .maxlen = sizeof(atomic_unchecked_t),
73784 .mode = 0644,
73785 .proc_handler = &read_reset_stat,
73786 },
73787 {
73788 .procname = "rdma_stat_rq_starve",
73789 .data = &rdma_stat_rq_starve,
73790 - .maxlen = sizeof(atomic_t),
73791 + .maxlen = sizeof(atomic_unchecked_t),
73792 .mode = 0644,
73793 .proc_handler = &read_reset_stat,
73794 },
73795 {
73796 .procname = "rdma_stat_rq_poll",
73797 .data = &rdma_stat_rq_poll,
73798 - .maxlen = sizeof(atomic_t),
73799 + .maxlen = sizeof(atomic_unchecked_t),
73800 .mode = 0644,
73801 .proc_handler = &read_reset_stat,
73802 },
73803 {
73804 .procname = "rdma_stat_rq_prod",
73805 .data = &rdma_stat_rq_prod,
73806 - .maxlen = sizeof(atomic_t),
73807 + .maxlen = sizeof(atomic_unchecked_t),
73808 .mode = 0644,
73809 .proc_handler = &read_reset_stat,
73810 },
73811 {
73812 .procname = "rdma_stat_sq_poll",
73813 .data = &rdma_stat_sq_poll,
73814 - .maxlen = sizeof(atomic_t),
73815 + .maxlen = sizeof(atomic_unchecked_t),
73816 .mode = 0644,
73817 .proc_handler = &read_reset_stat,
73818 },
73819 {
73820 .procname = "rdma_stat_sq_prod",
73821 .data = &rdma_stat_sq_prod,
73822 - .maxlen = sizeof(atomic_t),
73823 + .maxlen = sizeof(atomic_unchecked_t),
73824 .mode = 0644,
73825 .proc_handler = &read_reset_stat,
73826 },
73827 diff -urNp linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
73828 --- linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-27 14:31:47.000000000 -0400
73829 +++ linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-04 17:56:28.000000000 -0400
73830 @@ -495,7 +495,7 @@ next_sge:
73831 svc_rdma_put_context(ctxt, 0);
73832 goto out;
73833 }
73834 - atomic_inc(&rdma_stat_read);
73835 + atomic_inc_unchecked(&rdma_stat_read);
73836
73837 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
73838 chl_map->ch[ch_no].count -= read_wr.num_sge;
73839 @@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
73840 dto_q);
73841 list_del_init(&ctxt->dto_q);
73842 } else {
73843 - atomic_inc(&rdma_stat_rq_starve);
73844 + atomic_inc_unchecked(&rdma_stat_rq_starve);
73845 clear_bit(XPT_DATA, &xprt->xpt_flags);
73846 ctxt = NULL;
73847 }
73848 @@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
73849 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
73850 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
73851 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
73852 - atomic_inc(&rdma_stat_recv);
73853 + atomic_inc_unchecked(&rdma_stat_recv);
73854
73855 /* Build up the XDR from the receive buffers. */
73856 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
73857 diff -urNp linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_sendto.c
73858 --- linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-27 14:31:47.000000000 -0400
73859 +++ linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-04 17:56:28.000000000 -0400
73860 @@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
73861 write_wr.wr.rdma.remote_addr = to;
73862
73863 /* Post It */
73864 - atomic_inc(&rdma_stat_write);
73865 + atomic_inc_unchecked(&rdma_stat_write);
73866 if (svc_rdma_send(xprt, &write_wr))
73867 goto err;
73868 return 0;
73869 diff -urNp linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_transport.c
73870 --- linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-27 14:31:47.000000000 -0400
73871 +++ linux-2.6.32.43/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-04 17:56:28.000000000 -0400
73872 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
73873 return;
73874
73875 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
73876 - atomic_inc(&rdma_stat_rq_poll);
73877 + atomic_inc_unchecked(&rdma_stat_rq_poll);
73878
73879 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
73880 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
73881 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
73882 }
73883
73884 if (ctxt)
73885 - atomic_inc(&rdma_stat_rq_prod);
73886 + atomic_inc_unchecked(&rdma_stat_rq_prod);
73887
73888 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
73889 /*
73890 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
73891 return;
73892
73893 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
73894 - atomic_inc(&rdma_stat_sq_poll);
73895 + atomic_inc_unchecked(&rdma_stat_sq_poll);
73896 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
73897 if (wc.status != IB_WC_SUCCESS)
73898 /* Close the transport */
73899 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
73900 }
73901
73902 if (ctxt)
73903 - atomic_inc(&rdma_stat_sq_prod);
73904 + atomic_inc_unchecked(&rdma_stat_sq_prod);
73905 }
73906
73907 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
73908 @@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
73909 spin_lock_bh(&xprt->sc_lock);
73910 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
73911 spin_unlock_bh(&xprt->sc_lock);
73912 - atomic_inc(&rdma_stat_sq_starve);
73913 + atomic_inc_unchecked(&rdma_stat_sq_starve);
73914
73915 /* See if we can opportunistically reap SQ WR to make room */
73916 sq_cq_reap(xprt);
73917 diff -urNp linux-2.6.32.43/net/sysctl_net.c linux-2.6.32.43/net/sysctl_net.c
73918 --- linux-2.6.32.43/net/sysctl_net.c 2011-03-27 14:31:47.000000000 -0400
73919 +++ linux-2.6.32.43/net/sysctl_net.c 2011-04-17 15:56:46.000000000 -0400
73920 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
73921 struct ctl_table *table)
73922 {
73923 /* Allow network administrator to have same access as root. */
73924 - if (capable(CAP_NET_ADMIN)) {
73925 + if (capable_nolog(CAP_NET_ADMIN)) {
73926 int mode = (table->mode >> 6) & 7;
73927 return (mode << 6) | (mode << 3) | mode;
73928 }
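Review bot: The switch to `capable_nolog(CAP_NET_ADMIN)` in net_ctl_permissions carries no comment saying why this one capability test is exempt from logging, so a later reader cannot tell whether the exemption is deliberate. capable_nolog is not defined in this hunk; presumably it performs the same check without emitting a log record, which would fit a permission callback that runs on every access to a net sysctl entry. I would add above the test something like `/* nolog: called on every net sysctl access; a failed CAP_NET_ADMIN probe here is not worth a log entry */`, worded to match the real rationale. The end of the function is outside the hunk.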
73929 diff -urNp linux-2.6.32.43/net/unix/af_unix.c linux-2.6.32.43/net/unix/af_unix.c
73930 --- linux-2.6.32.43/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
73931 +++ linux-2.6.32.43/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -0400
73932 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
73933 err = -ECONNREFUSED;
73934 if (!S_ISSOCK(inode->i_mode))
73935 goto put_fail;
73936 +
73937 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
73938 + err = -EACCES;
73939 + goto put_fail;
73940 + }
73941 +
73942 u = unix_find_socket_byinode(net, inode);
73943 if (!u)
73944 goto put_fail;
73945 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
73946 if (u) {
73947 struct dentry *dentry;
73948 dentry = unix_sk(u)->dentry;
73949 +
73950 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
73951 + err = -EPERM;
73952 + sock_put(u);
73953 + goto fail;
73954 + }
73955 +
73956 if (dentry)
73957 touch_atime(unix_sk(u)->mnt, dentry);
73958 } else
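Review bot: The chroot check in the abstract-socket branch keys on the numeric `u->sk_peercred.pid`, which is a value recorded on the socket at some earlier point rather than a reference to a live task. If that process has since exited, the number may resolve to nothing or to an unrelated process, and gr_handle_chroot_unix (not visible here) would then be judging the wrong subject; it is worth confirming how it treats a pid of 0 or one that no longer resolves. A comment at the call such as `/* sk_peercred.pid may be 0 or stale; gr_handle_chroot_unix decides explicitly in that case */` would record the answer. unix_find_other starts and ends outside the hunk.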
73959 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
73960 err = security_path_mknod(&nd.path, dentry, mode, 0);
73961 if (err)
73962 goto out_mknod_drop_write;
73963 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
73964 + err = -EACCES;
73965 + goto out_mknod_drop_write;
73966 + }
73967 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
73968 out_mknod_drop_write:
73969 mnt_drop_write(nd.path.mnt);
73970 if (err)
73971 goto out_mknod_dput;
73972 +
73973 + gr_handle_create(dentry, nd.path.mnt);
73974 +
73975 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
73976 dput(nd.path.dentry);
73977 nd.path.dentry = dentry;
73978 @@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file
73979 unix_state_lock(s);
73980
73981 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
73982 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73983 + NULL,
73984 +#else
73985 s,
73986 +#endif
73987 atomic_read(&s->sk_refcnt),
73988 0,
73989 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
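Review bot: With CONFIG_GRKERNSEC_HIDESYM the first column of every /proc/net/unix row is formatted from `NULL`, so the column stops being a per-socket identifier and, depending on how this kernel's vsnprintf renders a null `%p`, may no longer be a hex field at all. Userspace tools that parse the file by column could misread it, so the trade-off should be recorded next to the `#ifdef`, e.g. `/* HIDESYM: never expose the struct sock address; column kept only for format compatibility */`. Splitting the argument list with preprocessor lines is also hard to read; a local `void *shown = s;` overridden to `NULL` under the `#ifdef` before the call would keep the seq_printf call intact. The function continues outside the hunk.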
73990 diff -urNp linux-2.6.32.43/net/wireless/core.c linux-2.6.32.43/net/wireless/core.c
73991 --- linux-2.6.32.43/net/wireless/core.c 2011-03-27 14:31:47.000000000 -0400
73992 +++ linux-2.6.32.43/net/wireless/core.c 2011-08-05 20:33:55.000000000 -0400
73993 @@ -367,7 +367,7 @@ struct wiphy *wiphy_new(const struct cfg
73994
73995 wiphy_net_set(&rdev->wiphy, &init_net);
73996
73997 - rdev->rfkill_ops.set_block = cfg80211_rfkill_set_block;
73998 + *(void **)&rdev->rfkill_ops.set_block = cfg80211_rfkill_set_block;
73999 rdev->rfkill = rfkill_alloc(dev_name(&rdev->wiphy.dev),
74000 &rdev->wiphy.dev, RFKILL_TYPE_WLAN,
74001 &rdev->rfkill_ops, rdev);
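Review bot: The store `*(void **)&rdev->rfkill_ops.set_block = cfg80211_rfkill_set_block;` erases the function-pointer type, so the compiler no longer checks that the handler matches the `set_block` member's signature; the `poll` assignment in wiphy_rfkill_start_polling in the next hunk has the same problem. The cast presumably exists because the ops members are const-qualified elsewhere in this patch, which is not visible here. A comment at each site, e.g. `/* rfkill_ops members are const; this is the single sanctioned runtime initialisation */`, would keep the cast from being copied as a general idiom, and casting to a pointer to the member's own function-pointer type instead of `void **` would retain the signature check.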
74002 @@ -505,7 +505,7 @@ void wiphy_rfkill_start_polling(struct w
74003
74004 if (!rdev->ops->rfkill_poll)
74005 return;
74006 - rdev->rfkill_ops.poll = cfg80211_rfkill_poll;
74007 + *(void **)&rdev->rfkill_ops.poll = cfg80211_rfkill_poll;
74008 rfkill_resume_polling(rdev->rfkill);
74009 }
74010 EXPORT_SYMBOL(wiphy_rfkill_start_polling);
74011 diff -urNp linux-2.6.32.43/net/wireless/wext.c linux-2.6.32.43/net/wireless/wext.c
74012 --- linux-2.6.32.43/net/wireless/wext.c 2011-03-27 14:31:47.000000000 -0400
74013 +++ linux-2.6.32.43/net/wireless/wext.c 2011-04-17 15:56:46.000000000 -0400
74014 @@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
74015 */
74016
74017 /* Support for very large requests */
74018 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
74019 - (user_length > descr->max_tokens)) {
74020 + if (user_length > descr->max_tokens) {
74021 /* Allow userspace to GET more than max so
74022 * we can support any size GET requests.
74023 * There is still a limit : -ENOMEM.
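Review bot: After dropping the `IW_DESCR_FLAG_NOMAX` test, the branch is taken for every descriptor whose `user_length` exceeds `descr->max_tokens`, but the surrounding comments still read as if only "very large" GET requests are special-cased. The body of the branch is outside the hunk; since it presumably sizes the `extra` buffer, the comment should state the new rule, for example `/* Size the buffer from the caller's length whenever it exceeds max_tokens, for all descriptors */`. It would also help to name the upper bound that still applies, because the following hunk removes the code that clamped `iwp->length` to `max_tokens`.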
74024 @@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
74025 }
74026 }
74027
74028 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
74029 - /*
74030 - * If this is a GET, but not NOMAX, it means that the extra
74031 - * data is not bounded by userspace, but by max_tokens. Thus
74032 - * set the length to max_tokens. This matches the extra data
74033 - * allocation.
74034 - * The driver should fill it with the number of tokens it
74035 - * provided, and it may check iwp->length rather than having
74036 - * knowledge of max_tokens. If the driver doesn't change the
74037 - * iwp->length, this ioctl just copies back max_token tokens
74038 - * filled with zeroes. Hopefully the driver isn't claiming
74039 - * them to be valid data.
74040 - */
74041 - iwp->length = descr->max_tokens;
74042 - }
74043 -
74044 err = handler(dev, info, (union iwreq_data *) iwp, extra);
74045
74046 iwp->length += essid_compat;
74047 diff -urNp linux-2.6.32.43/net/xfrm/xfrm_policy.c linux-2.6.32.43/net/xfrm/xfrm_policy.c
74048 --- linux-2.6.32.43/net/xfrm/xfrm_policy.c 2011-03-27 14:31:47.000000000 -0400
74049 +++ linux-2.6.32.43/net/xfrm/xfrm_policy.c 2011-05-04 17:56:20.000000000 -0400
74050 @@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
74051 hlist_add_head(&policy->bydst, chain);
74052 xfrm_pol_hold(policy);
74053 net->xfrm.policy_count[dir]++;
74054 - atomic_inc(&flow_cache_genid);
74055 + atomic_inc_unchecked(&flow_cache_genid);
74056 if (delpol)
74057 __xfrm_policy_unlink(delpol, dir);
74058 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
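Review bot: `flow_cache_genid` is moved to the unchecked atomic helpers here and in the other xfrm_policy.c hunks (xfrm_policy_bysel_ctx, xfrm_policy_byid, xfrm_policy_flush, xfrm_policy_delete and both reads in __xfrm_lookup) without any statement of why wrap-around is acceptable. Unlike a statistics counter, this value is compared for equality in __xfrm_lookup to decide whether to restart, so the reasoning deserves one line where the variable is declared (outside these hunks), such as `/* generation counter: only compared for equality, wrap is benign */`. The ima_add_violation hunk later in this patch shows a counter that already carries a comment of that kind.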
74059 @@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
74060 write_unlock_bh(&xfrm_policy_lock);
74061
74062 if (ret && delete) {
74063 - atomic_inc(&flow_cache_genid);
74064 + atomic_inc_unchecked(&flow_cache_genid);
74065 xfrm_policy_kill(ret);
74066 }
74067 return ret;
74068 @@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
74069 write_unlock_bh(&xfrm_policy_lock);
74070
74071 if (ret && delete) {
74072 - atomic_inc(&flow_cache_genid);
74073 + atomic_inc_unchecked(&flow_cache_genid);
74074 xfrm_policy_kill(ret);
74075 }
74076 return ret;
74077 @@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
74078 }
74079
74080 }
74081 - atomic_inc(&flow_cache_genid);
74082 + atomic_inc_unchecked(&flow_cache_genid);
74083 out:
74084 write_unlock_bh(&xfrm_policy_lock);
74085 return err;
74086 @@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
74087 write_unlock_bh(&xfrm_policy_lock);
74088 if (pol) {
74089 if (dir < XFRM_POLICY_MAX)
74090 - atomic_inc(&flow_cache_genid);
74091 + atomic_inc_unchecked(&flow_cache_genid);
74092 xfrm_policy_kill(pol);
74093 return 0;
74094 }
74095 @@ -1477,7 +1477,7 @@ free_dst:
74096 goto out;
74097 }
74098
74099 -static int inline
74100 +static inline int
74101 xfrm_dst_alloc_copy(void **target, void *src, int size)
74102 {
74103 if (!*target) {
74104 @@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
74105 return 0;
74106 }
74107
74108 -static int inline
74109 +static inline int
74110 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
74111 {
74112 #ifdef CONFIG_XFRM_SUB_POLICY
74113 @@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
74114 #endif
74115 }
74116
74117 -static int inline
74118 +static inline int
74119 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
74120 {
74121 #ifdef CONFIG_XFRM_SUB_POLICY
74122 @@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
74123 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
74124
74125 restart:
74126 - genid = atomic_read(&flow_cache_genid);
74127 + genid = atomic_read_unchecked(&flow_cache_genid);
74128 policy = NULL;
74129 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
74130 pols[pi] = NULL;
74131 @@ -1680,7 +1680,7 @@ restart:
74132 goto error;
74133 }
74134 if (nx == -EAGAIN ||
74135 - genid != atomic_read(&flow_cache_genid)) {
74136 + genid != atomic_read_unchecked(&flow_cache_genid)) {
74137 xfrm_pols_put(pols, npols);
74138 goto restart;
74139 }
74140 diff -urNp linux-2.6.32.43/net/xfrm/xfrm_user.c linux-2.6.32.43/net/xfrm/xfrm_user.c
74141 --- linux-2.6.32.43/net/xfrm/xfrm_user.c 2011-03-27 14:31:47.000000000 -0400
74142 +++ linux-2.6.32.43/net/xfrm/xfrm_user.c 2011-05-16 21:46:57.000000000 -0400
74143 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
74144 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
74145 int i;
74146
74147 + pax_track_stack();
74148 +
74149 if (xp->xfrm_nr == 0)
74150 return 0;
74151
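Review bot: `struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH]` is declared without an initializer, and the added `pax_track_stack()` call, judging by its name, accounts for stack usage rather than clearing the array. If the rest of copy_to_user_tmpl (outside the hunk) fills the entries field by field and then copies them out whole, padding and unset fields would carry stale kernel stack bytes to the receiver. Confirm that against the full function and, if it holds, zero the array with `memset(vec, 0, sizeof(vec));` placed after the `xp->xfrm_nr == 0` early return.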
74152 @@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
74153 int err;
74154 int n = 0;
74155
74156 + pax_track_stack();
74157 +
74158 if (attrs[XFRMA_MIGRATE] == NULL)
74159 return -EINVAL;
74160
74161 diff -urNp linux-2.6.32.43/samples/kobject/kset-example.c linux-2.6.32.43/samples/kobject/kset-example.c
74162 --- linux-2.6.32.43/samples/kobject/kset-example.c 2011-03-27 14:31:47.000000000 -0400
74163 +++ linux-2.6.32.43/samples/kobject/kset-example.c 2011-04-17 15:56:46.000000000 -0400
74164 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
74165 }
74166
74167 /* Our custom sysfs_ops that we will associate with our ktype later on */
74168 -static struct sysfs_ops foo_sysfs_ops = {
74169 +static const struct sysfs_ops foo_sysfs_ops = {
74170 .show = foo_attr_show,
74171 .store = foo_attr_store,
74172 };
74173 diff -urNp linux-2.6.32.43/scripts/basic/fixdep.c linux-2.6.32.43/scripts/basic/fixdep.c
74174 --- linux-2.6.32.43/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
74175 +++ linux-2.6.32.43/scripts/basic/fixdep.c 2011-04-17 15:56:46.000000000 -0400
74176 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
74177
74178 static void parse_config_file(char *map, size_t len)
74179 {
74180 - int *end = (int *) (map + len);
74181 + unsigned int *end = (unsigned int *) (map + len);
74182 /* start at +1, so that p can never be < map */
74183 - int *m = (int *) map + 1;
74184 + unsigned int *m = (unsigned int *) map + 1;
74185 char *p, *q;
74186
74187 for (; m < end; m++) {
74188 @@ -371,7 +371,7 @@ static void print_deps(void)
74189 static void traps(void)
74190 {
74191 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
74192 - int *p = (int *)test;
74193 + unsigned int *p = (unsigned int *)test;
74194
74195 if (*p != INT_CONF) {
74196 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
74197 diff -urNp linux-2.6.32.43/scripts/gcc-plugin.sh linux-2.6.32.43/scripts/gcc-plugin.sh
74198 --- linux-2.6.32.43/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
74199 +++ linux-2.6.32.43/scripts/gcc-plugin.sh 2011-08-05 20:33:55.000000000 -0400
74200 @@ -0,0 +1,3 @@
74201 +#!/bin/sh
74202 +
74203 +echo "#include \"gcc-plugin.h\"" | $* -x c - -c -o /dev/null -I`$* -print-file-name=plugin`/include>/dev/null 2>&1 && echo "y"
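Review bot: The compiler command is expanded as unquoted `$*` twice and the `-print-file-name=plugin` result is spliced in through unquoted backticks, so a compiler path or plugin directory containing whitespace or glob characters is split or expanded before use. If callers pass the compiler as separate words, `"$@"` preserves them and the include path can be quoted as `-I"$("$@" -print-file-name=plugin)/include"`. The script also prints nothing and exits non-zero when the probe fails, which is worth a one-line header comment such as `# prints "y" if the given compiler can build GCC plugins` so callers know the contract. How the script is invoked is not visible in this hunk.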
74204 diff -urNp linux-2.6.32.43/scripts/Makefile.build linux-2.6.32.43/scripts/Makefile.build
74205 --- linux-2.6.32.43/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
74206 +++ linux-2.6.32.43/scripts/Makefile.build 2011-06-04 20:46:51.000000000 -0400
74207 @@ -59,7 +59,7 @@ endif
74208 endif
74209
74210 # Do not include host rules unless needed
74211 -ifneq ($(hostprogs-y)$(hostprogs-m),)
74212 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
74213 include scripts/Makefile.host
74214 endif
74215
74216 diff -urNp linux-2.6.32.43/scripts/Makefile.clean linux-2.6.32.43/scripts/Makefile.clean
74217 --- linux-2.6.32.43/scripts/Makefile.clean 2011-03-27 14:31:47.000000000 -0400
74218 +++ linux-2.6.32.43/scripts/Makefile.clean 2011-06-04 20:47:19.000000000 -0400
74219 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
74220 __clean-files := $(extra-y) $(always) \
74221 $(targets) $(clean-files) \
74222 $(host-progs) \
74223 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
74224 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
74225 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
74226
74227 # as clean-files is given relative to the current directory, this adds
74228 # a $(obj) prefix, except for absolute paths
74229 diff -urNp linux-2.6.32.43/scripts/Makefile.host linux-2.6.32.43/scripts/Makefile.host
74230 --- linux-2.6.32.43/scripts/Makefile.host 2011-03-27 14:31:47.000000000 -0400
74231 +++ linux-2.6.32.43/scripts/Makefile.host 2011-06-04 20:48:22.000000000 -0400
74232 @@ -31,6 +31,7 @@
74233 # Note: Shared libraries consisting of C++ files are not supported
74234
74235 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
74236 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
74237
74238 # C code
74239 # Executables compiled from a single .c file
74240 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
74241 # Shared libaries (only .c supported)
74242 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
74243 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
74244 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
74245 # Remove .so files from "xxx-objs"
74246 host-cobjs := $(filter-out %.so,$(host-cobjs))
74247
74248 diff -urNp linux-2.6.32.43/scripts/mod/file2alias.c linux-2.6.32.43/scripts/mod/file2alias.c
74249 --- linux-2.6.32.43/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
74250 +++ linux-2.6.32.43/scripts/mod/file2alias.c 2011-04-17 15:56:46.000000000 -0400
74251 @@ -72,7 +72,7 @@ static void device_id_check(const char *
74252 unsigned long size, unsigned long id_size,
74253 void *symval)
74254 {
74255 - int i;
74256 + unsigned int i;
74257
74258 if (size % id_size || size < id_size) {
74259 if (cross_build != 0)
74260 @@ -102,7 +102,7 @@ static void device_id_check(const char *
74261 /* USB is special because the bcdDevice can be matched against a numeric range */
74262 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
74263 static void do_usb_entry(struct usb_device_id *id,
74264 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
74265 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
74266 unsigned char range_lo, unsigned char range_hi,
74267 struct module *mod)
74268 {
74269 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
74270 for (i = 0; i < count; i++) {
74271 const char *id = (char *)devs[i].id;
74272 char acpi_id[sizeof(devs[0].id)];
74273 - int j;
74274 + unsigned int j;
74275
74276 buf_printf(&mod->dev_table_buf,
74277 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
74278 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
74279
74280 for (j = 0; j < PNP_MAX_DEVICES; j++) {
74281 const char *id = (char *)card->devs[j].id;
74282 - int i2, j2;
74283 + unsigned int i2, j2;
74284 int dup = 0;
74285
74286 if (!id[0])
74287 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
74288 /* add an individual alias for every device entry */
74289 if (!dup) {
74290 char acpi_id[sizeof(card->devs[0].id)];
74291 - int k;
74292 + unsigned int k;
74293
74294 buf_printf(&mod->dev_table_buf,
74295 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
74296 @@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
74297 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
74298 char *alias)
74299 {
74300 - int i, j;
74301 + unsigned int i, j;
74302
74303 sprintf(alias, "dmi*");
74304
74305 diff -urNp linux-2.6.32.43/scripts/mod/modpost.c linux-2.6.32.43/scripts/mod/modpost.c
74306 --- linux-2.6.32.43/scripts/mod/modpost.c 2011-03-27 14:31:47.000000000 -0400
74307 +++ linux-2.6.32.43/scripts/mod/modpost.c 2011-07-06 19:53:33.000000000 -0400
74308 @@ -835,6 +835,7 @@ enum mismatch {
74309 INIT_TO_EXIT,
74310 EXIT_TO_INIT,
74311 EXPORT_TO_INIT_EXIT,
74312 + DATA_TO_TEXT
74313 };
74314
74315 struct sectioncheck {
74316 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
74317 .fromsec = { "__ksymtab*", NULL },
74318 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
74319 .mismatch = EXPORT_TO_INIT_EXIT
74320 +},
74321 +/* Do not reference code from writable data */
74322 +{
74323 + .fromsec = { DATA_SECTIONS, NULL },
74324 + .tosec = { TEXT_SECTIONS, NULL },
74325 + .mismatch = DATA_TO_TEXT
74326 }
74327 };
74328
74329 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
74330 continue;
74331 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
74332 continue;
74333 - if (sym->st_value == addr)
74334 - return sym;
74335 /* Find a symbol nearby - addr are maybe negative */
74336 d = sym->st_value - addr;
74337 + if (d == 0)
74338 + return sym;
74339 if (d < 0)
74340 d = addr - sym->st_value;
74341 if (d < distance) {
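Review bot: The exact-match test now runs on the difference `d` instead of comparing `sym->st_value` with `addr` directly, so its result depends on the type of `d`, which is declared outside the hunk. If `d` is narrower than `st_value`, two different addresses whose difference truncates to zero would be returned as an exact match, which the removed `sym->st_value == addr` comparison would not have done. Either keep the direct comparison ahead of the subtraction, or document next to the new test why narrowing cannot occur, e.g. `/* d has the full width of st_value, so d == 0 means an exact match */`, once that has been verified.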
74342 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
74343 "Fix this by removing the %sannotation of %s "
74344 "or drop the export.\n",
74345 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
74346 + case DATA_TO_TEXT:
74347 +/*
74348 + fprintf(stderr,
74349 + "The variable %s references\n"
74350 + "the %s %s%s%s\n",
74351 + fromsym, to, sec2annotation(tosec), tosym, to_p);
74352 +*/
74353 + break;
74354 case NO_MISMATCH:
74355 /* To get warnings on missing members */
74356 break;
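Review bot: `case DATA_TO_TEXT:` is inserted directly after the `fprintf` that ends the preceding case, with no `break;` between them, so the preceding case now falls through into the new one. That is harmless only while the new body is commented out; re-enabling the `fprintf` would make the preceding case print the DATA_TO_TEXT text as well. Add `break;` before `case DATA_TO_TEXT:` (or an explicit `/* fallthrough */` if that is intended), and either delete the commented-out `fprintf` or replace it with a comment saying why this mismatch is detected but not reported. The switch starts outside the hunk.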
74357 @@ -1495,7 +1510,7 @@ static void section_rel(const char *modn
74358 static void check_sec_ref(struct module *mod, const char *modname,
74359 struct elf_info *elf)
74360 {
74361 - int i;
74362 + unsigned int i;
74363 Elf_Shdr *sechdrs = elf->sechdrs;
74364
74365 /* Walk through all sections */
74366 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
74367 va_end(ap);
74368 }
74369
74370 -void buf_write(struct buffer *buf, const char *s, int len)
74371 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
74372 {
74373 if (buf->size - buf->pos < len) {
74374 buf->size += len + SZ;
74375 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
74376 if (fstat(fileno(file), &st) < 0)
74377 goto close_write;
74378
74379 - if (st.st_size != b->pos)
74380 + if (st.st_size != (off_t)b->pos)
74381 goto close_write;
74382
74383 tmp = NOFAIL(malloc(b->pos));
74384 diff -urNp linux-2.6.32.43/scripts/mod/modpost.h linux-2.6.32.43/scripts/mod/modpost.h
74385 --- linux-2.6.32.43/scripts/mod/modpost.h 2011-03-27 14:31:47.000000000 -0400
74386 +++ linux-2.6.32.43/scripts/mod/modpost.h 2011-04-17 15:56:46.000000000 -0400
74387 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
74388
74389 struct buffer {
74390 char *p;
74391 - int pos;
74392 - int size;
74393 + unsigned int pos;
74394 + unsigned int size;
74395 };
74396
74397 void __attribute__((format(printf, 2, 3)))
74398 buf_printf(struct buffer *buf, const char *fmt, ...);
74399
74400 void
74401 -buf_write(struct buffer *buf, const char *s, int len);
74402 +buf_write(struct buffer *buf, const char *s, unsigned int len);
74403
74404 struct module {
74405 struct module *next;
74406 diff -urNp linux-2.6.32.43/scripts/mod/sumversion.c linux-2.6.32.43/scripts/mod/sumversion.c
74407 --- linux-2.6.32.43/scripts/mod/sumversion.c 2011-03-27 14:31:47.000000000 -0400
74408 +++ linux-2.6.32.43/scripts/mod/sumversion.c 2011-04-17 15:56:46.000000000 -0400
74409 @@ -455,7 +455,7 @@ static void write_version(const char *fi
74410 goto out;
74411 }
74412
74413 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
74414 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
74415 warn("writing sum in %s failed: %s\n",
74416 filename, strerror(errno));
74417 goto out;
74418 diff -urNp linux-2.6.32.43/scripts/package/mkspec linux-2.6.32.43/scripts/package/mkspec
74419 --- linux-2.6.32.43/scripts/package/mkspec 2011-03-27 14:31:47.000000000 -0400
74420 +++ linux-2.6.32.43/scripts/package/mkspec 2011-07-19 18:19:12.000000000 -0400
74421 @@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM
74422 echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware'
74423 echo "%endif"
74424
74425 -echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= modules_install'
74426 +echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SRC= modules_install'
74427 echo "%ifarch ia64"
74428 echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE"
74429 echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/"
74430 diff -urNp linux-2.6.32.43/scripts/pnmtologo.c linux-2.6.32.43/scripts/pnmtologo.c
74431 --- linux-2.6.32.43/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0400
74432 +++ linux-2.6.32.43/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0400
74433 @@ -237,14 +237,14 @@ static void write_header(void)
74434 fprintf(out, " * Linux logo %s\n", logoname);
74435 fputs(" */\n\n", out);
74436 fputs("#include <linux/linux_logo.h>\n\n", out);
74437 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
74438 + fprintf(out, "static unsigned char %s_data[] = {\n",
74439 logoname);
74440 }
74441
74442 static void write_footer(void)
74443 {
74444 fputs("\n};\n\n", out);
74445 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
74446 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
74447 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
74448 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
74449 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
74450 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
74451 fputs("\n};\n\n", out);
74452
74453 /* write logo clut */
74454 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
74455 + fprintf(out, "static unsigned char %s_clut[] = {\n",
74456 logoname);
74457 write_hex_cnt = 0;
74458 for (i = 0; i < logo_clutsize; i++) {
74459 diff -urNp linux-2.6.32.43/scripts/tags.sh linux-2.6.32.43/scripts/tags.sh
74460 --- linux-2.6.32.43/scripts/tags.sh 2011-03-27 14:31:47.000000000 -0400
74461 +++ linux-2.6.32.43/scripts/tags.sh 2011-06-07 18:06:04.000000000 -0400
74462 @@ -93,6 +93,11 @@ docscope()
74463 cscope -b -f cscope.out
74464 }
74465
74466 +dogtags()
74467 +{
74468 + all_sources | gtags -f -
74469 +}
74470 +
74471 exuberant()
74472 {
74473 all_sources | xargs $1 -a \
74474 @@ -164,6 +169,10 @@ case "$1" in
74475 docscope
74476 ;;
74477
74478 + "gtags")
74479 + dogtags
74480 + ;;
74481 +
74482 "tags")
74483 rm -f tags
74484 xtags ctags
74485 diff -urNp linux-2.6.32.43/security/capability.c linux-2.6.32.43/security/capability.c
74486 --- linux-2.6.32.43/security/capability.c 2011-03-27 14:31:47.000000000 -0400
74487 +++ linux-2.6.32.43/security/capability.c 2011-04-17 15:56:46.000000000 -0400
74488 @@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
74489 }
74490 #endif /* CONFIG_AUDIT */
74491
74492 -struct security_operations default_security_ops = {
74493 +struct security_operations default_security_ops __read_only = {
74494 .name = "default",
74495 };
74496
74497 diff -urNp linux-2.6.32.43/security/commoncap.c linux-2.6.32.43/security/commoncap.c
74498 --- linux-2.6.32.43/security/commoncap.c 2011-03-27 14:31:47.000000000 -0400
74499 +++ linux-2.6.32.43/security/commoncap.c 2011-04-17 15:56:46.000000000 -0400
74500 @@ -27,7 +27,7 @@
74501 #include <linux/sched.h>
74502 #include <linux/prctl.h>
74503 #include <linux/securebits.h>
74504 -
74505 +#include <net/sock.h>
74506 /*
74507 * If a non-root user executes a setuid-root binary in
74508 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
74509 @@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
74510 }
74511 }
74512
74513 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
74514 +
74515 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
74516 {
74517 - NETLINK_CB(skb).eff_cap = current_cap();
74518 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
74519 return 0;
74520 }
74521
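Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared in the .c file, so nothing checks this prototype against the definition, and a later change to the helper's signature would still compile here. The declaration belongs in a header that both this file and the defining file include. Because `NETLINK_CB(skb).eff_cap` no longer comes from `current_cap()`, cap_netlink_send also needs a comment stating which capability set the helper returns, e.g. `/* eff_cap: sender's effective set as filtered by grsecurity policy */`, worded to match the helper, which is not visible here.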
74522 @@ -582,6 +584,9 @@ int cap_bprm_secureexec(struct linux_bin
74523 {
74524 const struct cred *cred = current_cred();
74525
74526 + if (gr_acl_enable_at_secure())
74527 + return 1;
74528 +
74529 if (cred->uid != 0) {
74530 if (bprm->cap_effective)
74531 return 1;
74532 diff -urNp linux-2.6.32.43/security/integrity/ima/ima_api.c linux-2.6.32.43/security/integrity/ima/ima_api.c
74533 --- linux-2.6.32.43/security/integrity/ima/ima_api.c 2011-03-27 14:31:47.000000000 -0400
74534 +++ linux-2.6.32.43/security/integrity/ima/ima_api.c 2011-04-17 15:56:46.000000000 -0400
74535 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
74536 int result;
74537
74538 /* can overflow, only indicator */
74539 - atomic_long_inc(&ima_htable.violations);
74540 + atomic_long_inc_unchecked(&ima_htable.violations);
74541
74542 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
74543 if (!entry) {
74544 diff -urNp linux-2.6.32.43/security/integrity/ima/ima_fs.c linux-2.6.32.43/security/integrity/ima/ima_fs.c
74545 --- linux-2.6.32.43/security/integrity/ima/ima_fs.c 2011-03-27 14:31:47.000000000 -0400
74546 +++ linux-2.6.32.43/security/integrity/ima/ima_fs.c 2011-04-17 15:56:46.000000000 -0400
74547 @@ -27,12 +27,12 @@
74548 static int valid_policy = 1;
74549 #define TMPBUFLEN 12
74550 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
74551 - loff_t *ppos, atomic_long_t *val)
74552 + loff_t *ppos, atomic_long_unchecked_t *val)
74553 {
74554 char tmpbuf[TMPBUFLEN];
74555 ssize_t len;
74556
74557 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
74558 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
74559 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
74560 }
74561
74562 diff -urNp linux-2.6.32.43/security/integrity/ima/ima.h linux-2.6.32.43/security/integrity/ima/ima.h
74563 --- linux-2.6.32.43/security/integrity/ima/ima.h 2011-03-27 14:31:47.000000000 -0400
74564 +++ linux-2.6.32.43/security/integrity/ima/ima.h 2011-04-17 15:56:46.000000000 -0400
74565 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
74566 extern spinlock_t ima_queue_lock;
74567
74568 struct ima_h_table {
74569 - atomic_long_t len; /* number of stored measurements in the list */
74570 - atomic_long_t violations;
74571 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
74572 + atomic_long_unchecked_t violations;
74573 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
74574 };
74575 extern struct ima_h_table ima_htable;
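Review bot: `len` is documented as the number of stored measurements, yet it is switched to `atomic_long_unchecked_t` together with `violations` without saying why overflow detection is not wanted for it. For `violations` the ima_add_violation hunk carries the comment "can overflow, only indicator"; `len` has no such justification in the visible hunks. I would extend the field comment, e.g. `atomic_long_unchecked_t len; /* number of stored measurements; reporting only, wrap tolerated */`, after confirming that nothing uses `len` for sizing or indexing.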
74576 diff -urNp linux-2.6.32.43/security/integrity/ima/ima_queue.c linux-2.6.32.43/security/integrity/ima/ima_queue.c
74577 --- linux-2.6.32.43/security/integrity/ima/ima_queue.c 2011-03-27 14:31:47.000000000 -0400
74578 +++ linux-2.6.32.43/security/integrity/ima/ima_queue.c 2011-04-17 15:56:46.000000000 -0400
74579 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
74580 INIT_LIST_HEAD(&qe->later);
74581 list_add_tail_rcu(&qe->later, &ima_measurements);
74582
74583 - atomic_long_inc(&ima_htable.len);
74584 + atomic_long_inc_unchecked(&ima_htable.len);
74585 key = ima_hash_key(entry->digest);
74586 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
74587 return 0;
74588 diff -urNp linux-2.6.32.43/security/Kconfig linux-2.6.32.43/security/Kconfig
74589 --- linux-2.6.32.43/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
74590 +++ linux-2.6.32.43/security/Kconfig 2011-07-06 19:58:11.000000000 -0400
74591 @@ -4,6 +4,555 @@
74592
74593 menu "Security options"
74594
74595 +source grsecurity/Kconfig
74596 +
74597 +menu "PaX"
74598 +
74599 + config ARCH_TRACK_EXEC_LIMIT
74600 + bool
74601 +
74602 + config PAX_PER_CPU_PGD
74603 + bool
74604 +
74605 + config TASK_SIZE_MAX_SHIFT
74606 + int
74607 + depends on X86_64
74608 + default 47 if !PAX_PER_CPU_PGD
74609 + default 42 if PAX_PER_CPU_PGD
74610 +
74611 + config PAX_ENABLE_PAE
74612 + bool
74613 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
74614 +
74615 +config PAX
74616 + bool "Enable various PaX features"
74617 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
74618 + help
74619 + This allows you to enable various PaX features. PaX adds
74620 + intrusion prevention mechanisms to the kernel that reduce
74621 + the risks posed by exploitable memory corruption bugs.
74622 +
74623 +menu "PaX Control"
74624 + depends on PAX
74625 +
74626 +config PAX_SOFTMODE
74627 + bool 'Support soft mode'
74628 + select PAX_PT_PAX_FLAGS
74629 + help
74630 + Enabling this option will allow you to run PaX in soft mode, that
74631 + is, PaX features will not be enforced by default, only on executables
74632 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
74633 + is the only way to mark executables for soft mode use.
74634 +
74635 + Soft mode can be activated by using the "pax_softmode=1" kernel command
74636 + line option on boot. Furthermore you can control various PaX features
74637 + at runtime via the entries in /proc/sys/kernel/pax.
74638 +
74639 +config PAX_EI_PAX
74640 + bool 'Use legacy ELF header marking'
74641 + help
74642 + Enabling this option will allow you to control PaX features on
74643 + a per executable basis via the 'chpax' utility available at
74644 + http://pax.grsecurity.net/. The control flags will be read from
74645 + an otherwise reserved part of the ELF header. This marking has
74646 + numerous drawbacks (no support for soft-mode, toolchain does not
74647 + know about the non-standard use of the ELF header) therefore it
74648 + has been deprecated in favour of PT_PAX_FLAGS support.
74649 +
74650 + Note that if you enable PT_PAX_FLAGS marking support as well,
74651 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
74652 +
74653 +config PAX_PT_PAX_FLAGS
74654 + bool 'Use ELF program header marking'
74655 + help
74656 + Enabling this option will allow you to control PaX features on
74657 + a per executable basis via the 'paxctl' utility available at
74658 + http://pax.grsecurity.net/. The control flags will be read from
74659 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
74660 + has the benefits of supporting both soft mode and being fully
74661 + integrated into the toolchain (the binutils patch is available
74662 + from http://pax.grsecurity.net).
74663 +
74664 + If your toolchain does not support PT_PAX_FLAGS markings,
74665 + you can create one in most cases with 'paxctl -C'.
74666 +
74667 + Note that if you enable the legacy EI_PAX marking support as well,
74668 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
74669 +
74670 +choice
74671 + prompt 'MAC system integration'
74672 + default PAX_HAVE_ACL_FLAGS
74673 + help
74674 + Mandatory Access Control systems have the option of controlling
74675 + PaX flags on a per executable basis, choose the method supported
74676 + by your particular system.
74677 +
74678 + - "none": if your MAC system does not interact with PaX,
74679 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
74680 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
74681 +
74682 + NOTE: this option is for developers/integrators only.
74683 +
74684 + config PAX_NO_ACL_FLAGS
74685 + bool 'none'
74686 +
74687 + config PAX_HAVE_ACL_FLAGS
74688 + bool 'direct'
74689 +
74690 + config PAX_HOOK_ACL_FLAGS
74691 + bool 'hook'
74692 +endchoice
74693 +
74694 +endmenu
74695 +
74696 +menu "Non-executable pages"
74697 + depends on PAX
74698 +
74699 +config PAX_NOEXEC
74700 + bool "Enforce non-executable pages"
74701 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
74702 + help
74703 + By design some architectures do not allow for protecting memory
74704 + pages against execution or even if they do, Linux does not make
74705 + use of this feature. In practice this means that if a page is
74706 + readable (such as the stack or heap) it is also executable.
74707 +
74708 + There is a well known exploit technique that makes use of this
74709 + fact and a common programming mistake where an attacker can
74710 + introduce code of his choice somewhere in the attacked program's
74711 + memory (typically the stack or the heap) and then execute it.
74712 +
74713 + If the attacked program was running with different (typically
74714 + higher) privileges than that of the attacker, then he can elevate
74715 + his own privilege level (e.g. get a root shell, write to files for
74716 + which he does not have write access to, etc).
74717 +
74718 + Enabling this option will let you choose from various features
74719 + that prevent the injection and execution of 'foreign' code in
74720 + a program.
74721 +
74722 + This will also break programs that rely on the old behaviour and
74723 + expect that dynamically allocated memory via the malloc() family
74724 + of functions is executable (which it is not). Notable examples
74725 + are the XFree86 4.x server, the java runtime and wine.
74726 +
74727 +config PAX_PAGEEXEC
74728 + bool "Paging based non-executable pages"
74729 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
74730 + select S390_SWITCH_AMODE if S390
74731 + select S390_EXEC_PROTECT if S390
74732 + select ARCH_TRACK_EXEC_LIMIT if X86_32
74733 + help
74734 + This implementation is based on the paging feature of the CPU.
74735 + On i386 without hardware non-executable bit support there is a
74736 + variable but usually low performance impact, however on Intel's
74737 + P4 core based CPUs it is very high so you should not enable this
74738 + for kernels meant to be used on such CPUs.
74739 +
74740 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
74741 + with hardware non-executable bit support there is no performance
74742 + impact, on ppc the impact is negligible.
74743 +
74744 + Note that several architectures require various emulations due to
74745 + badly designed userland ABIs, this will cause a performance impact
74746 + but will disappear as soon as userland is fixed. For example, ppc
74747 + userland MUST have been built with secure-plt by a recent toolchain.
74748 +
74749 +config PAX_SEGMEXEC
74750 + bool "Segmentation based non-executable pages"
74751 + depends on PAX_NOEXEC && X86_32
74752 + help
74753 + This implementation is based on the segmentation feature of the
74754 + CPU and has a very small performance impact, however applications
74755 + will be limited to a 1.5 GB address space instead of the normal
74756 + 3 GB.
74757 +
74758 +config PAX_EMUTRAMP
74759 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
74760 + default y if PARISC
74761 + help
74762 + There are some programs and libraries that for one reason or
74763 + another attempt to execute special small code snippets from
74764 + non-executable memory pages. Most notable examples are the
74765 + signal handler return code generated by the kernel itself and
74766 + the GCC trampolines.
74767 +
74768 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
74769 + such programs will no longer work under your kernel.
74770 +
74771 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
74772 + utilities to enable trampoline emulation for the affected programs
74773 + yet still have the protection provided by the non-executable pages.
74774 +
74775 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
74776 + your system will not even boot.
74777 +
74778 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
74779 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
74780 + for the affected files.
74781 +
74782 + NOTE: enabling this feature *may* open up a loophole in the
74783 + protection provided by non-executable pages that an attacker
74784 + could abuse. Therefore the best solution is to not have any
74785 + files on your system that would require this option. This can
74786 + be achieved by not using libc5 (which relies on the kernel
74787 + signal handler return code) and not using or rewriting programs
74788 + that make use of the nested function implementation of GCC.
74789 + Skilled users can just fix GCC itself so that it implements
74790 + nested function calls in a way that does not interfere with PaX.
74791 +
74792 +config PAX_EMUSIGRT
74793 + bool "Automatically emulate sigreturn trampolines"
74794 + depends on PAX_EMUTRAMP && PARISC
74795 + default y
74796 + help
74797 + Enabling this option will have the kernel automatically detect
74798 + and emulate signal return trampolines executing on the stack
74799 + that would otherwise lead to task termination.
74800 +
74801 + This solution is intended as a temporary one for users with
74802 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
74803 + Modula-3 runtime, etc) or executables linked to such, basically
74804 + everything that does not specify its own SA_RESTORER function in
74805 + normal executable memory like glibc 2.1+ does.
74806 +
74807 + On parisc you MUST enable this option, otherwise your system will
74808 + not even boot.
74809 +
74810 + NOTE: this feature cannot be disabled on a per executable basis
74811 + and since it *does* open up a loophole in the protection provided
74812 + by non-executable pages, the best solution is to not have any
74813 + files on your system that would require this option.
74814 +
74815 +config PAX_MPROTECT
74816 + bool "Restrict mprotect()"
74817 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
74818 + help
74819 + Enabling this option will prevent programs from
74820 + - changing the executable status of memory pages that were
74821 + not originally created as executable,
74822 + - making read-only executable pages writable again,
74823 + - creating executable pages from anonymous memory,
74824 + - making read-only-after-relocations (RELRO) data pages writable again.
74825 +
74826 + You should say Y here to complete the protection provided by
74827 + the enforcement of non-executable pages.
74828 +
74829 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
74830 + this feature on a per file basis.
74831 +
74832 +config PAX_MPROTECT_COMPAT
74833 + bool "Use legacy/compat protection demoting (read help)"
74834 + depends on PAX_MPROTECT
74835 + default n
74836 + help
74837 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
74838 + by sending the proper error code to the application. For some broken
74839 + userland, this can cause problems with Python or other applications. The
74840 + current implementation however allows for applications like clamav to
74841 + detect if JIT compilation/execution is allowed and to fall back gracefully
74842 + to an interpreter-based mode if it does not. While we encourage everyone
74843 + to use the current implementation as-is and push upstream to fix broken
74844 + userland (note that the RWX logging option can assist with this), in some
74845 + environments this may not be possible. Having to disable MPROTECT
74846 + completely on certain binaries reduces the security benefit of PaX,
74847 + so this option is provided for those environments to revert to the old
74848 + behavior.
74849 +
74850 +config PAX_ELFRELOCS
74851 + bool "Allow ELF text relocations (read help)"
74852 + depends on PAX_MPROTECT
74853 + default n
74854 + help
74855 + Non-executable pages and mprotect() restrictions are effective
74856 + in preventing the introduction of new executable code into an
74857 + attacked task's address space. There remain only two venues
74858 + for this kind of attack: if the attacker can execute already
74859 + existing code in the attacked task then he can either have it
74860 + create and mmap() a file containing his code or have it mmap()
74861 + an already existing ELF library that does not have position
74862 + independent code in it and use mprotect() on it to make it
74863 + writable and copy his code there. While protecting against
74864 + the former approach is beyond PaX, the latter can be prevented
74865 + by having only PIC ELF libraries on one's system (which do not
74866 + need to relocate their code). If you are sure this is your case,
74867 + as is the case with all modern Linux distributions, then leave
74868 + this option disabled. You should say 'n' here.
74869 +
74870 +config PAX_ETEXECRELOCS
74871 + bool "Allow ELF ET_EXEC text relocations"
74872 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
74873 + select PAX_ELFRELOCS
74874 + default y
74875 + help
74876 + On some architectures there are incorrectly created applications
74877 + that require text relocations and would not work without enabling
74878 + this option. If you are an alpha, ia64 or parisc user, you should
74879 + enable this option and disable it once you have made sure that
74880 + none of your applications need it.
74881 +
74882 +config PAX_EMUPLT
74883 + bool "Automatically emulate ELF PLT"
74884 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
74885 + default y
74886 + help
74887 + Enabling this option will have the kernel automatically detect
74888 + and emulate the Procedure Linkage Table entries in ELF files.
74889 + On some architectures such entries are in writable memory, and
74890 + become non-executable leading to task termination. Therefore
74891 + it is mandatory that you enable this option on alpha, parisc,
74892 + sparc and sparc64, otherwise your system would not even boot.
74893 +
74894 + NOTE: this feature *does* open up a loophole in the protection
74895 + provided by the non-executable pages, therefore the proper
74896 + solution is to modify the toolchain to produce a PLT that does
74897 + not need to be writable.
74898 +
74899 +config PAX_DLRESOLVE
74900 + bool 'Emulate old glibc resolver stub'
74901 + depends on PAX_EMUPLT && SPARC
74902 + default n
74903 + help
74904 + This option is needed if userland has an old glibc (before 2.4)
74905 + that puts a 'save' instruction into the runtime generated resolver
74906 + stub that needs special emulation.
74907 +
74908 +config PAX_KERNEXEC
74909 + bool "Enforce non-executable kernel pages"
74910 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
74911 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
74912 + help
74913 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
74914 + that is, enabling this option will make it harder to inject
74915 + and execute 'foreign' code in kernel memory itself.
74916 +
74917 + Note that on x86_64 kernels there is a known regression when
74918 + this feature and KVM/VMX are both enabled in the host kernel.
74919 +
74920 +config PAX_KERNEXEC_MODULE_TEXT
74921 + int "Minimum amount of memory reserved for module code"
74922 + default "4"
74923 + depends on PAX_KERNEXEC && X86_32 && MODULES
74924 + help
74925 + Due to implementation details the kernel must reserve a fixed
74926 + amount of memory for module code at compile time that cannot be
74927 + changed at runtime. Here you can specify the minimum amount
74928 + in MB that will be reserved. Due to the same implementation
74929 + details this size will always be rounded up to the next 2/4 MB
74930 + boundary (depends on PAE) so the actually available memory for
74931 + module code will usually be more than this minimum.
74932 +
74933 + The default 4 MB should be enough for most users but if you have
74934 + an excessive number of modules (e.g., most distribution configs
74935 + compile many drivers as modules) or use huge modules such as
74936 + nvidia's kernel driver, you will need to adjust this amount.
74937 + A good rule of thumb is to look at your currently loaded kernel
74938 + modules and add up their sizes.
74939 +
74940 +endmenu
74941 +
74942 +menu "Address Space Layout Randomization"
74943 + depends on PAX
74944 +
74945 +config PAX_ASLR
74946 + bool "Address Space Layout Randomization"
74947 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
74948 + help
74949 + Many if not most exploit techniques rely on the knowledge of
74950 + certain addresses in the attacked program. The following options
74951 + will allow the kernel to apply a certain amount of randomization
74952 + to specific parts of the program thereby forcing an attacker to
74953 + guess them in most cases. Any failed guess will most likely crash
74954 + the attacked program which allows the kernel to detect such attempts
74955 + and react on them. PaX itself provides no reaction mechanisms,
74956 + instead it is strongly encouraged that you make use of Nergal's
74957 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
74958 + (http://www.grsecurity.net/) built-in crash detection features or
74959 + develop one yourself.
74960 +
74961 + By saying Y here you can choose to randomize the following areas:
74962 + - top of the task's kernel stack
74963 + - top of the task's userland stack
74964 + - base address for mmap() requests that do not specify one
74965 + (this includes all libraries)
74966 + - base address of the main executable
74967 +
74968 + It is strongly recommended to say Y here as address space layout
74969 + randomization has negligible impact on performance yet it provides
74970 + a very effective protection.
74971 +
74972 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
74973 + this feature on a per file basis.
74974 +
74975 +config PAX_RANDKSTACK
74976 + bool "Randomize kernel stack base"
74977 + depends on PAX_ASLR && X86_TSC && X86
74978 + help
74979 + By saying Y here the kernel will randomize every task's kernel
74980 + stack on every system call. This will not only force an attacker
74981 + to guess it but also prevent him from making use of possible
74982 + leaked information about it.
74983 +
74984 + Since the kernel stack is a rather scarce resource, randomization
74985 + may cause unexpected stack overflows, therefore you should very
74986 + carefully test your system. Note that once enabled in the kernel
74987 + configuration, this feature cannot be disabled on a per file basis.
74988 +
74989 +config PAX_RANDUSTACK
74990 + bool "Randomize user stack base"
74991 + depends on PAX_ASLR
74992 + help
74993 + By saying Y here the kernel will randomize every task's userland
74994 + stack. The randomization is done in two steps where the second
74995 + one may apply a big amount of shift to the top of the stack and
74996 + cause problems for programs that want to use lots of memory (more
74997 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
74998 + For this reason the second step can be controlled by 'chpax' or
74999 + 'paxctl' on a per file basis.
75000 +
75001 +config PAX_RANDMMAP
75002 + bool "Randomize mmap() base"
75003 + depends on PAX_ASLR
75004 + help
75005 + By saying Y here the kernel will use a randomized base address for
75006 + mmap() requests that do not specify one themselves. As a result
75007 + all dynamically loaded libraries will appear at random addresses
75008 + and therefore be harder to exploit by a technique where an attacker
75009 + attempts to execute library code for his purposes (e.g. spawn a
75010 + shell from an exploited program that is running at an elevated
75011 + privilege level).
75012 +
75013 + Furthermore, if a program is relinked as a dynamic ELF file, its
75014 + base address will be randomized as well, completing the full
75015 + randomization of the address space layout. Attacking such programs
75016 + becomes a guess game. You can find an example of doing this at
75017 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
75018 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
75019 +
75020 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
75021 + feature on a per file basis.
75022 +
75023 +endmenu
75024 +
75025 +menu "Miscellaneous hardening features"
75026 +
75027 +config PAX_MEMORY_SANITIZE
75028 + bool "Sanitize all freed memory"
75029 + help
75030 + By saying Y here the kernel will erase memory pages as soon as they
75031 + are freed. This in turn reduces the lifetime of data stored in the
75032 + pages, making it less likely that sensitive information such as
75033 + passwords, cryptographic secrets, etc stay in memory for too long.
75034 +
75035 + This is especially useful for programs whose runtime is short, long
75036 + lived processes and the kernel itself benefit from this as long as
75037 + they operate on whole memory pages and ensure timely freeing of pages
75038 + that may hold sensitive information.
75039 +
75040 + The tradeoff is performance impact, on a single CPU system kernel
75041 + compilation sees a 3% slowdown, other systems and workloads may vary
75042 + and you are advised to test this feature on your expected workload
75043 + before deploying it.
75044 +
75045 + Note that this feature does not protect data stored in live pages,
75046 + e.g., process memory swapped to disk may stay there for a long time.
75047 +
75048 +config PAX_MEMORY_STACKLEAK
75049 + bool "Sanitize kernel stack"
75050 + depends on X86
75051 + help
75052 + By saying Y here the kernel will erase the kernel stack before it
75053 + returns from a system call. This in turn reduces the information
75054 + that a kernel stack leak bug can reveal.
75055 +
75056 + Note that such a bug can still leak information that was put on
75057 + the stack by the current system call (the one eventually triggering
75058 + the bug) but traces of earlier system calls on the kernel stack
75059 + cannot leak anymore.
75060 +
75061 + The tradeoff is performance impact, on a single CPU system kernel
75062 + compilation sees a 1% slowdown, other systems and workloads may vary
75063 + and you are advised to test this feature on your expected workload
75064 + before deploying it.
75065 +
75066 + Note: full support for this feature requires gcc with plugin support
75067 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
75068 + is not supported). Using older gcc versions means that functions
75069 + with large enough stack frames may leave uninitialized memory behind
75070 + that may be exposed to a later syscall leaking the stack.
75071 +
75072 +config PAX_MEMORY_UDEREF
75073 + bool "Prevent invalid userland pointer dereference"
75074 + depends on X86 && !UML_X86 && !XEN
75075 + select PAX_PER_CPU_PGD if X86_64
75076 + help
75077 + By saying Y here the kernel will be prevented from dereferencing
75078 + userland pointers in contexts where the kernel expects only kernel
75079 + pointers. This is both a useful runtime debugging feature and a
75080 + security measure that prevents exploiting a class of kernel bugs.
75081 +
75082 + The tradeoff is that some virtualization solutions may experience
75083 + a huge slowdown and therefore you should not enable this feature
75084 + for kernels meant to run in such environments. Whether a given VM
75085 + solution is affected or not is best determined by simply trying it
75086 + out, the performance impact will be obvious right on boot as this
75087 + mechanism engages from very early on. A good rule of thumb is that
75088 + VMs running on CPUs without hardware virtualization support (i.e.,
75089 + the majority of IA-32 CPUs) will likely experience the slowdown.
75090 +
75091 +config PAX_REFCOUNT
75092 + bool "Prevent various kernel object reference counter overflows"
75093 + depends on GRKERNSEC && (X86 || SPARC64)
75094 + help
75095 + By saying Y here the kernel will detect and prevent overflowing
75096 + various (but not all) kinds of object reference counters. Such
75097 + overflows can normally occur due to bugs only and are often, if
75098 + not always, exploitable.
75099 +
75100 + The tradeoff is that data structures protected by an overflowed
75101 + refcount will never be freed and therefore will leak memory. Note
75102 + that this leak also happens even without this protection but in
75103 + that case the overflow can eventually trigger the freeing of the
75104 + data structure while it is still being used elsewhere, resulting
75105 + in the exploitable situation that this feature prevents.
75106 +
75107 + Since this has a negligible performance impact, you should enable
75108 + this feature.
75109 +
75110 +config PAX_USERCOPY
75111 + bool "Harden heap object copies between kernel and userland"
75112 + depends on X86 || PPC || SPARC || ARM
75113 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
75114 + help
75115 + By saying Y here the kernel will enforce the size of heap objects
75116 + when they are copied in either direction between the kernel and
75117 + userland, even if only a part of the heap object is copied.
75118 +
75119 + Specifically, this checking prevents information leaking from the
75120 + kernel heap during kernel to userland copies (if the kernel heap
75121 + object is otherwise fully initialized) and prevents kernel heap
75122 + overflows during userland to kernel copies.
75123 +
75124 + Note that the current implementation provides the strictest bounds
75125 + checks for the SLUB allocator.
75126 +
75127 + Enabling this option also enables per-slab cache protection against
75128 + data in a given cache being copied into/out of via userland
75129 + accessors. Though the whitelist of regions will be reduced over
75130 + time, it notably protects important data structures like task structs.
75131 +
75132 +
75133 + If frame pointers are enabled on x86, this option will also
75134 + restrict copies into and out of the kernel stack to local variables
75135 + within a single frame.
75136 +
75137 + Since this has a negligible performance impact, you should enable
75138 + this feature.
75139 +
75140 +endmenu
75141 +
75142 +endmenu
75143 +
75144 config KEYS
75145 bool "Enable access key retention support"
75146 help
75147 @@ -146,7 +695,7 @@ config INTEL_TXT
75148 config LSM_MMAP_MIN_ADDR
75149 int "Low address space for LSM to protect from user allocation"
75150 depends on SECURITY && SECURITY_SELINUX
75151 - default 65536
75152 + default 32768
75153 help
75154 This is the portion of low virtual memory which should be protected
75155 from userspace allocation. Keeping a user from writing to low pages
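Review bot: The `LSM_MMAP_MIN_ADDR` default is halved from 65536 to 32768 with no comment, which shrinks the low address range the LSM keeps unmappable by userspace. The help text continues outside the hunk and is not touched by it, so any value it recommends may no longer match the new default. Record the reason next to the value, e.g. `# default lowered from 65536: <reason - placeholder>`, and bring the help text in line with it.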
75156 diff -urNp linux-2.6.32.43/security/keys/keyring.c linux-2.6.32.43/security/keys/keyring.c
75157 --- linux-2.6.32.43/security/keys/keyring.c 2011-03-27 14:31:47.000000000 -0400
75158 +++ linux-2.6.32.43/security/keys/keyring.c 2011-04-18 22:03:00.000000000 -0400
75159 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
75160 ret = -EFAULT;
75161
75162 for (loop = 0; loop < klist->nkeys; loop++) {
75163 + key_serial_t serial;
75164 key = klist->keys[loop];
75165 + serial = key->serial;
75166
75167 tmp = sizeof(key_serial_t);
75168 if (tmp > buflen)
75169 tmp = buflen;
75170
75171 - if (copy_to_user(buffer,
75172 - &key->serial,
75173 - tmp) != 0)
75174 + if (copy_to_user(buffer, &serial, tmp))
75175 goto error;
75176
75177 buflen -= tmp;
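Review bot: The new local `serial` in the `keyring_read()` loop has no comment saying why `key->serial` is bounced through the stack before `copy_to_user()`, so the copy looks redundant and is likely to be folded back by a later cleanup. Presumably it keeps the user copy from reading directly out of the heap-allocated `struct key`, which the PAX_USERCOPY checks described in this patch's Kconfig help would otherwise inspect. If that is the reason, say so at the declaration: `/* copy from a stack local, not from the key object itself */`. The function body starts and ends outside the hunk.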
75178 diff -urNp linux-2.6.32.43/security/min_addr.c linux-2.6.32.43/security/min_addr.c
75179 --- linux-2.6.32.43/security/min_addr.c 2011-03-27 14:31:47.000000000 -0400
75180 +++ linux-2.6.32.43/security/min_addr.c 2011-04-17 15:56:46.000000000 -0400
75181 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
75182 */
75183 static void update_mmap_min_addr(void)
75184 {
75185 +#ifndef SPARC
75186 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
75187 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
75188 mmap_min_addr = dac_mmap_min_addr;
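Review bot: `#ifndef SPARC` in `update_mmap_min_addr()` tests a name that Kconfig does not generate, since architecture symbols reach C code as `CONFIG_SPARC`. Unless `SPARC` is defined somewhere outside this hunk, the guard is always true and sparc builds still compile the body. If skipping the update on sparc is the intent, the line should read `#ifndef CONFIG_SPARC` (its `#endif` is in the next hunk), with a comment such as `/* sparc: leave mmap_min_addr at its initial value */`. With a working guard, `mmap_min_addr` would never be raised from `dac_mmap_min_addr` or the LSM floor on that architecture, so the choice deserves an explicit statement.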
75189 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
75190 #else
75191 mmap_min_addr = dac_mmap_min_addr;
75192 #endif
75193 +#endif
75194 }
75195
75196 /*
75197 diff -urNp linux-2.6.32.43/security/root_plug.c linux-2.6.32.43/security/root_plug.c
75198 --- linux-2.6.32.43/security/root_plug.c 2011-03-27 14:31:47.000000000 -0400
75199 +++ linux-2.6.32.43/security/root_plug.c 2011-04-17 15:56:46.000000000 -0400
75200 @@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
75201 return 0;
75202 }
75203
75204 -static struct security_operations rootplug_security_ops = {
75205 +static struct security_operations rootplug_security_ops __read_only = {
75206 .bprm_check_security = rootplug_bprm_check_security,
75207 };
75208
75209 diff -urNp linux-2.6.32.43/security/security.c linux-2.6.32.43/security/security.c
75210 --- linux-2.6.32.43/security/security.c 2011-03-27 14:31:47.000000000 -0400
75211 +++ linux-2.6.32.43/security/security.c 2011-04-17 15:56:46.000000000 -0400
75212 @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
75213 extern struct security_operations default_security_ops;
75214 extern void security_fixup_ops(struct security_operations *ops);
75215
75216 -struct security_operations *security_ops; /* Initialized to NULL */
75217 +struct security_operations *security_ops __read_only; /* Initialized to NULL */
75218
75219 static inline int verify(struct security_operations *ops)
75220 {
75221 @@ -106,7 +106,7 @@ int __init security_module_enable(struct
75222 * If there is already a security module registered with the kernel,
75223 * an error will be returned. Otherwise %0 is returned on success.
75224 */
75225 -int register_security(struct security_operations *ops)
75226 +int __init register_security(struct security_operations *ops)
75227 {
75228 if (verify(ops)) {
75229 printk(KERN_DEBUG "%s could not verify "
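Review bot: The kernel-doc above `register_security()` is not updated for the new `__init` marking, so it still reads as a call that is valid at any time. With `security_ops` now `__read_only` (previous hunk), registration is confined to boot, and a caller outside init code would reference discarded text. The callers are not visible here, so that needs checking for any LSM that can register late. Add a line to the comment, e.g. ` * Must be called during kernel initialisation; security_ops is read-only afterwards.` The function body continues outside the hunk.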
75230 diff -urNp linux-2.6.32.43/security/selinux/hooks.c linux-2.6.32.43/security/selinux/hooks.c
75231 --- linux-2.6.32.43/security/selinux/hooks.c 2011-03-27 14:31:47.000000000 -0400
75232 +++ linux-2.6.32.43/security/selinux/hooks.c 2011-04-17 15:56:46.000000000 -0400
75233 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
75234 * Minimal support for a secondary security module,
75235 * just to allow the use of the capability module.
75236 */
75237 -static struct security_operations *secondary_ops;
75238 +static struct security_operations *secondary_ops __read_only;
75239
75240 /* Lists of inode and superblock security structures initialized
75241 before the policy was loaded. */
75242 @@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
75243
75244 #endif
75245
75246 -static struct security_operations selinux_ops = {
75247 +static struct security_operations selinux_ops __read_only = {
75248 .name = "selinux",
75249
75250 .ptrace_access_check = selinux_ptrace_access_check,
75251 @@ -5841,7 +5841,9 @@ int selinux_disable(void)
75252 avc_disable();
75253
75254 /* Reset security_ops to the secondary module, dummy or capability. */
75255 + pax_open_kernel();
75256 security_ops = secondary_ops;
75257 + pax_close_kernel();
75258
75259 /* Unregister netfilter hooks. */
75260 selinux_nf_ip_exit();
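Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair in `selinux_disable()` is added without a comment, and it is the only visible place where the now `__read_only` `security_ops` is written after boot. A one-line comment makes the reason and the required pairing explicit: `/* security_ops is __read_only; open a write window for this one store */`. Any other post-init store to `security_ops` or to `secondary_ops` (marked `__read_only` in the first hunk of this file) would need the same bracket; none is visible in these hunks. `selinux_disable()` starts and ends outside the hunk.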
75261 diff -urNp linux-2.6.32.43/security/selinux/include/xfrm.h linux-2.6.32.43/security/selinux/include/xfrm.h
75262 --- linux-2.6.32.43/security/selinux/include/xfrm.h 2011-03-27 14:31:47.000000000 -0400
75263 +++ linux-2.6.32.43/security/selinux/include/xfrm.h 2011-05-18 20:09:37.000000000 -0400
75264 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
75265
75266 static inline void selinux_xfrm_notify_policyload(void)
75267 {
75268 - atomic_inc(&flow_cache_genid);
75269 + atomic_inc_unchecked(&flow_cache_genid);
75270 }
75271 #else
75272 static inline int selinux_xfrm_enabled(void)
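Review bot: `atomic_inc_unchecked(&flow_cache_genid)` in `selinux_xfrm_notify_policyload()` carries no comment on why this counter uses the unchecked variant. Presumably the `_unchecked` operations are exempt from the PAX_REFCOUNT overflow detection described in the Kconfig help, on the grounds that a generation id can wrap without harm. State that next to the call, e.g. `/* generation counter, not a refcount: wraparound is harmless */`. The declaration of `flow_cache_genid` is outside this hunk and would need the matching unchecked type.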
75273 diff -urNp linux-2.6.32.43/security/selinux/ss/services.c linux-2.6.32.43/security/selinux/ss/services.c
75274 --- linux-2.6.32.43/security/selinux/ss/services.c 2011-03-27 14:31:47.000000000 -0400
75275 +++ linux-2.6.32.43/security/selinux/ss/services.c 2011-05-16 21:46:57.000000000 -0400
75276 @@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
75277 int rc = 0;
75278 struct policy_file file = { data, len }, *fp = &file;
75279
75280 + pax_track_stack();
75281 +
75282 if (!ss_initialized) {
75283 avtab_cache_init();
75284 if (policydb_read(&policydb, fp)) {
75285 diff -urNp linux-2.6.32.43/security/smack/smack_lsm.c linux-2.6.32.43/security/smack/smack_lsm.c
75286 --- linux-2.6.32.43/security/smack/smack_lsm.c 2011-03-27 14:31:47.000000000 -0400
75287 +++ linux-2.6.32.43/security/smack/smack_lsm.c 2011-04-17 15:56:46.000000000 -0400
75288 @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
75289 return 0;
75290 }
75291
75292 -struct security_operations smack_ops = {
75293 +struct security_operations smack_ops __read_only = {
75294 .name = "smack",
75295
75296 .ptrace_access_check = smack_ptrace_access_check,
75297 diff -urNp linux-2.6.32.43/security/tomoyo/tomoyo.c linux-2.6.32.43/security/tomoyo/tomoyo.c
75298 --- linux-2.6.32.43/security/tomoyo/tomoyo.c 2011-03-27 14:31:47.000000000 -0400
75299 +++ linux-2.6.32.43/security/tomoyo/tomoyo.c 2011-04-17 15:56:46.000000000 -0400
75300 @@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
75301 * tomoyo_security_ops is a "struct security_operations" which is used for
75302 * registering TOMOYO.
75303 */
75304 -static struct security_operations tomoyo_security_ops = {
75305 +static struct security_operations tomoyo_security_ops __read_only = {
75306 .name = "tomoyo",
75307 .cred_alloc_blank = tomoyo_cred_alloc_blank,
75308 .cred_prepare = tomoyo_cred_prepare,
75309 diff -urNp linux-2.6.32.43/sound/aoa/codecs/onyx.c linux-2.6.32.43/sound/aoa/codecs/onyx.c
75310 --- linux-2.6.32.43/sound/aoa/codecs/onyx.c 2011-03-27 14:31:47.000000000 -0400
75311 +++ linux-2.6.32.43/sound/aoa/codecs/onyx.c 2011-04-17 15:56:46.000000000 -0400
75312 @@ -53,7 +53,7 @@ struct onyx {
75313 spdif_locked:1,
75314 analog_locked:1,
75315 original_mute:2;
75316 - int open_count;
75317 + local_t open_count;
75318 struct codec_info *codec_info;
75319
75320 /* mutex serializes concurrent access to the device
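Review bot: `local_t open_count` in `struct onyx` replaces a plain `int` that the next two hunks only modify under `onyx->mutex`, and nothing says why the type changed. `local_t` operations are atomic only with respect to the current CPU, so the mutex is still what makes `local_inc()` in `onyx_open()` and `local_dec_and_test()` in `onyx_close()` safe. A field comment should say so, e.g. `/* open/close counter, always modified under mutex */`. Any other reader of `open_count` in this file (not visible here) has to be converted to `local_read()`.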
75321 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
75322 struct onyx *onyx = cii->codec_data;
75323
75324 mutex_lock(&onyx->mutex);
75325 - onyx->open_count++;
75326 + local_inc(&onyx->open_count);
75327 mutex_unlock(&onyx->mutex);
75328
75329 return 0;
75330 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
75331 struct onyx *onyx = cii->codec_data;
75332
75333 mutex_lock(&onyx->mutex);
75334 - onyx->open_count--;
75335 - if (!onyx->open_count)
75336 + if (local_dec_and_test(&onyx->open_count))
75337 onyx->spdif_locked = onyx->analog_locked = 0;
75338 mutex_unlock(&onyx->mutex);
75339
75340 diff -urNp linux-2.6.32.43/sound/aoa/codecs/onyx.h linux-2.6.32.43/sound/aoa/codecs/onyx.h
75341 --- linux-2.6.32.43/sound/aoa/codecs/onyx.h 2011-03-27 14:31:47.000000000 -0400
75342 +++ linux-2.6.32.43/sound/aoa/codecs/onyx.h 2011-04-17 15:56:46.000000000 -0400
75343 @@ -11,6 +11,7 @@
75344 #include <linux/i2c.h>
75345 #include <asm/pmac_low_i2c.h>
75346 #include <asm/prom.h>
75347 +#include <asm/local.h>
75348
75349 /* PCM3052 register definitions */
75350
75351 diff -urNp linux-2.6.32.43/sound/core/seq/seq_device.c linux-2.6.32.43/sound/core/seq/seq_device.c
75352 --- linux-2.6.32.43/sound/core/seq/seq_device.c 2011-03-27 14:31:47.000000000 -0400
75353 +++ linux-2.6.32.43/sound/core/seq/seq_device.c 2011-08-05 20:33:55.000000000 -0400
75354 @@ -63,7 +63,7 @@ struct ops_list {
75355 int argsize; /* argument size */
75356
75357 /* operators */
75358 - struct snd_seq_dev_ops ops;
75359 + struct snd_seq_dev_ops *ops;
75360
75361 /* registred devices */
75362 struct list_head dev_list; /* list of devices */
75363 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char
75364
75365 mutex_lock(&ops->reg_mutex);
75366 /* copy driver operators */
75367 - ops->ops = *entry;
75368 + ops->ops = entry;
75369 ops->driver |= DRIVER_LOADED;
75370 ops->argsize = argsize;
75371
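Review bot: With `ops->ops = entry;` the list now keeps the caller's pointer instead of a private copy, so the structure passed to `snd_seq_device_register_driver` must stay valid until the driver is unregistered. The callers are not part of this hunk, so whether each of them passes a static object cannot be confirmed from here. The context comment `/* copy driver operators */` no longer matches the code; something like `/* keep a reference to the driver's operators; entry must outlive the registration */` would record the new requirement. The `init_device` and `free_device` hunks below dereference this pointer, and the function body continues outside the hunk.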
75372 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
75373 dev->name, ops->id, ops->argsize, dev->argsize);
75374 return -EINVAL;
75375 }
75376 - if (ops->ops.init_device(dev) >= 0) {
75377 + if (ops->ops->init_device(dev) >= 0) {
75378 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
75379 ops->num_init_devices++;
75380 } else {
75381 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
75382 dev->name, ops->id, ops->argsize, dev->argsize);
75383 return -EINVAL;
75384 }
75385 - if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
75386 + if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
75387 dev->status = SNDRV_SEQ_DEVICE_FREE;
75388 dev->driver_data = NULL;
75389 ops->num_init_devices--;
75390 diff -urNp linux-2.6.32.43/sound/drivers/mts64.c linux-2.6.32.43/sound/drivers/mts64.c
75391 --- linux-2.6.32.43/sound/drivers/mts64.c 2011-03-27 14:31:47.000000000 -0400
75392 +++ linux-2.6.32.43/sound/drivers/mts64.c 2011-04-17 15:56:46.000000000 -0400
75393 @@ -27,6 +27,7 @@
75394 #include <sound/initval.h>
75395 #include <sound/rawmidi.h>
75396 #include <sound/control.h>
75397 +#include <asm/local.h>
75398
75399 #define CARD_NAME "Miditerminal 4140"
75400 #define DRIVER_NAME "MTS64"
75401 @@ -65,7 +66,7 @@ struct mts64 {
75402 struct pardevice *pardev;
75403 int pardev_claimed;
75404
75405 - int open_count;
75406 + local_t open_count;
75407 int current_midi_output_port;
75408 int current_midi_input_port;
75409 u8 mode[MTS64_NUM_INPUT_PORTS];
75410 @@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
75411 {
75412 struct mts64 *mts = substream->rmidi->private_data;
75413
75414 - if (mts->open_count == 0) {
75415 + if (local_read(&mts->open_count) == 0) {
75416 /* We don't need a spinlock here, because this is just called
75417 if the device has not been opened before.
75418 So there aren't any IRQs from the device */
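Review bot: `local_t` operations are atomic only with respect to the CPU that executes them, so converting `open_count` does not make the `local_read(&mts->open_count) == 0` check here and the `local_inc` in the next hunk safe against an open or close running on another CPU. No lock is taken in the lines shown, and `snd_mts64_rawmidi_open` starts and ends outside this hunk, so whether a caller serialises these paths is not visible. If the counter can be touched from more than one CPU, `atomic_t` with `atomic_inc_return`/`atomic_dec_return` would be the matching type. The same applies to the `local_dec_return` and `local_set` lines in the close hunks below; the onyx.c hunks above hold `onyx->mutex` around the update, so they do not depend on the counter type for atomicity.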
75419 @@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
75420
75421 msleep(50);
75422 }
75423 - ++(mts->open_count);
75424 + local_inc(&mts->open_count);
75425
75426 return 0;
75427 }
75428 @@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
75429 struct mts64 *mts = substream->rmidi->private_data;
75430 unsigned long flags;
75431
75432 - --(mts->open_count);
75433 - if (mts->open_count == 0) {
75434 + if (local_dec_return(&mts->open_count) == 0) {
75435 /* We need the spinlock_irqsave here because we can still
75436 have IRQs at this point */
75437 spin_lock_irqsave(&mts->lock, flags);
75438 @@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
75439
75440 msleep(500);
75441
75442 - } else if (mts->open_count < 0)
75443 - mts->open_count = 0;
75444 + } else if (local_read(&mts->open_count) < 0)
75445 + local_set(&mts->open_count, 0);
75446
75447 return 0;
75448 }
75449 diff -urNp linux-2.6.32.43/sound/drivers/opl4/opl4_lib.c linux-2.6.32.43/sound/drivers/opl4/opl4_lib.c
75450 --- linux-2.6.32.43/sound/drivers/opl4/opl4_lib.c 2011-03-27 14:31:47.000000000 -0400
75451 +++ linux-2.6.32.43/sound/drivers/opl4/opl4_lib.c 2011-08-05 20:33:55.000000000 -0400
75452 @@ -27,7 +27,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
75453 MODULE_DESCRIPTION("OPL4 driver");
75454 MODULE_LICENSE("GPL");
75455
75456 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
75457 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
75458 {
75459 int timeout = 10;
75460 while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
75461 diff -urNp linux-2.6.32.43/sound/drivers/portman2x4.c linux-2.6.32.43/sound/drivers/portman2x4.c
75462 --- linux-2.6.32.43/sound/drivers/portman2x4.c 2011-03-27 14:31:47.000000000 -0400
75463 +++ linux-2.6.32.43/sound/drivers/portman2x4.c 2011-04-17 15:56:46.000000000 -0400
75464 @@ -46,6 +46,7 @@
75465 #include <sound/initval.h>
75466 #include <sound/rawmidi.h>
75467 #include <sound/control.h>
75468 +#include <asm/local.h>
75469
75470 #define CARD_NAME "Portman 2x4"
75471 #define DRIVER_NAME "portman"
75472 @@ -83,7 +84,7 @@ struct portman {
75473 struct pardevice *pardev;
75474 int pardev_claimed;
75475
75476 - int open_count;
75477 + local_t open_count;
75478 int mode[PORTMAN_NUM_INPUT_PORTS];
75479 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
75480 };
75481 diff -urNp linux-2.6.32.43/sound/isa/cmi8330.c linux-2.6.32.43/sound/isa/cmi8330.c
75482 --- linux-2.6.32.43/sound/isa/cmi8330.c 2011-03-27 14:31:47.000000000 -0400
75483 +++ linux-2.6.32.43/sound/isa/cmi8330.c 2011-08-05 20:33:55.000000000 -0400
75484 @@ -455,16 +455,16 @@ static int __devinit snd_cmi8330_pcm(str
75485
75486 /* SB16 */
75487 ops = snd_sb16dsp_get_pcm_ops(CMI_SB_STREAM);
75488 - chip->streams[CMI_SB_STREAM].ops = *ops;
75489 + memcpy((void *)&chip->streams[CMI_SB_STREAM].ops, ops, sizeof(*ops));
75490 chip->streams[CMI_SB_STREAM].open = ops->open;
75491 - chip->streams[CMI_SB_STREAM].ops.open = cmi_open_callbacks[CMI_SB_STREAM];
75492 + *(void **)&chip->streams[CMI_SB_STREAM].ops.open = cmi_open_callbacks[CMI_SB_STREAM];
75493 chip->streams[CMI_SB_STREAM].private_data = chip->sb;
75494
75495 /* AD1848 */
75496 ops = snd_wss_get_pcm_ops(CMI_AD_STREAM);
75497 - chip->streams[CMI_AD_STREAM].ops = *ops;
75498 + memcpy((void *)&chip->streams[CMI_AD_STREAM].ops, ops, sizeof(*ops));
75499 chip->streams[CMI_AD_STREAM].open = ops->open;
75500 - chip->streams[CMI_AD_STREAM].ops.open = cmi_open_callbacks[CMI_AD_STREAM];
75501 + *(void **)&chip->streams[CMI_AD_STREAM].ops.open = cmi_open_callbacks[CMI_AD_STREAM];
75502 chip->streams[CMI_AD_STREAM].private_data = chip->wss;
75503
75504 snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &chip->streams[SNDRV_PCM_STREAM_PLAYBACK].ops);
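Review bot: Storing the callback through `*(void **)&chip->streams[CMI_SB_STREAM].ops.open` discards the function-pointer type, so a handler with the wrong signature would compile without a diagnostic, and the store relies on function and object pointers having the same representation. The casts are presumably needed because the ops structure is const-qualified elsewhere in this patch, which this hunk does not show. A comment at the first cast would tell the next reader that this is a deliberate one-time initialisation, for example `/* ops is constified; this is the only place the per-stream copy is written */`. The AD1848 lines in this hunk and the `codec->patch_ops.*` assignments in the patch_analog.c and patch_conexant.c hunks below use the same idiom; `snd_cmi8330_pcm` starts and ends outside the hunk.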
75505 diff -urNp linux-2.6.32.43/sound/oss/sb_audio.c linux-2.6.32.43/sound/oss/sb_audio.c
75506 --- linux-2.6.32.43/sound/oss/sb_audio.c 2011-03-27 14:31:47.000000000 -0400
75507 +++ linux-2.6.32.43/sound/oss/sb_audio.c 2011-04-17 15:56:46.000000000 -0400
75508 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
75509 buf16 = (signed short *)(localbuf + localoffs);
75510 while (c)
75511 {
75512 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
75513 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
75514 if (copy_from_user(lbuf8,
75515 userbuf+useroffs + p,
75516 locallen))
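Review bot: A negative `c` still enters `while (c)`; the added `(unsigned)` cast only makes the comparison choose `LBUFCOPYSIZE` for it, which bounds the length handed to `copy_from_user` but does not reject the bad count. Where `c` comes from and how it is decremented are outside this hunk, so whether the loop ends for such a value cannot be checked here. Rejecting `c <= 0` before the loop would state the intent directly. If the cast stays, a comment such as `/* compare as unsigned so a negative count cannot become the copy length */` explains why it is there.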
75517 diff -urNp linux-2.6.32.43/sound/oss/swarm_cs4297a.c linux-2.6.32.43/sound/oss/swarm_cs4297a.c
75518 --- linux-2.6.32.43/sound/oss/swarm_cs4297a.c 2011-03-27 14:31:47.000000000 -0400
75519 +++ linux-2.6.32.43/sound/oss/swarm_cs4297a.c 2011-04-17 15:56:46.000000000 -0400
75520 @@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
75521 {
75522 struct cs4297a_state *s;
75523 u32 pwr, id;
75524 - mm_segment_t fs;
75525 int rval;
75526 #ifndef CONFIG_BCM_CS4297A_CSWARM
75527 u64 cfg;
75528 @@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
75529 if (!rval) {
75530 char *sb1250_duart_present;
75531
75532 +#if 0
75533 + mm_segment_t fs;
75534 fs = get_fs();
75535 set_fs(KERNEL_DS);
75536 -#if 0
75537 val = SOUND_MASK_LINE;
75538 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
75539 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
75540 val = initvol[i].vol;
75541 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
75542 }
75543 + set_fs(fs);
75544 // cs4297a_write_ac97(s, 0x18, 0x0808);
75545 #else
75546 // cs4297a_write_ac97(s, 0x5e, 0x180);
75547 cs4297a_write_ac97(s, 0x02, 0x0808);
75548 cs4297a_write_ac97(s, 0x18, 0x0808);
75549 #endif
75550 - set_fs(fs);
75551
75552 list_add(&s->list, &cs4297a_devs);
75553
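Review bot: The `#if 0` branch now carries the whole `get_fs()` / `set_fs(KERNEL_DS)` / `set_fs(fs)` sequence, so the compiled path no longer widens the address limit, but the disabled code is kept without a word on why. A short comment above it, for example `/* disabled: passing &val to mixer_ioctl() needs set_fs(KERNEL_DS); do not re-enable as is */`, would stop someone from switching the branch back on without noticing. Deleting the dead branch would be cleaner still. `cs4297a_init` starts and ends outside this hunk.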
75554 diff -urNp linux-2.6.32.43/sound/pci/ac97/ac97_codec.c linux-2.6.32.43/sound/pci/ac97/ac97_codec.c
75555 --- linux-2.6.32.43/sound/pci/ac97/ac97_codec.c 2011-03-27 14:31:47.000000000 -0400
75556 +++ linux-2.6.32.43/sound/pci/ac97/ac97_codec.c 2011-04-17 15:56:46.000000000 -0400
75557 @@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
75558 }
75559
75560 /* build_ops to do nothing */
75561 -static struct snd_ac97_build_ops null_build_ops;
75562 +static const struct snd_ac97_build_ops null_build_ops;
75563
75564 #ifdef CONFIG_SND_AC97_POWER_SAVE
75565 static void do_update_power(struct work_struct *work)
75566 diff -urNp linux-2.6.32.43/sound/pci/ac97/ac97_patch.c linux-2.6.32.43/sound/pci/ac97/ac97_patch.c
75567 --- linux-2.6.32.43/sound/pci/ac97/ac97_patch.c 2011-03-27 14:31:47.000000000 -0400
75568 +++ linux-2.6.32.43/sound/pci/ac97/ac97_patch.c 2011-04-23 12:56:12.000000000 -0400
75569 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
75570 return 0;
75571 }
75572
75573 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
75574 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
75575 .build_spdif = patch_yamaha_ymf743_build_spdif,
75576 .build_3d = patch_yamaha_ymf7x3_3d,
75577 };
75578 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
75579 return 0;
75580 }
75581
75582 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
75583 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
75584 .build_3d = patch_yamaha_ymf7x3_3d,
75585 .build_post_spdif = patch_yamaha_ymf753_post_spdif
75586 };
75587 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
75588 return 0;
75589 }
75590
75591 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
75592 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
75593 .build_specific = patch_wolfson_wm9703_specific,
75594 };
75595
75596 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
75597 return 0;
75598 }
75599
75600 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
75601 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
75602 .build_specific = patch_wolfson_wm9704_specific,
75603 };
75604
75605 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
75606 return 0;
75607 }
75608
75609 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
75610 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
75611 .build_specific = patch_wolfson_wm9705_specific,
75612 };
75613
75614 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
75615 return 0;
75616 }
75617
75618 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
75619 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
75620 .build_specific = patch_wolfson_wm9711_specific,
75621 };
75622
75623 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
75624 }
75625 #endif
75626
75627 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
75628 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
75629 .build_specific = patch_wolfson_wm9713_specific,
75630 .build_3d = patch_wolfson_wm9713_3d,
75631 #ifdef CONFIG_PM
75632 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
75633 return 0;
75634 }
75635
75636 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
75637 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
75638 .build_3d = patch_sigmatel_stac9700_3d,
75639 .build_specific = patch_sigmatel_stac97xx_specific
75640 };
75641 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
75642 return patch_sigmatel_stac97xx_specific(ac97);
75643 }
75644
75645 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
75646 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
75647 .build_3d = patch_sigmatel_stac9708_3d,
75648 .build_specific = patch_sigmatel_stac9708_specific
75649 };
75650 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
75651 return 0;
75652 }
75653
75654 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
75655 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
75656 .build_3d = patch_sigmatel_stac9700_3d,
75657 .build_specific = patch_sigmatel_stac9758_specific
75658 };
75659 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
75660 return 0;
75661 }
75662
75663 -static struct snd_ac97_build_ops patch_cirrus_ops = {
75664 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
75665 .build_spdif = patch_cirrus_build_spdif
75666 };
75667
75668 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
75669 return 0;
75670 }
75671
75672 -static struct snd_ac97_build_ops patch_conexant_ops = {
75673 +static const struct snd_ac97_build_ops patch_conexant_ops = {
75674 .build_spdif = patch_conexant_build_spdif
75675 };
75676
75677 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
75678 }
75679 }
75680
75681 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
75682 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
75683 #ifdef CONFIG_PM
75684 .resume = ad18xx_resume
75685 #endif
75686 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
75687 return 0;
75688 }
75689
75690 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
75691 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
75692 .build_specific = &patch_ad1885_specific,
75693 #ifdef CONFIG_PM
75694 .resume = ad18xx_resume
75695 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
75696 return 0;
75697 }
75698
75699 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
75700 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
75701 .build_specific = &patch_ad1886_specific,
75702 #ifdef CONFIG_PM
75703 .resume = ad18xx_resume
75704 @@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
75705 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
75706 }
75707
75708 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
75709 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
75710 .build_post_spdif = patch_ad198x_post_spdif,
75711 .build_specific = patch_ad1981a_specific,
75712 #ifdef CONFIG_PM
75713 @@ -1951,7 +1951,7 @@ static int patch_ad1981b_specific(struct
75714 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
75715 }
75716
75717 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
75718 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
75719 .build_post_spdif = patch_ad198x_post_spdif,
75720 .build_specific = patch_ad1981b_specific,
75721 #ifdef CONFIG_PM
75722 @@ -2090,7 +2090,7 @@ static int patch_ad1888_specific(struct
75723 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
75724 }
75725
75726 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
75727 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
75728 .build_post_spdif = patch_ad198x_post_spdif,
75729 .build_specific = patch_ad1888_specific,
75730 #ifdef CONFIG_PM
75731 @@ -2139,7 +2139,7 @@ static int patch_ad1980_specific(struct
75732 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
75733 }
75734
75735 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
75736 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
75737 .build_post_spdif = patch_ad198x_post_spdif,
75738 .build_specific = patch_ad1980_specific,
75739 #ifdef CONFIG_PM
75740 @@ -2254,7 +2254,7 @@ static int patch_ad1985_specific(struct
75741 ARRAY_SIZE(snd_ac97_ad1985_controls));
75742 }
75743
75744 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
75745 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
75746 .build_post_spdif = patch_ad198x_post_spdif,
75747 .build_specific = patch_ad1985_specific,
75748 #ifdef CONFIG_PM
75749 @@ -2546,7 +2546,7 @@ static int patch_ad1986_specific(struct
75750 ARRAY_SIZE(snd_ac97_ad1985_controls));
75751 }
75752
75753 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
75754 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
75755 .build_post_spdif = patch_ad198x_post_spdif,
75756 .build_specific = patch_ad1986_specific,
75757 #ifdef CONFIG_PM
75758 @@ -2651,7 +2651,7 @@ static int patch_alc650_specific(struct
75759 return 0;
75760 }
75761
75762 -static struct snd_ac97_build_ops patch_alc650_ops = {
75763 +static const struct snd_ac97_build_ops patch_alc650_ops = {
75764 .build_specific = patch_alc650_specific,
75765 .update_jacks = alc650_update_jacks
75766 };
75767 @@ -2803,7 +2803,7 @@ static int patch_alc655_specific(struct
75768 return 0;
75769 }
75770
75771 -static struct snd_ac97_build_ops patch_alc655_ops = {
75772 +static const struct snd_ac97_build_ops patch_alc655_ops = {
75773 .build_specific = patch_alc655_specific,
75774 .update_jacks = alc655_update_jacks
75775 };
75776 @@ -2915,7 +2915,7 @@ static int patch_alc850_specific(struct
75777 return 0;
75778 }
75779
75780 -static struct snd_ac97_build_ops patch_alc850_ops = {
75781 +static const struct snd_ac97_build_ops patch_alc850_ops = {
75782 .build_specific = patch_alc850_specific,
75783 .update_jacks = alc850_update_jacks
75784 };
75785 @@ -2977,7 +2977,7 @@ static int patch_cm9738_specific(struct
75786 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
75787 }
75788
75789 -static struct snd_ac97_build_ops patch_cm9738_ops = {
75790 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
75791 .build_specific = patch_cm9738_specific,
75792 .update_jacks = cm9738_update_jacks
75793 };
75794 @@ -3068,7 +3068,7 @@ static int patch_cm9739_post_spdif(struc
75795 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
75796 }
75797
75798 -static struct snd_ac97_build_ops patch_cm9739_ops = {
75799 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
75800 .build_specific = patch_cm9739_specific,
75801 .build_post_spdif = patch_cm9739_post_spdif,
75802 .update_jacks = cm9739_update_jacks
75803 @@ -3242,7 +3242,7 @@ static int patch_cm9761_specific(struct
75804 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
75805 }
75806
75807 -static struct snd_ac97_build_ops patch_cm9761_ops = {
75808 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
75809 .build_specific = patch_cm9761_specific,
75810 .build_post_spdif = patch_cm9761_post_spdif,
75811 .update_jacks = cm9761_update_jacks
75812 @@ -3338,7 +3338,7 @@ static int patch_cm9780_specific(struct
75813 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
75814 }
75815
75816 -static struct snd_ac97_build_ops patch_cm9780_ops = {
75817 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
75818 .build_specific = patch_cm9780_specific,
75819 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
75820 };
75821 @@ -3458,7 +3458,7 @@ static int patch_vt1616_specific(struct
75822 return 0;
75823 }
75824
75825 -static struct snd_ac97_build_ops patch_vt1616_ops = {
75826 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
75827 .build_specific = patch_vt1616_specific
75828 };
75829
75830 @@ -3812,7 +3812,7 @@ static int patch_it2646_specific(struct
75831 return 0;
75832 }
75833
75834 -static struct snd_ac97_build_ops patch_it2646_ops = {
75835 +static const struct snd_ac97_build_ops patch_it2646_ops = {
75836 .build_specific = patch_it2646_specific,
75837 .update_jacks = it2646_update_jacks
75838 };
75839 @@ -3846,7 +3846,7 @@ static int patch_si3036_specific(struct
75840 return 0;
75841 }
75842
75843 -static struct snd_ac97_build_ops patch_si3036_ops = {
75844 +static const struct snd_ac97_build_ops patch_si3036_ops = {
75845 .build_specific = patch_si3036_specific,
75846 };
75847
75848 @@ -3913,7 +3913,7 @@ static int patch_ucb1400_specific(struct
75849 return 0;
75850 }
75851
75852 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
75853 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
75854 .build_specific = patch_ucb1400_specific,
75855 };
75856
75857 diff -urNp linux-2.6.32.43/sound/pci/hda/hda_codec.h linux-2.6.32.43/sound/pci/hda/hda_codec.h
75858 --- linux-2.6.32.43/sound/pci/hda/hda_codec.h 2011-03-27 14:31:47.000000000 -0400
75859 +++ linux-2.6.32.43/sound/pci/hda/hda_codec.h 2011-08-05 20:33:55.000000000 -0400
75860 @@ -580,7 +580,7 @@ struct hda_bus_ops {
75861 /* notify power-up/down from codec to controller */
75862 void (*pm_notify)(struct hda_bus *bus);
75863 #endif
75864 -};
75865 +} __no_const;
75866
75867 /* template to pass to the bus constructor */
75868 struct hda_bus_template {
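Review bot: The `__no_const` on `struct hda_bus_ops` has no comment, so a reader cannot tell why this table of function pointers is exempt from constification. Presumably instances are filled in or modified at runtime, but nothing in the hunk shows that. A one-line note such as `/* __no_const: members are assigned at runtime, see <caller> */` (with the real writer named in place of the placeholder) would make the exemption reviewable. This matters because each exempted structure remains a writable function-pointer table. The same applies to `struct hda_pcm_ops` in the next hunk.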
75869 @@ -705,7 +705,7 @@ struct hda_pcm_ops {
75870 struct snd_pcm_substream *substream);
75871 int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
75872 struct snd_pcm_substream *substream);
75873 -};
75874 +} __no_const;
75875
75876 /* PCM information for each substream */
75877 struct hda_pcm_stream {
75878 diff -urNp linux-2.6.32.43/sound/pci/hda/hda_generic.c linux-2.6.32.43/sound/pci/hda/hda_generic.c
75879 --- linux-2.6.32.43/sound/pci/hda/hda_generic.c 2011-03-27 14:31:47.000000000 -0400
75880 +++ linux-2.6.32.43/sound/pci/hda/hda_generic.c 2011-08-05 20:33:55.000000000 -0400
75881 @@ -1097,7 +1097,7 @@ int snd_hda_parse_generic_codec(struct h
75882 (err = parse_output(codec)) < 0)
75883 goto error;
75884
75885 - codec->patch_ops = generic_patch_ops;
75886 + memcpy((void *)&codec->patch_ops, &generic_patch_ops, sizeof(generic_patch_ops));
75887
75888 return 0;
75889
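Review bot: The `memcpy` length is taken from the source, `sizeof(generic_patch_ops)`, while the `(void *)` cast removes any check that source and destination have the same type. Using `sizeof(codec->patch_ops)` would tie the length to the object being written, so a later type change on either side cannot write past the field. The same form recurs in the patch_analog.c, patch_atihdmi.c, patch_ca0110.c, patch_cirrus.c, patch_cmedia.c and patch_conexant.c hunks below, and with `sizeof(*ops)` in the cmi8330.c hunk above. `snd_hda_parse_generic_codec` starts and ends outside this hunk.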
75890 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_analog.c linux-2.6.32.43/sound/pci/hda/patch_analog.c
75891 --- linux-2.6.32.43/sound/pci/hda/patch_analog.c 2011-03-27 14:31:47.000000000 -0400
75892 +++ linux-2.6.32.43/sound/pci/hda/patch_analog.c 2011-08-05 20:33:55.000000000 -0400
75893 @@ -1069,7 +1069,7 @@ static int patch_ad1986a(struct hda_code
75894 #endif
75895 spec->vmaster_nid = 0x1b;
75896
75897 - codec->patch_ops = ad198x_patch_ops;
75898 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
75899
75900 /* override some parameters */
75901 board_config = snd_hda_check_board_config(codec, AD1986A_MODELS,
75902 @@ -1120,8 +1120,8 @@ static int patch_ad1986a(struct hda_code
75903 if (!is_jack_available(codec, 0x25))
75904 spec->multiout.dig_out_nid = 0;
75905 spec->input_mux = &ad1986a_automic_capture_source;
75906 - codec->patch_ops.unsol_event = ad1986a_automic_unsol_event;
75907 - codec->patch_ops.init = ad1986a_automic_init;
75908 + *(void **)&codec->patch_ops.unsol_event = ad1986a_automic_unsol_event;
75909 + *(void **)&codec->patch_ops.init = ad1986a_automic_init;
75910 break;
75911 case AD1986A_SAMSUNG_P50:
75912 spec->num_mixers = 2;
75913 @@ -1137,8 +1137,8 @@ static int patch_ad1986a(struct hda_code
75914 if (!is_jack_available(codec, 0x25))
75915 spec->multiout.dig_out_nid = 0;
75916 spec->input_mux = &ad1986a_automic_capture_source;
75917 - codec->patch_ops.unsol_event = ad1986a_samsung_p50_unsol_event;
75918 - codec->patch_ops.init = ad1986a_samsung_p50_init;
75919 + *(void **)&codec->patch_ops.unsol_event = ad1986a_samsung_p50_unsol_event;
75920 + *(void **)&codec->patch_ops.init = ad1986a_samsung_p50_init;
75921 break;
75922 case AD1986A_LAPTOP_AUTOMUTE:
75923 spec->num_mixers = 3;
75924 @@ -1154,8 +1154,8 @@ static int patch_ad1986a(struct hda_code
75925 if (!is_jack_available(codec, 0x25))
75926 spec->multiout.dig_out_nid = 0;
75927 spec->input_mux = &ad1986a_laptop_eapd_capture_source;
75928 - codec->patch_ops.unsol_event = ad1986a_hp_unsol_event;
75929 - codec->patch_ops.init = ad1986a_hp_init;
75930 + *(void **)&codec->patch_ops.unsol_event = ad1986a_hp_unsol_event;
75931 + *(void **)&codec->patch_ops.init = ad1986a_hp_init;
75932 /* Lenovo N100 seems to report the reversed bit
75933 * for HP jack-sensing
75934 */
75935 @@ -1363,7 +1363,7 @@ static int patch_ad1983(struct hda_codec
75936 #endif
75937 spec->vmaster_nid = 0x05;
75938
75939 - codec->patch_ops = ad198x_patch_ops;
75940 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
75941
75942 return 0;
75943 }
75944 @@ -1769,7 +1769,7 @@ static int patch_ad1981(struct hda_codec
75945 #endif
75946 spec->vmaster_nid = 0x05;
75947
75948 - codec->patch_ops = ad198x_patch_ops;
75949 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
75950
75951 /* override some parameters */
75952 board_config = snd_hda_check_board_config(codec, AD1981_MODELS,
75953 @@ -1783,8 +1783,8 @@ static int patch_ad1981(struct hda_codec
75954 spec->multiout.dig_out_nid = 0;
75955 spec->input_mux = &ad1981_hp_capture_source;
75956
75957 - codec->patch_ops.init = ad1981_hp_init;
75958 - codec->patch_ops.unsol_event = ad1981_hp_unsol_event;
75959 + *(void **)&codec->patch_ops.init = ad1981_hp_init;
75960 + *(void **)&codec->patch_ops.unsol_event = ad1981_hp_unsol_event;
75961 break;
75962 case AD1981_THINKPAD:
75963 spec->mixers[0] = ad1981_thinkpad_mixers;
75964 @@ -1805,8 +1805,8 @@ static int patch_ad1981(struct hda_codec
75965 spec->init_verbs[1] = ad1981_toshiba_init_verbs;
75966 spec->multiout.dig_out_nid = 0;
75967 spec->input_mux = &ad1981_hp_capture_source;
75968 - codec->patch_ops.init = ad1981_hp_init;
75969 - codec->patch_ops.unsol_event = ad1981_hp_unsol_event;
75970 + *(void **)&codec->patch_ops.init = ad1981_hp_init;
75971 + *(void **)&codec->patch_ops.unsol_event = ad1981_hp_unsol_event;
75972 break;
75973 }
75974 return 0;
75975 @@ -3096,14 +3096,14 @@ static int patch_ad1988(struct hda_codec
75976 if (spec->dig_in_nid && codec->vendor_id < 0x11d4989a)
75977 spec->mixers[spec->num_mixers++] = ad1988_spdif_in_mixers;
75978
75979 - codec->patch_ops = ad198x_patch_ops;
75980 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
75981 switch (board_config) {
75982 case AD1988_AUTO:
75983 - codec->patch_ops.init = ad1988_auto_init;
75984 + *(void **)&codec->patch_ops.init = ad1988_auto_init;
75985 break;
75986 case AD1988_LAPTOP:
75987 case AD1988_LAPTOP_DIG:
75988 - codec->patch_ops.unsol_event = ad1988_laptop_unsol_event;
75989 + *(void **)&codec->patch_ops.unsol_event = ad1988_laptop_unsol_event;
75990 break;
75991 }
75992 #ifdef CONFIG_SND_HDA_POWER_SAVE
75993 @@ -3321,7 +3321,7 @@ static int patch_ad1884(struct hda_codec
75994 /* we need to cover all playback volumes */
75995 spec->slave_vols = ad1884_slave_vols;
75996
75997 - codec->patch_ops = ad198x_patch_ops;
75998 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
75999
76000 return 0;
76001 }
76002 @@ -3529,7 +3529,7 @@ static int patch_ad1984(struct hda_codec
76003 case AD1984_BASIC:
76004 /* additional digital mics */
76005 spec->mixers[spec->num_mixers++] = ad1984_dmic_mixers;
76006 - codec->patch_ops.build_pcms = ad1984_build_pcms;
76007 + *(void **)&codec->patch_ops.build_pcms = ad1984_build_pcms;
76008 break;
76009 case AD1984_THINKPAD:
76010 spec->multiout.dig_out_nid = AD1884_SPDIF_OUT;
76011 @@ -4229,7 +4229,7 @@ static int patch_ad1884a(struct hda_code
76012 #ifdef CONFIG_SND_HDA_POWER_SAVE
76013 spec->loopback.amplist = ad1884a_loopbacks;
76014 #endif
76015 - codec->patch_ops = ad198x_patch_ops;
76016 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
76017
76018 /* override some parameters */
76019 board_config = snd_hda_check_board_config(codec, AD1884A_MODELS,
76020 @@ -4240,8 +4240,8 @@ static int patch_ad1884a(struct hda_code
76021 spec->mixers[0] = ad1884a_laptop_mixers;
76022 spec->init_verbs[spec->num_init_verbs++] = ad1884a_laptop_verbs;
76023 spec->multiout.dig_out_nid = 0;
76024 - codec->patch_ops.unsol_event = ad1884a_laptop_unsol_event;
76025 - codec->patch_ops.init = ad1884a_laptop_init;
76026 + *(void **)&codec->patch_ops.unsol_event = ad1884a_laptop_unsol_event;
76027 + *(void **)&codec->patch_ops.init = ad1884a_laptop_init;
76028 /* set the upper-limit for mixer amp to 0dB for avoiding the
76029 * possible damage by overloading
76030 */
76031 @@ -4255,8 +4255,8 @@ static int patch_ad1884a(struct hda_code
76032 spec->mixers[0] = ad1884a_mobile_mixers;
76033 spec->init_verbs[0] = ad1884a_mobile_verbs;
76034 spec->multiout.dig_out_nid = 0;
76035 - codec->patch_ops.unsol_event = ad1884a_hp_unsol_event;
76036 - codec->patch_ops.init = ad1884a_hp_init;
76037 + *(void **)&codec->patch_ops.unsol_event = ad1884a_hp_unsol_event;
76038 + *(void **)&codec->patch_ops.init = ad1884a_hp_init;
76039 /* set the upper-limit for mixer amp to 0dB for avoiding the
76040 * possible damage by overloading
76041 */
76042 @@ -4272,15 +4272,15 @@ static int patch_ad1884a(struct hda_code
76043 ad1984a_thinkpad_verbs;
76044 spec->multiout.dig_out_nid = 0;
76045 spec->input_mux = &ad1984a_thinkpad_capture_source;
76046 - codec->patch_ops.unsol_event = ad1984a_thinkpad_unsol_event;
76047 - codec->patch_ops.init = ad1984a_thinkpad_init;
76048 + *(void **)&codec->patch_ops.unsol_event = ad1984a_thinkpad_unsol_event;
76049 + *(void **)&codec->patch_ops.init = ad1984a_thinkpad_init;
76050 break;
76051 case AD1984A_TOUCHSMART:
76052 spec->mixers[0] = ad1984a_touchsmart_mixers;
76053 spec->init_verbs[0] = ad1984a_touchsmart_verbs;
76054 spec->multiout.dig_out_nid = 0;
76055 - codec->patch_ops.unsol_event = ad1984a_touchsmart_unsol_event;
76056 - codec->patch_ops.init = ad1984a_touchsmart_init;
76057 + *(void **)&codec->patch_ops.unsol_event = ad1984a_touchsmart_unsol_event;
76058 + *(void **)&codec->patch_ops.init = ad1984a_touchsmart_init;
76059 /* set the upper-limit for mixer amp to 0dB for avoiding the
76060 * possible damage by overloading
76061 */
76062 @@ -4607,7 +4607,7 @@ static int patch_ad1882(struct hda_codec
76063 #endif
76064 spec->vmaster_nid = 0x04;
76065
76066 - codec->patch_ops = ad198x_patch_ops;
76067 + memcpy((void *)&codec->patch_ops, &ad198x_patch_ops, sizeof(ad198x_patch_ops));
76068
76069 /* override some parameters */
76070 board_config = snd_hda_check_board_config(codec, AD1882_MODELS,
76071 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_atihdmi.c linux-2.6.32.43/sound/pci/hda/patch_atihdmi.c
76072 --- linux-2.6.32.43/sound/pci/hda/patch_atihdmi.c 2011-03-27 14:31:47.000000000 -0400
76073 +++ linux-2.6.32.43/sound/pci/hda/patch_atihdmi.c 2011-08-05 20:33:55.000000000 -0400
76074 @@ -177,7 +177,7 @@ static int patch_atihdmi(struct hda_code
76075 */
76076 spec->multiout.dig_out_nid = CVT_NID;
76077
76078 - codec->patch_ops = atihdmi_patch_ops;
76079 + memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));
76080
76081 return 0;
76082 }
76083 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_ca0110.c linux-2.6.32.43/sound/pci/hda/patch_ca0110.c
76084 --- linux-2.6.32.43/sound/pci/hda/patch_ca0110.c 2011-03-27 14:31:47.000000000 -0400
76085 +++ linux-2.6.32.43/sound/pci/hda/patch_ca0110.c 2011-08-05 20:33:55.000000000 -0400
76086 @@ -525,7 +525,7 @@ static int patch_ca0110(struct hda_codec
76087 if (err < 0)
76088 goto error;
76089
76090 - codec->patch_ops = ca0110_patch_ops;
76091 + memcpy((void *)&codec->patch_ops, &ca0110_patch_ops, sizeof(ca0110_patch_ops));
76092
76093 return 0;
76094
76095 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_cirrus.c linux-2.6.32.43/sound/pci/hda/patch_cirrus.c
76096 --- linux-2.6.32.43/sound/pci/hda/patch_cirrus.c 2011-05-10 22:12:02.000000000 -0400
76097 +++ linux-2.6.32.43/sound/pci/hda/patch_cirrus.c 2011-08-05 20:33:55.000000000 -0400
76098 @@ -1191,7 +1191,7 @@ static int patch_cs420x(struct hda_codec
76099 if (err < 0)
76100 goto error;
76101
76102 - codec->patch_ops = cs_patch_ops;
76103 + memcpy((void *)&codec->patch_ops, &cs_patch_ops, sizeof(cs_patch_ops));
76104
76105 return 0;
76106
76107 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_cmedia.c linux-2.6.32.43/sound/pci/hda/patch_cmedia.c
76108 --- linux-2.6.32.43/sound/pci/hda/patch_cmedia.c 2011-03-27 14:31:47.000000000 -0400
76109 +++ linux-2.6.32.43/sound/pci/hda/patch_cmedia.c 2011-08-05 20:33:55.000000000 -0400
76110 @@ -728,7 +728,7 @@ static int patch_cmi9880(struct hda_code
76111
76112 spec->adc_nids = cmi9880_adc_nids;
76113
76114 - codec->patch_ops = cmi9880_patch_ops;
76115 + memcpy((void *)&codec->patch_ops, &cmi9880_patch_ops, sizeof(cmi9880_patch_ops));
76116
76117 return 0;
76118 }
76119 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_conexant.c linux-2.6.32.43/sound/pci/hda/patch_conexant.c
76120 --- linux-2.6.32.43/sound/pci/hda/patch_conexant.c 2011-03-27 14:31:47.000000000 -0400
76121 +++ linux-2.6.32.43/sound/pci/hda/patch_conexant.c 2011-08-05 20:33:55.000000000 -0400
76122 @@ -1119,55 +1119,55 @@ static int patch_cxt5045(struct hda_code
76123 spec->channel_mode = cxt5045_modes,
76124
76125
76126 - codec->patch_ops = conexant_patch_ops;
76127 + memcpy((void *)&codec->patch_ops, &conexant_patch_ops, sizeof(conexant_patch_ops));
76128
76129 board_config = snd_hda_check_board_config(codec, CXT5045_MODELS,
76130 cxt5045_models,
76131 cxt5045_cfg_tbl);
76132 switch (board_config) {
76133 case CXT5045_LAPTOP_HPSENSE:
76134 - codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76135 + *(void **)&codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76136 spec->input_mux = &cxt5045_capture_source;
76137 spec->num_init_verbs = 2;
76138 spec->init_verbs[1] = cxt5045_hp_sense_init_verbs;
76139 spec->mixers[0] = cxt5045_mixers;
76140 - codec->patch_ops.init = cxt5045_init;
76141 + *(void **)&codec->patch_ops.init = cxt5045_init;
76142 break;
76143 case CXT5045_LAPTOP_MICSENSE:
76144 - codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76145 + *(void **)&codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76146 spec->input_mux = &cxt5045_capture_source;
76147 spec->num_init_verbs = 2;
76148 spec->init_verbs[1] = cxt5045_mic_sense_init_verbs;
76149 spec->mixers[0] = cxt5045_mixers;
76150 - codec->patch_ops.init = cxt5045_init;
76151 + *(void **)&codec->patch_ops.init = cxt5045_init;
76152 break;
76153 default:
76154 case CXT5045_LAPTOP_HPMICSENSE:
76155 - codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76156 + *(void **)&codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76157 spec->input_mux = &cxt5045_capture_source;
76158 spec->num_init_verbs = 3;
76159 spec->init_verbs[1] = cxt5045_hp_sense_init_verbs;
76160 spec->init_verbs[2] = cxt5045_mic_sense_init_verbs;
76161 spec->mixers[0] = cxt5045_mixers;
76162 - codec->patch_ops.init = cxt5045_init;
76163 + *(void **)&codec->patch_ops.init = cxt5045_init;
76164 break;
76165 case CXT5045_BENQ:
76166 - codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76167 + *(void **)&codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76168 spec->input_mux = &cxt5045_capture_source_benq;
76169 spec->num_init_verbs = 1;
76170 spec->init_verbs[0] = cxt5045_benq_init_verbs;
76171 spec->mixers[0] = cxt5045_mixers;
76172 spec->mixers[1] = cxt5045_benq_mixers;
76173 spec->num_mixers = 2;
76174 - codec->patch_ops.init = cxt5045_init;
76175 + *(void **)&codec->patch_ops.init = cxt5045_init;
76176 break;
76177 case CXT5045_LAPTOP_HP530:
76178 - codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76179 + *(void **)&codec->patch_ops.unsol_event = cxt5045_hp_unsol_event;
76180 spec->input_mux = &cxt5045_capture_source_hp530;
76181 spec->num_init_verbs = 2;
76182 spec->init_verbs[1] = cxt5045_hp_sense_init_verbs;
76183 spec->mixers[0] = cxt5045_mixers_hp530;
76184 - codec->patch_ops.init = cxt5045_init;
76185 + *(void **)&codec->patch_ops.init = cxt5045_init;
76186 break;
76187 #ifdef CONFIG_SND_DEBUG
76188 case CXT5045_TEST:
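Review bot: Each `*(void **)&codec->patch_ops.<member> = handler;` store in this hunk erases the callback's prototype, so a handler with the wrong signature would now compile silently and later be called through a mismatched function pointer. Routing the stores through one small helper that first assigns the handler to a local of the member's own type keeps the check and leaves a single audited place for the cast. The same applies to the later hunks in this file and to the stores in patch_sigmatel.c, patch_via.c and sound/usb/usbaudio.c. The helper name below is only a suggestion, and patch_cxt5045() begins and ends outside the hunk.

```c
/* Store an ops callback; the typed local keeps the prototype check. */
#define hda_codec_set_op(codec, field, fn) do {				\
	typeof((codec)->patch_ops.field) cb_ = (fn);			\
	*(void **)&(codec)->patch_ops.field = (void *)cb_;		\
} while (0)

	case CXT5045_LAPTOP_HPSENSE:
		hda_codec_set_op(codec, unsol_event, cxt5045_hp_unsol_event);
		/* … unchanged: input_mux, init_verbs and mixers setup … */
		hda_codec_set_op(codec, init, cxt5045_init);
```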
76189 @@ -1556,7 +1556,7 @@ static int patch_cxt5047(struct hda_code
76190 spec->num_channel_mode = ARRAY_SIZE(cxt5047_modes),
76191 spec->channel_mode = cxt5047_modes,
76192
76193 - codec->patch_ops = conexant_patch_ops;
76194 + memcpy((void *)&codec->patch_ops, &conexant_patch_ops, sizeof(conexant_patch_ops));
76195
76196 board_config = snd_hda_check_board_config(codec, CXT5047_MODELS,
76197 cxt5047_models,
76198 @@ -1565,13 +1565,13 @@ static int patch_cxt5047(struct hda_code
76199 case CXT5047_LAPTOP:
76200 spec->num_mixers = 2;
76201 spec->mixers[1] = cxt5047_hp_spk_mixers;
76202 - codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76203 + *(void **)&codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76204 break;
76205 case CXT5047_LAPTOP_HP:
76206 spec->num_mixers = 2;
76207 spec->mixers[1] = cxt5047_hp_only_mixers;
76208 - codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76209 - codec->patch_ops.init = cxt5047_hp_init;
76210 + *(void **)&codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76211 + *(void **)&codec->patch_ops.init = cxt5047_hp_init;
76212 break;
76213 case CXT5047_LAPTOP_EAPD:
76214 spec->input_mux = &cxt5047_toshiba_capture_source;
76215 @@ -1579,14 +1579,14 @@ static int patch_cxt5047(struct hda_code
76216 spec->mixers[1] = cxt5047_hp_spk_mixers;
76217 spec->num_init_verbs = 2;
76218 spec->init_verbs[1] = cxt5047_toshiba_init_verbs;
76219 - codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76220 + *(void **)&codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76221 break;
76222 #ifdef CONFIG_SND_DEBUG
76223 case CXT5047_TEST:
76224 spec->input_mux = &cxt5047_test_capture_source;
76225 spec->mixers[0] = cxt5047_test_mixer;
76226 spec->init_verbs[0] = cxt5047_test_init_verbs;
76227 - codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76228 + *(void **)&codec->patch_ops.unsol_event = cxt5047_hp_unsol_event;
76229 #endif
76230 }
76231 spec->vmaster_nid = 0x13;
76232 @@ -1904,8 +1904,8 @@ static int patch_cxt5051(struct hda_code
76233 codec->spec = spec;
76234 codec->pin_amp_workaround = 1;
76235
76236 - codec->patch_ops = conexant_patch_ops;
76237 - codec->patch_ops.init = cxt5051_init;
76238 + memcpy((void *)&codec->patch_ops, &conexant_patch_ops, sizeof(conexant_patch_ops));
76239 + *(void **)&codec->patch_ops.init = cxt5051_init;
76240
76241 spec->multiout.max_channels = 2;
76242 spec->multiout.num_dacs = ARRAY_SIZE(cxt5051_dac_nids);
76243 @@ -1923,7 +1923,7 @@ static int patch_cxt5051(struct hda_code
76244 spec->cur_adc = 0;
76245 spec->cur_adc_idx = 0;
76246
76247 - codec->patch_ops.unsol_event = cxt5051_hp_unsol_event;
76248 + *(void **)&codec->patch_ops.unsol_event = cxt5051_hp_unsol_event;
76249
76250 board_config = snd_hda_check_board_config(codec, CXT5051_MODELS,
76251 cxt5051_models,
76252 @@ -2372,8 +2372,8 @@ static int patch_cxt5066(struct hda_code
76253 return -ENOMEM;
76254 codec->spec = spec;
76255
76256 - codec->patch_ops = conexant_patch_ops;
76257 - codec->patch_ops.init = cxt5066_init;
76258 + memcpy((void *)&codec->patch_ops, &conexant_patch_ops, sizeof(conexant_patch_ops));
76259 + *(void **)&codec->patch_ops.init = cxt5066_init;
76260
76261 spec->dell_automute = 0;
76262 spec->multiout.max_channels = 2;
76263 @@ -2413,7 +2413,7 @@ static int patch_cxt5066(struct hda_code
76264 spec->dell_automute = 1;
76265 break;
76266 case CXT5066_OLPC_XO_1_5:
76267 - codec->patch_ops.unsol_event = cxt5066_unsol_event;
76268 + *(void **)&codec->patch_ops.unsol_event = cxt5066_unsol_event;
76269 spec->init_verbs[0] = cxt5066_init_verbs_olpc;
76270 spec->mixers[spec->num_mixers++] = cxt5066_mixer_master_olpc;
76271 spec->mixers[spec->num_mixers++] = cxt5066_mixers;
76272 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.43/sound/pci/hda/patch_intelhdmi.c
76273 --- linux-2.6.32.43/sound/pci/hda/patch_intelhdmi.c 2011-03-27 14:31:47.000000000 -0400
76274 +++ linux-2.6.32.43/sound/pci/hda/patch_intelhdmi.c 2011-08-05 20:33:55.000000000 -0400
76275 @@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
76276 cp_ready);
76277
76278 /* TODO */
76279 - if (cp_state)
76280 - ;
76281 - if (cp_ready)
76282 - ;
76283 + if (cp_state) {
76284 + }
76285 + if (cp_ready) {
76286 + }
76287 }
76288
76289
76290 @@ -656,7 +656,7 @@ static int do_patch_intel_hdmi(struct hd
76291 spec->multiout.dig_out_nid = cvt_nid;
76292
76293 codec->spec = spec;
76294 - codec->patch_ops = intel_hdmi_patch_ops;
76295 + memcpy((void *)&codec->patch_ops, &intel_hdmi_patch_ops, sizeof(intel_hdmi_patch_ops));
76296
76297 snd_hda_eld_proc_new(codec, &spec->sink_eld);
76298
76299 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_nvhdmi.c linux-2.6.32.43/sound/pci/hda/patch_nvhdmi.c
76300 --- linux-2.6.32.43/sound/pci/hda/patch_nvhdmi.c 2011-03-27 14:31:47.000000000 -0400
76301 +++ linux-2.6.32.43/sound/pci/hda/patch_nvhdmi.c 2011-08-05 20:33:55.000000000 -0400
76302 @@ -367,7 +367,7 @@ static int patch_nvhdmi_8ch(struct hda_c
76303 spec->multiout.max_channels = 8;
76304 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
76305
76306 - codec->patch_ops = nvhdmi_patch_ops_8ch;
76307 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_8ch, sizeof(nvhdmi_patch_ops_8ch));
76308
76309 return 0;
76310 }
76311 @@ -386,7 +386,7 @@ static int patch_nvhdmi_2ch(struct hda_c
76312 spec->multiout.max_channels = 2;
76313 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
76314
76315 - codec->patch_ops = nvhdmi_patch_ops_2ch;
76316 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_2ch, sizeof(nvhdmi_patch_ops_2ch));
76317
76318 return 0;
76319 }
76320 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_realtek.c linux-2.6.32.43/sound/pci/hda/patch_realtek.c
76321 --- linux-2.6.32.43/sound/pci/hda/patch_realtek.c 2011-06-25 12:55:35.000000000 -0400
76322 +++ linux-2.6.32.43/sound/pci/hda/patch_realtek.c 2011-08-05 20:33:55.000000000 -0400
76323 @@ -4856,7 +4856,7 @@ static int patch_alc880(struct hda_codec
76324
76325 spec->vmaster_nid = 0x0c;
76326
76327 - codec->patch_ops = alc_patch_ops;
76328 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76329 if (board_config == ALC880_AUTO)
76330 spec->init_hook = alc880_auto_init;
76331 #ifdef CONFIG_SND_HDA_POWER_SAVE
76332 @@ -6479,7 +6479,7 @@ static int patch_alc260(struct hda_codec
76333
76334 spec->vmaster_nid = 0x08;
76335
76336 - codec->patch_ops = alc_patch_ops;
76337 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76338 if (board_config == ALC260_AUTO)
76339 spec->init_hook = alc260_auto_init;
76340 #ifdef CONFIG_SND_HDA_POWER_SAVE
76341 @@ -9997,7 +9997,7 @@ static int patch_alc882(struct hda_codec
76342
76343 spec->vmaster_nid = 0x0c;
76344
76345 - codec->patch_ops = alc_patch_ops;
76346 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76347 if (board_config == ALC882_AUTO)
76348 spec->init_hook = alc882_auto_init;
76349 #ifdef CONFIG_SND_HDA_POWER_SAVE
76350 @@ -11871,7 +11871,7 @@ static int patch_alc262(struct hda_codec
76351
76352 spec->vmaster_nid = 0x0c;
76353
76354 - codec->patch_ops = alc_patch_ops;
76355 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76356 if (board_config == ALC262_AUTO)
76357 spec->init_hook = alc262_auto_init;
76358 #ifdef CONFIG_SND_HDA_POWER_SAVE
76359 @@ -12950,7 +12950,7 @@ static int patch_alc268(struct hda_codec
76360
76361 spec->vmaster_nid = 0x02;
76362
76363 - codec->patch_ops = alc_patch_ops;
76364 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76365 if (board_config == ALC268_AUTO)
76366 spec->init_hook = alc268_auto_init;
76367
76368 @@ -13636,7 +13636,7 @@ static int patch_alc269(struct hda_codec
76369
76370 spec->vmaster_nid = 0x02;
76371
76372 - codec->patch_ops = alc_patch_ops;
76373 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76374 if (board_config == ALC269_AUTO)
76375 spec->init_hook = alc269_auto_init;
76376 #ifdef CONFIG_SND_HDA_POWER_SAVE
76377 @@ -14741,7 +14741,7 @@ static int patch_alc861(struct hda_codec
76378
76379 spec->vmaster_nid = 0x03;
76380
76381 - codec->patch_ops = alc_patch_ops;
76382 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76383 if (board_config == ALC861_AUTO)
76384 spec->init_hook = alc861_auto_init;
76385 #ifdef CONFIG_SND_HDA_POWER_SAVE
76386 @@ -15727,7 +15727,7 @@ static int patch_alc861vd(struct hda_cod
76387
76388 spec->vmaster_nid = 0x02;
76389
76390 - codec->patch_ops = alc_patch_ops;
76391 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76392
76393 if (board_config == ALC861VD_AUTO)
76394 spec->init_hook = alc861vd_auto_init;
76395 @@ -17652,7 +17652,7 @@ static int patch_alc662(struct hda_codec
76396
76397 spec->vmaster_nid = 0x02;
76398
76399 - codec->patch_ops = alc_patch_ops;
76400 + memcpy((void *)&codec->patch_ops, &alc_patch_ops, sizeof(alc_patch_ops));
76401 if (board_config == ALC662_AUTO)
76402 spec->init_hook = alc662_auto_init;
76403 #ifdef CONFIG_SND_HDA_POWER_SAVE
76404 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_si3054.c linux-2.6.32.43/sound/pci/hda/patch_si3054.c
76405 --- linux-2.6.32.43/sound/pci/hda/patch_si3054.c 2011-03-27 14:31:47.000000000 -0400
76406 +++ linux-2.6.32.43/sound/pci/hda/patch_si3054.c 2011-08-05 20:33:55.000000000 -0400
76407 @@ -275,7 +275,7 @@ static int patch_si3054(struct hda_codec
76408 if (spec == NULL)
76409 return -ENOMEM;
76410 codec->spec = spec;
76411 - codec->patch_ops = si3054_patch_ops;
76412 + memcpy((void *)&codec->patch_ops, &si3054_patch_ops, sizeof(si3054_patch_ops));
76413 return 0;
76414 }
76415
76416 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_sigmatel.c linux-2.6.32.43/sound/pci/hda/patch_sigmatel.c
76417 --- linux-2.6.32.43/sound/pci/hda/patch_sigmatel.c 2011-06-25 12:55:35.000000000 -0400
76418 +++ linux-2.6.32.43/sound/pci/hda/patch_sigmatel.c 2011-08-05 20:33:55.000000000 -0400
76419 @@ -4899,7 +4899,7 @@ static int patch_stac9200(struct hda_cod
76420 if (spec->board_config == STAC_9200_PANASONIC)
76421 spec->hp_detect = 0;
76422
76423 - codec->patch_ops = stac92xx_patch_ops;
76424 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76425
76426 return 0;
76427 }
76428 @@ -4981,7 +4981,7 @@ static int patch_stac925x(struct hda_cod
76429 return err;
76430 }
76431
76432 - codec->patch_ops = stac92xx_patch_ops;
76433 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76434
76435 return 0;
76436 }
76437 @@ -5125,7 +5125,7 @@ again:
76438 if (spec->board_config == STAC_92HD73XX_NO_JD)
76439 spec->hp_detect = 0;
76440
76441 - codec->patch_ops = stac92xx_patch_ops;
76442 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76443
76444 codec->proc_widget_hook = stac92hd7x_proc_hook;
76445
76446 @@ -5220,7 +5220,7 @@ again:
76447 snd_hda_codec_write_cache(codec, nid, 0,
76448 AC_VERB_SET_CONNECT_SEL, num_dacs);
76449
76450 - codec->patch_ops = stac92xx_patch_ops;
76451 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76452
76453 codec->proc_widget_hook = stac92hd_proc_hook;
76454
76455 @@ -5294,7 +5294,7 @@ static int patch_stac92hd71bxx(struct hd
76456 return -ENOMEM;
76457
76458 codec->spec = spec;
76459 - codec->patch_ops = stac92xx_patch_ops;
76460 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76461 spec->num_pins = STAC92HD71BXX_NUM_PINS;
76462 switch (codec->vendor_id) {
76463 case 0x111d76b6:
76464 @@ -5515,7 +5515,7 @@ again:
76465 spec->gpio_dir |= spec->gpio_led;
76466 spec->gpio_data |= spec->gpio_led;
76467 /* register check_power_status callback. */
76468 - codec->patch_ops.check_power_status =
76469 + *(void **)&codec->patch_ops.check_power_status =
76470 stac92xx_hp_check_power_status;
76471 }
76472 #endif
76473 @@ -5634,7 +5634,7 @@ static int patch_stac922x(struct hda_cod
76474 return err;
76475 }
76476
76477 - codec->patch_ops = stac92xx_patch_ops;
76478 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76479
76480 /* Fix Mux capture level; max to 2 */
76481 snd_hda_override_amp_caps(codec, 0x12, HDA_OUTPUT,
76482 @@ -5757,7 +5757,7 @@ static int patch_stac927x(struct hda_cod
76483 return err;
76484 }
76485
76486 - codec->patch_ops = stac92xx_patch_ops;
76487 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76488
76489 codec->proc_widget_hook = stac927x_proc_hook;
76490
76491 @@ -5880,7 +5880,7 @@ static int patch_stac9205(struct hda_cod
76492 return err;
76493 }
76494
76495 - codec->patch_ops = stac92xx_patch_ops;
76496 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76497
76498 codec->proc_widget_hook = stac9205_proc_hook;
76499
76500 @@ -5974,7 +5974,7 @@ static int patch_stac9872(struct hda_cod
76501 return -EINVAL;
76502 }
76503 spec->input_mux = &spec->private_imux;
76504 - codec->patch_ops = stac92xx_patch_ops;
76505 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
76506 return 0;
76507 }
76508
76509 diff -urNp linux-2.6.32.43/sound/pci/hda/patch_via.c linux-2.6.32.43/sound/pci/hda/patch_via.c
76510 --- linux-2.6.32.43/sound/pci/hda/patch_via.c 2011-03-27 14:31:47.000000000 -0400
76511 +++ linux-2.6.32.43/sound/pci/hda/patch_via.c 2011-08-05 20:33:55.000000000 -0400
76512 @@ -1399,9 +1399,9 @@ static int patch_vt1708(struct hda_codec
76513 spec->num_mixers++;
76514 }
76515
76516 - codec->patch_ops = via_patch_ops;
76517 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76518
76519 - codec->patch_ops.init = via_auto_init;
76520 + *(void **)&codec->patch_ops.init = via_auto_init;
76521 #ifdef CONFIG_SND_HDA_POWER_SAVE
76522 spec->loopback.amplist = vt1708_loopbacks;
76523 #endif
76524 @@ -1870,10 +1870,10 @@ static int patch_vt1709_10ch(struct hda_
76525 spec->num_mixers++;
76526 }
76527
76528 - codec->patch_ops = via_patch_ops;
76529 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76530
76531 - codec->patch_ops.init = via_auto_init;
76532 - codec->patch_ops.unsol_event = via_unsol_event;
76533 + *(void **)&codec->patch_ops.init = via_auto_init;
76534 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76535 #ifdef CONFIG_SND_HDA_POWER_SAVE
76536 spec->loopback.amplist = vt1709_loopbacks;
76537 #endif
76538 @@ -1964,10 +1964,10 @@ static int patch_vt1709_6ch(struct hda_c
76539 spec->num_mixers++;
76540 }
76541
76542 - codec->patch_ops = via_patch_ops;
76543 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76544
76545 - codec->patch_ops.init = via_auto_init;
76546 - codec->patch_ops.unsol_event = via_unsol_event;
76547 + *(void **)&codec->patch_ops.init = via_auto_init;
76548 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76549 #ifdef CONFIG_SND_HDA_POWER_SAVE
76550 spec->loopback.amplist = vt1709_loopbacks;
76551 #endif
76552 @@ -2418,10 +2418,10 @@ static int patch_vt1708B_8ch(struct hda_
76553 spec->num_mixers++;
76554 }
76555
76556 - codec->patch_ops = via_patch_ops;
76557 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76558
76559 - codec->patch_ops.init = via_auto_init;
76560 - codec->patch_ops.unsol_event = via_unsol_event;
76561 + *(void **)&codec->patch_ops.init = via_auto_init;
76562 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76563 #ifdef CONFIG_SND_HDA_POWER_SAVE
76564 spec->loopback.amplist = vt1708B_loopbacks;
76565 #endif
76566 @@ -2470,10 +2470,10 @@ static int patch_vt1708B_4ch(struct hda_
76567 spec->num_mixers++;
76568 }
76569
76570 - codec->patch_ops = via_patch_ops;
76571 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76572
76573 - codec->patch_ops.init = via_auto_init;
76574 - codec->patch_ops.unsol_event = via_unsol_event;
76575 + *(void **)&codec->patch_ops.init = via_auto_init;
76576 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76577 #ifdef CONFIG_SND_HDA_POWER_SAVE
76578 spec->loopback.amplist = vt1708B_loopbacks;
76579 #endif
76580 @@ -2905,10 +2905,10 @@ static int patch_vt1708S(struct hda_code
76581 spec->num_mixers++;
76582 }
76583
76584 - codec->patch_ops = via_patch_ops;
76585 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76586
76587 - codec->patch_ops.init = via_auto_init;
76588 - codec->patch_ops.unsol_event = via_unsol_event;
76589 + *(void **)&codec->patch_ops.init = via_auto_init;
76590 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76591 #ifdef CONFIG_SND_HDA_POWER_SAVE
76592 spec->loopback.amplist = vt1708S_loopbacks;
76593 #endif
76594 @@ -3223,10 +3223,10 @@ static int patch_vt1702(struct hda_codec
76595 spec->num_mixers++;
76596 }
76597
76598 - codec->patch_ops = via_patch_ops;
76599 + memcpy((void *)&codec->patch_ops, &via_patch_ops, sizeof(via_patch_ops));
76600
76601 - codec->patch_ops.init = via_auto_init;
76602 - codec->patch_ops.unsol_event = via_unsol_event;
76603 + *(void **)&codec->patch_ops.init = via_auto_init;
76604 + *(void **)&codec->patch_ops.unsol_event = via_unsol_event;
76605 #ifdef CONFIG_SND_HDA_POWER_SAVE
76606 spec->loopback.amplist = vt1702_loopbacks;
76607 #endif
76608 diff -urNp linux-2.6.32.43/sound/pci/ice1712/ice1712.h linux-2.6.32.43/sound/pci/ice1712/ice1712.h
76609 --- linux-2.6.32.43/sound/pci/ice1712/ice1712.h 2011-03-27 14:31:47.000000000 -0400
76610 +++ linux-2.6.32.43/sound/pci/ice1712/ice1712.h 2011-08-05 20:33:55.000000000 -0400
76611 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
76612 unsigned int mask_flags; /* total mask bits */
76613 struct snd_akm4xxx_ops {
76614 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
76615 - } ops;
76616 + } __no_const ops;
76617 };
76618
76619 struct snd_ice1712_spdif {
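Review bot: The two `} __no_const ops;` annotations (here and on the ops member of `struct snd_ice1712_spdif` in the next hunk) exempt these callback tables from constification without saying why. A one-line comment at each site would let a later reader judge whether the exemption is still needed, for example `/* __no_const: members are assigned at runtime (TODO confirm which paths write them) */`. Both structures are only partly visible in their hunks.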
76620 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
76621 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76622 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76623 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
76624 - } ops;
76625 + } __no_const ops;
76626 };
76627
76628
76629 diff -urNp linux-2.6.32.43/sound/pci/intel8x0m.c linux-2.6.32.43/sound/pci/intel8x0m.c
76630 --- linux-2.6.32.43/sound/pci/intel8x0m.c 2011-03-27 14:31:47.000000000 -0400
76631 +++ linux-2.6.32.43/sound/pci/intel8x0m.c 2011-04-23 12:56:12.000000000 -0400
76632 @@ -1264,7 +1264,7 @@ static struct shortname_table {
76633 { 0x5455, "ALi M5455" },
76634 { 0x746d, "AMD AMD8111" },
76635 #endif
76636 - { 0 },
76637 + { 0, },
76638 };
76639
76640 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
76641 diff -urNp linux-2.6.32.43/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.43/sound/pci/ymfpci/ymfpci_main.c
76642 --- linux-2.6.32.43/sound/pci/ymfpci/ymfpci_main.c 2011-03-27 14:31:47.000000000 -0400
76643 +++ linux-2.6.32.43/sound/pci/ymfpci/ymfpci_main.c 2011-05-04 17:56:28.000000000 -0400
76644 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
76645 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
76646 break;
76647 }
76648 - if (atomic_read(&chip->interrupt_sleep_count)) {
76649 - atomic_set(&chip->interrupt_sleep_count, 0);
76650 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
76651 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76652 wake_up(&chip->interrupt_sleep);
76653 }
76654 __end:
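Review bot: Switching `interrupt_sleep_count` to the `atomic_*_unchecked` accessors here (and in the three following hunks of this file) opts the counter out of overflow checking, and nothing at the call sites records why that is safe. From the visible uses it looks like a sleeper count that is reset to 0 before `wake_up()` rather than a reference count, so a comment such as `/* sleeper count, not a refcount: exempt from overflow checking */` would make the intent reviewable. The accessors also need the field to be declared with the matching unchecked atomic type; that declaration is not part of these hunks, so it is worth confirming the header is changed in the same patch. snd_ymfpci_hw_stop() starts outside the hunk.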
76655 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
76656 continue;
76657 init_waitqueue_entry(&wait, current);
76658 add_wait_queue(&chip->interrupt_sleep, &wait);
76659 - atomic_inc(&chip->interrupt_sleep_count);
76660 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
76661 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
76662 remove_wait_queue(&chip->interrupt_sleep, &wait);
76663 }
76664 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
76665 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
76666 spin_unlock(&chip->reg_lock);
76667
76668 - if (atomic_read(&chip->interrupt_sleep_count)) {
76669 - atomic_set(&chip->interrupt_sleep_count, 0);
76670 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
76671 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76672 wake_up(&chip->interrupt_sleep);
76673 }
76674 }
76675 @@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
76676 spin_lock_init(&chip->reg_lock);
76677 spin_lock_init(&chip->voice_lock);
76678 init_waitqueue_head(&chip->interrupt_sleep);
76679 - atomic_set(&chip->interrupt_sleep_count, 0);
76680 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
76681 chip->card = card;
76682 chip->pci = pci;
76683 chip->irq = -1;
76684 diff -urNp linux-2.6.32.43/sound/soc/soc-core.c linux-2.6.32.43/sound/soc/soc-core.c
76685 --- linux-2.6.32.43/sound/soc/soc-core.c 2011-03-27 14:31:47.000000000 -0400
76686 +++ linux-2.6.32.43/sound/soc/soc-core.c 2011-08-05 20:33:55.000000000 -0400
76687 @@ -1107,13 +1107,13 @@ static int soc_new_pcm(struct snd_soc_de
76688
76689 dai_link->pcm = pcm;
76690 pcm->private_data = rtd;
76691 - soc_pcm_ops.mmap = platform->pcm_ops->mmap;
76692 - soc_pcm_ops.pointer = platform->pcm_ops->pointer;
76693 - soc_pcm_ops.ioctl = platform->pcm_ops->ioctl;
76694 - soc_pcm_ops.copy = platform->pcm_ops->copy;
76695 - soc_pcm_ops.silence = platform->pcm_ops->silence;
76696 - soc_pcm_ops.ack = platform->pcm_ops->ack;
76697 - soc_pcm_ops.page = platform->pcm_ops->page;
76698 + *(void **)&soc_pcm_ops.mmap = platform->pcm_ops->mmap;
76699 + *(void **)&soc_pcm_ops.pointer = platform->pcm_ops->pointer;
76700 + *(void **)&soc_pcm_ops.ioctl = platform->pcm_ops->ioctl;
76701 + *(void **)&soc_pcm_ops.copy = platform->pcm_ops->copy;
76702 + *(void **)&soc_pcm_ops.silence = platform->pcm_ops->silence;
76703 + *(void **)&soc_pcm_ops.ack = platform->pcm_ops->ack;
76704 + *(void **)&soc_pcm_ops.page = platform->pcm_ops->page;
76705
76706 if (playback)
76707 snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_PLAYBACK, &soc_pcm_ops);
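Review bot: The seven `*(void **)&soc_pcm_ops.<member> = ...` stores write into `soc_pcm_ops`, which from its use here (`.` access, address passed to `snd_pcm_set_ops()`) appears to be a single named object rather than a heap copy; if constification makes that object const, writing through the cast modifies a const-defined object, which is undefined behaviour and can fault if the object is placed in read-only data. The definition is outside the hunk, so this needs confirming there. If the table has to stay writable, marking its type `__no_const` as this patch does in sound/pci/ice1712/ice1712.h and keeping the plain assignments (`soc_pcm_ops.mmap = platform->pcm_ops->mmap;`) would state that openly and keep the prototype check. soc_new_pcm() begins and ends outside the hunk.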
76708 diff -urNp linux-2.6.32.43/sound/usb/usbaudio.c linux-2.6.32.43/sound/usb/usbaudio.c
76709 --- linux-2.6.32.43/sound/usb/usbaudio.c 2011-03-27 14:31:47.000000000 -0400
76710 +++ linux-2.6.32.43/sound/usb/usbaudio.c 2011-08-05 20:33:55.000000000 -0400
76711 @@ -963,12 +963,12 @@ static int snd_usb_pcm_playback_trigger(
76712 switch (cmd) {
76713 case SNDRV_PCM_TRIGGER_START:
76714 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
76715 - subs->ops.prepare = prepare_playback_urb;
76716 + *(void **)&subs->ops.prepare = prepare_playback_urb;
76717 return 0;
76718 case SNDRV_PCM_TRIGGER_STOP:
76719 return deactivate_urbs(subs, 0, 0);
76720 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
76721 - subs->ops.prepare = prepare_nodata_playback_urb;
76722 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
76723 return 0;
76724 default:
76725 return -EINVAL;
76726 @@ -985,15 +985,15 @@ static int snd_usb_pcm_capture_trigger(s
76727
76728 switch (cmd) {
76729 case SNDRV_PCM_TRIGGER_START:
76730 - subs->ops.retire = retire_capture_urb;
76731 + *(void **)&subs->ops.retire = retire_capture_urb;
76732 return start_urbs(subs, substream->runtime);
76733 case SNDRV_PCM_TRIGGER_STOP:
76734 return deactivate_urbs(subs, 0, 0);
76735 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
76736 - subs->ops.retire = retire_paused_capture_urb;
76737 + *(void **)&subs->ops.retire = retire_paused_capture_urb;
76738 return 0;
76739 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
76740 - subs->ops.retire = retire_capture_urb;
76741 + *(void **)&subs->ops.retire = retire_capture_urb;
76742 return 0;
76743 default:
76744 return -EINVAL;
76745 @@ -1542,7 +1542,7 @@ static int snd_usb_pcm_prepare(struct sn
76746 /* for playback, submit the URBs now; otherwise, the first hwptr_done
76747 * updates for all URBs would happen at the same time when starting */
76748 if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK) {
76749 - subs->ops.prepare = prepare_nodata_playback_urb;
76750 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
76751 return start_urbs(subs, runtime);
76752 } else
76753 return 0;
76754 @@ -2228,14 +2228,14 @@ static void init_substream(struct snd_us
76755 subs->direction = stream;
76756 subs->dev = as->chip->dev;
76757 if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL) {
76758 - subs->ops = audio_urb_ops[stream];
76759 + memcpy((void *)&subs->ops, &audio_urb_ops[stream], sizeof(subs->ops));
76760 } else {
76761 - subs->ops = audio_urb_ops_high_speed[stream];
76762 + memcpy((void *)&subs->ops, &audio_urb_ops_high_speed[stream], sizeof(subs->ops));
76763 switch (as->chip->usb_id) {
76764 case USB_ID(0x041e, 0x3f02): /* E-Mu 0202 USB */
76765 case USB_ID(0x041e, 0x3f04): /* E-Mu 0404 USB */
76766 case USB_ID(0x041e, 0x3f0a): /* E-Mu Tracker Pre */
76767 - subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
76768 + *(void **)&subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
76769 break;
76770 }
76771 }
76772 diff -urNp linux-2.6.32.43/tools/gcc/constify_plugin.c linux-2.6.32.43/tools/gcc/constify_plugin.c
76773 --- linux-2.6.32.43/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
76774 +++ linux-2.6.32.43/tools/gcc/constify_plugin.c 2011-08-05 20:33:55.000000000 -0400
76775 @@ -0,0 +1,147 @@
76776 +/*
76777 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
76778 + * Licensed under the GPL v2, or (at your option) v3
76779 + *
76780 + * This gcc plugin constifies all structures which contain only function pointers and const fields.
76781 + *
76782 + * Usage:
76783 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o const_plugin.so const_plugin.c
76784 + * $ gcc -fplugin=const_plugin.so test.c -O2
76785 + */
76786 +
76787 +#include "gcc-plugin.h"
76788 +#include "config.h"
76789 +#include "system.h"
76790 +#include "coretypes.h"
76791 +#include "tree.h"
76792 +#include "tree-pass.h"
76793 +#include "intl.h"
76794 +#include "plugin-version.h"
76795 +#include "tm.h"
76796 +#include "toplev.h"
76797 +#include "function.h"
76798 +#include "tree-flow.h"
76799 +#include "plugin.h"
76800 +
76801 +int plugin_is_GPL_compatible;
76802 +
76803 +static struct plugin_info const_plugin_info = {
76804 + .version = "20110706",
76805 + .help = "no-constify\tturn off constification\n",
76806 +};
76807 +
76808 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
76809 +{
76810 + return NULL_TREE;
76811 +}
76812 +
76813 +static struct attribute_spec no_const_attr = {
76814 + .name = "no_const",
76815 + .min_length = 0,
76816 + .max_length = 0,
76817 + .decl_required = false,
76818 + .type_required = false,
76819 + .function_type_required = false,
76820 + .handler = handle_no_const_attribute
76821 +};
76822 +
76823 +static void register_attributes(void *event_data, void *data)
76824 +{
76825 + register_attribute(&no_const_attr);
76826 +}
76827 +
76828 +/*
76829 +static void printnode(char *prefix, tree node)
76830 +{
76831 + enum tree_code code;
76832 + enum tree_code_class tclass;
76833 +
76834 + tclass = TREE_CODE_CLASS(TREE_CODE (node));
76835 +
76836 + code = TREE_CODE(node);
76837 + fprintf(stderr, "\n%s node: %p, code: %d type: %s\n", prefix, node, code, tree_code_name[(int)code]);
76838 + if (DECL_CONTEXT(node) != NULL_TREE && TYPE_NAME(DECL_CONTEXT(node)) != NULL_TREE)
76839 + fprintf(stderr, "struct name: %s\n", IDENTIFIER_POINTER(TYPE_NAME(DECL_CONTEXT(node))));
76840 + if (tclass == tcc_declaration && DECL_NAME(node) != NULL_TREE)
76841 + fprintf(stderr, "field name: %s\n", IDENTIFIER_POINTER(DECL_NAME(node)));
76842 +}
76843 +*/
76844 +
76845 +static void constify_node(tree node)
76846 +{
76847 + TREE_READONLY(node) = 1;
76848 +}
76849 +
76850 +static bool is_fptr(tree field)
76851 +{
76852 + tree ptr = TREE_TYPE(field);
76853 +
76854 + if (TREE_CODE(ptr) != POINTER_TYPE)
76855 + return false;
76856 +
76857 + return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
76858 +}
76859 +
76860 +static bool walk_struct(tree node)
76861 +{
76862 + tree field;
76863 +
76864 + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
76865 + enum tree_code code = TREE_CODE(TREE_TYPE(field));
76866 + if (code == RECORD_TYPE) {
76867 + if (!(walk_struct(TREE_TYPE(field))))
76868 + return false;
76869 + } else if (is_fptr(field) == false && !TREE_READONLY(field))
76870 + return false;
76871 + }
76872 + return true;
76873 +}
76874 +
76875 +static void finish_type(void *event_data, void *data)
76876 +{
76877 + tree node = (tree)event_data;
76878 +
76879 + if (node == NULL_TREE)
76880 + return;
76881 +
76882 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
76883 + return;
76884 +
76885 + if (TREE_READONLY(node))
76886 + return;
76887 +
76888 + if (TYPE_FIELDS(node) == NULL_TREE)
76889 + return;
76890 +
76891 + if (walk_struct(node))
76892 + constify_node(node);
76893 +}
76894 +
76895 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
76896 +{
76897 + const char * const plugin_name = plugin_info->base_name;
76898 + const int argc = plugin_info->argc;
76899 + const struct plugin_argument * const argv = plugin_info->argv;
76900 + int i;
76901 + bool constify = true;
76902 +
76903 + if (!plugin_default_version_check(version, &gcc_version)) {
76904 + error(G_("incompatible gcc/plugin versions"));
76905 + return 1;
76906 + }
76907 +
76908 + for (i = 0; i < argc; ++i) {
76909 + if (!(strcmp(argv[i].key, "no-constify"))) {
76910 + constify = false;
76911 + continue;
76912 + }
76913 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
76914 + }
76915 +
76916 + register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
76917 + if (constify)
76918 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
76919 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
76920 +
76921 + return 0;
76922 +}
76923 Binary files linux-2.6.32.43/tools/gcc/constify_plugin.so and linux-2.6.32.43/tools/gcc/constify_plugin.so differ
76924 diff -urNp linux-2.6.32.43/tools/gcc/Makefile linux-2.6.32.43/tools/gcc/Makefile
76925 --- linux-2.6.32.43/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
76926 +++ linux-2.6.32.43/tools/gcc/Makefile 2011-08-05 20:33:55.000000000 -0400
76927 @@ -0,0 +1,12 @@
76928 +#CC := gcc
76929 +#PLUGIN_SOURCE_FILES := pax_plugin.c
76930 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
76931 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
76932 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
76933 +
76934 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
76935 +
76936 +hostlibs-y := stackleak_plugin.so constify_plugin.so
76937 +always := $(hostlibs-y)
76938 +stackleak_plugin-objs := stackleak_plugin.o
76939 +constify_plugin-objs := constify_plugin.o
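Review bot: `GCCPLUGINS_DIR` is used without checking that the host compiler has a plugin directory. gcc echoes the bare name `plugin` back when `-print-file-name` finds nothing, so `HOST_EXTRACFLAGS` becomes `-Iplugin/include` and the failure only shows up later as a missing `gcc-plugin.h`. If the caller does not already gate this directory on plugin support (not visible here), a guard such as `ifeq ($(wildcard $(GCCPLUGINS_DIR)/include/gcc-plugin.h),)` with an `$(error ...)` would fail early with a clear message. The four commented-out lines (`#CC`, `#PLUGIN_SOURCE_FILES`, `#PLUGIN_OBJECT_FILES`, `#CFLAGS`) refer to `pax_plugin.c`, which this Makefile does not build, and could be dropped.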
76940 Binary files linux-2.6.32.43/tools/gcc/pax_plugin.so and linux-2.6.32.43/tools/gcc/pax_plugin.so differ
76941 diff -urNp linux-2.6.32.43/tools/gcc/stackleak_plugin.c linux-2.6.32.43/tools/gcc/stackleak_plugin.c
76942 --- linux-2.6.32.43/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
76943 +++ linux-2.6.32.43/tools/gcc/stackleak_plugin.c 2011-08-05 20:33:55.000000000 -0400
76944 @@ -0,0 +1,243 @@
76945 +/*
76946 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
76947 + * Licensed under the GPL v2
76948 + *
76949 + * Note: the choice of the license means that the compilation process is
76950 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
76951 + * but for the kernel it doesn't matter since it doesn't link against
76952 + * any of the gcc libraries
76953 + *
76954 + * gcc plugin to help implement various PaX features
76955 + *
76956 + * - track lowest stack pointer
76957 + *
76958 + * TODO:
76959 + * - initialize all local variables
76960 + *
76961 + * BUGS:
76962 + * - cloned functions are instrumented twice
76963 + */
76964 +#include "gcc-plugin.h"
76965 +#include "plugin-version.h"
76966 +#include "config.h"
76967 +#include "system.h"
76968 +#include "coretypes.h"
76969 +#include "tm.h"
76970 +#include "toplev.h"
76971 +#include "basic-block.h"
76972 +#include "gimple.h"
76973 +//#include "expr.h" where are you...
76974 +#include "diagnostic.h"
76975 +#include "rtl.h"
76976 +#include "emit-rtl.h"
76977 +#include "function.h"
76978 +#include "tree.h"
76979 +#include "tree-pass.h"
76980 +#include "intl.h"
76981 +
76982 +int plugin_is_GPL_compatible;
76983 +
76984 +static int track_frame_size = -1;
76985 +static const char track_function[] = "pax_track_stack";
76986 +static bool init_locals;
76987 +
76988 +static struct plugin_info stackleak_plugin_info = {
76989 + .version = "201106030000",
76990 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
76991 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
76992 +};
76993 +
76994 +static bool gate_stackleak_track_stack(void);
76995 +static unsigned int execute_stackleak_tree_instrument(void);
76996 +static unsigned int execute_stackleak_final(void);
76997 +
76998 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
76999 + .pass = {
77000 + .type = GIMPLE_PASS,
77001 + .name = "stackleak_tree_instrument",
77002 + .gate = gate_stackleak_track_stack,
77003 + .execute = execute_stackleak_tree_instrument,
77004 + .sub = NULL,
77005 + .next = NULL,
77006 + .static_pass_number = 0,
77007 + .tv_id = TV_NONE,
77008 + .properties_required = PROP_gimple_leh | PROP_cfg,
77009 + .properties_provided = 0,
77010 + .properties_destroyed = 0,
77011 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
77012 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
77013 + }
77014 +};
77015 +
77016 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
77017 + .pass = {
77018 + .type = RTL_PASS,
77019 + .name = "stackleak_final",
77020 + .gate = gate_stackleak_track_stack,
77021 + .execute = execute_stackleak_final,
77022 + .sub = NULL,
77023 + .next = NULL,
77024 + .static_pass_number = 0,
77025 + .tv_id = TV_NONE,
77026 + .properties_required = 0,
77027 + .properties_provided = 0,
77028 + .properties_destroyed = 0,
77029 + .todo_flags_start = 0,
77030 + .todo_flags_finish = 0
77031 + }
77032 +};
77033 +
77034 +static bool gate_stackleak_track_stack(void)
77035 +{
77036 + return track_frame_size >= 0;
77037 +}
77038 +
77039 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
77040 +{
77041 + gimple call;
77042 + tree decl, type;
77043 +
77044 + // insert call to void pax_track_stack(void)
77045 + type = build_function_type_list(void_type_node, NULL_TREE);
77046 + decl = build_fn_decl(track_function, type);
77047 + DECL_ASSEMBLER_NAME(decl); // for LTO
77048 + call = gimple_build_call(decl, 0);
77049 + if (before)
77050 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
77051 + else
77052 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
77053 +}
77054 +
77055 +static unsigned int execute_stackleak_tree_instrument(void)
77056 +{
77057 + basic_block bb;
77058 + gimple_stmt_iterator gsi;
77059 +
77060 + // 1. loop through BBs and GIMPLE statements
77061 + FOR_EACH_BB(bb) {
77062 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
77063 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
77064 + tree decl;
77065 + gimple stmt = gsi_stmt(gsi);
77066 +
77067 + if (!is_gimple_call(stmt))
77068 + continue;
77069 + decl = gimple_call_fndecl(stmt);
77070 + if (!decl)
77071 + continue;
77072 + if (TREE_CODE(decl) != FUNCTION_DECL)
77073 + continue;
77074 + if (!DECL_BUILT_IN(decl))
77075 + continue;
77076 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
77077 + continue;
77078 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
77079 + continue;
77080 +
77081 + // 2. insert track call after each __builtin_alloca call
77082 + stackleak_add_instrumentation(&gsi, false);
77083 +// print_node(stderr, "pax", decl, 4);
77084 + }
77085 + }
77086 +
77087 + // 3. insert track call at the beginning
77088 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
77089 + gsi = gsi_start_bb(bb);
77090 + stackleak_add_instrumentation(&gsi, true);
77091 +
77092 + return 0;
77093 +}
77094 +
77095 +static unsigned int execute_stackleak_final(void)
77096 +{
77097 + rtx insn;
77098 +
77099 + if (cfun->calls_alloca)
77100 + return 0;
77101 +
77102 + // 1. find pax_track_stack calls
77103 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
77104 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
77105 + rtx body;
77106 +
77107 + if (!CALL_P(insn))
77108 + continue;
77109 + body = PATTERN(insn);
77110 + if (GET_CODE(body) != CALL)
77111 + continue;
77112 + body = XEXP(body, 0);
77113 + if (GET_CODE(body) != MEM)
77114 + continue;
77115 + body = XEXP(body, 0);
77116 + if (GET_CODE(body) != SYMBOL_REF)
77117 + continue;
77118 + if (strcmp(XSTR(body, 0), track_function))
77119 + continue;
77120 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
77121 + // 2. delete call if function frame is not big enough
77122 + if (get_frame_size() >= track_frame_size)
77123 + continue;
77124 + delete_insn_and_edges(insn);
77125 + }
77126 +
77127 +// print_simple_rtl(stderr, get_insns());
77128 +// print_rtl(stderr, get_insns());
77129 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
77130 +
77131 + return 0;
77132 +}
77133 +
77134 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
77135 +{
77136 + const char * const plugin_name = plugin_info->base_name;
77137 + const int argc = plugin_info->argc;
77138 + const struct plugin_argument * const argv = plugin_info->argv;
77139 + int i;
77140 + struct register_pass_info stackleak_tree_instrument_pass_info = {
77141 + .pass = &stackleak_tree_instrument_pass.pass,
77142 +// .reference_pass_name = "tree_profile",
77143 + .reference_pass_name = "optimized",
77144 + .ref_pass_instance_number = 0,
77145 + .pos_op = PASS_POS_INSERT_AFTER
77146 + };
77147 + struct register_pass_info stackleak_final_pass_info = {
77148 + .pass = &stackleak_final_rtl_opt_pass.pass,
77149 + .reference_pass_name = "final",
77150 + .ref_pass_instance_number = 0,
77151 + .pos_op = PASS_POS_INSERT_BEFORE
77152 + };
77153 +
77154 + if (!plugin_default_version_check(version, &gcc_version)) {
77155 + error(G_("incompatible gcc/plugin versions"));
77156 + return 1;
77157 + }
77158 +
77159 + register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
77160 +
77161 + for (i = 0; i < argc; ++i) {
77162 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
77163 + if (!argv[i].value) {
77164 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77165 + continue;
77166 + }
77167 + track_frame_size = atoi(argv[i].value);
77168 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
77169 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
77170 + continue;
77171 + }
77172 + if (!strcmp(argv[i].key, "initialize-locals")) {
77173 + if (argv[i].value) {
77174 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
77175 + continue;
77176 + }
77177 + init_locals = true;
77178 + continue;
77179 + }
77180 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
77181 + }
77182 +
77183 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
77184 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
77185 +
77186 + return 0;
77187 +}
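Review bot: The `initialize-locals` option in plugin_init is accepted and sets `init_locals`, but nothing in this file reads that flag; the header lists local initialization under TODO and the matching help line is commented out, so a build that passes the option gets no initialization and no diagnostic. Until the pass exists, reject the option instead, e.g. replace `init_locals = true;` with `error(G_("option '-fplugin-arg-%s-%s' is not implemented"), plugin_name, argv[i].key);`. Separately, `track-lowest-sp` is parsed with `atoi()` and only its first character is checked, so a value such as `100x` is taken as 100 and an out-of-range value goes undetected; `strtol()` with an end-pointer and `ERANGE` check would catch both. In execute_stackleak_final the loop advances with `NEXT_INSN(insn)` after `delete_insn_and_edges(insn)` has removed that insn. Whether the deleted insn keeps a usable link depends on the GCC version, so saving the successor first (`next = NEXT_INSN(insn);` at the top of the loop body) would be safer.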
77188 Binary files linux-2.6.32.43/tools/gcc/stackleak_plugin.so and linux-2.6.32.43/tools/gcc/stackleak_plugin.so differ
77189 diff -urNp linux-2.6.32.43/usr/gen_init_cpio.c linux-2.6.32.43/usr/gen_init_cpio.c
77190 --- linux-2.6.32.43/usr/gen_init_cpio.c 2011-03-27 14:31:47.000000000 -0400
77191 +++ linux-2.6.32.43/usr/gen_init_cpio.c 2011-04-17 15:56:46.000000000 -0400
77192 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
77193 int retval;
77194 int rc = -1;
77195 int namesize;
77196 - int i;
77197 + unsigned int i;
77198
77199 mode |= S_IFREG;
77200
77201 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
77202 *env_var = *expanded = '\0';
77203 strncat(env_var, start + 2, end - start - 2);
77204 strncat(expanded, new_location, start - new_location);
77205 - strncat(expanded, getenv(env_var), PATH_MAX);
77206 - strncat(expanded, end + 1, PATH_MAX);
77207 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
77208 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
77209 strncpy(new_location, expanded, PATH_MAX);
77210 + new_location[PATH_MAX] = 0;
77211 } else
77212 break;
77213 }
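Review bot: `getenv(env_var)` on the rewritten line is still passed straight to `strncat()`, and it returns NULL when the named variable is unset, which is undefined behaviour. Fetch the value first and handle the missing case, e.g. `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` and the `PATH_MAX - strlen(expanded)` bounds are in range only if `new_location` and `expanded` each hold at least PATH_MAX + 1 bytes. Their declarations are outside the hunk, as are the start and end of cpio_replace_env, so that should be confirmed.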
77214 diff -urNp linux-2.6.32.43/virt/kvm/kvm_main.c linux-2.6.32.43/virt/kvm/kvm_main.c
77215 --- linux-2.6.32.43/virt/kvm/kvm_main.c 2011-03-27 14:31:47.000000000 -0400
77216 +++ linux-2.6.32.43/virt/kvm/kvm_main.c 2011-08-05 20:33:55.000000000 -0400
77217 @@ -2494,7 +2494,7 @@ asmlinkage void kvm_handle_fault_on_rebo
77218 if (kvm_rebooting)
77219 /* spin while reset goes on */
77220 while (true)
77221 - ;
77222 + cpu_relax();
77223 /* Fault while not rebooting. We want the trace. */
77224 BUG();
77225 }
77226 @@ -2714,7 +2714,7 @@ static void kvm_sched_out(struct preempt
77227 kvm_arch_vcpu_put(vcpu);
77228 }
77229
77230 -int kvm_init(void *opaque, unsigned int vcpu_size,
77231 +int kvm_init(const void *opaque, unsigned int vcpu_size,
77232 struct module *module)
77233 {
77234 int r;
77235 @@ -2767,15 +2767,17 @@ int kvm_init(void *opaque, unsigned int
77236 /* A kmem cache lets us meet the alignment requirements of fx_save. */
77237 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
77238 __alignof__(struct kvm_vcpu),
77239 - 0, NULL);
77240 + SLAB_USERCOPY, NULL);
77241 if (!kvm_vcpu_cache) {
77242 r = -ENOMEM;
77243 goto out_free_5;
77244 }
77245
77246 - kvm_chardev_ops.owner = module;
77247 - kvm_vm_fops.owner = module;
77248 - kvm_vcpu_fops.owner = module;
77249 + pax_open_kernel();
77250 + *(void **)&kvm_chardev_ops.owner = module;
77251 + *(void **)&kvm_vm_fops.owner = module;
77252 + *(void **)&kvm_vcpu_fops.owner = module;
77253 + pax_close_kernel();
77254
77255 r = misc_register(&kvm_dev);
77256 if (r) {
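Review bot: The three `*(void **)&....owner = module;` stores cast through `void **` with no comment saying why. Presumably the three ops objects are const or read-only in this tree, which would explain placing the stores between `pax_open_kernel()` and `pax_close_kernel()`, but their declarations are outside the hunk. A comment above the block would keep a later edit from moving a store outside that window or adding an early exit inside it, e.g. `/* ops structures are read-only here; owner is only known at init, so set it inside the open-kernel window */`. The change from `0` to `SLAB_USERCOPY` on `kvm_vcpu_cache` needs the same treatment: one line naming which user copy requires the flag on the whole vcpu object. kvm_init starts and ends outside the hunk.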